The Power of Procedure: Data Protection Case Study

It's important to have well-thought-out procedures in place for handling personal data and protecting the privacy of data subjects. A recent case study shows that it's just as important to make sure staff actually stick to those procedures.

What Happened

The Commissioner received a complaint from an individual who had attended a hospital for medical procedures. The reports from these procedures were delivered to their home in an envelope with no postage stamp, bearing a hand-written address that combined the name of a GP with the home address of the complainant's neighbour. A hand-written amendment had been made to the address, stating that it was the wrong address.

As many people would, the complainant made further enquiries of their neighbour, who had received the envelope a few days beforehand - and not via a postman. To locate the correct recipient, the neighbour had opened the envelope and viewed the contents. When the complainant got in touch with the hospital, the problem was blamed on a clerical error.

The Investigation

After receiving the complaint, the Commissioner's office began an investigation to establish how the error had happened, what procedures the hospital had in place at the time, and what the hospital had since done to avoid a repetition of the incident.

As it turned out, the hospital had reasonable procedures in place: normally, it issued medical reports in batches to the relevant GP. Multiple sets of medical reports were put in a windowed envelope showing the GP's address, and the envelopes were franked by the hospital post room before delivery.

In this case, a staff member put the medical report in a non-windowed envelope and erroneously intermixed the GP's name, part of the GP's address and part of the complainant's address on the envelope. This envelope wasn't franked, so the hospital said it was unlikely to have been sent directly from its post room, and may have been sent on by the GP. However, neither the hospital nor the Commissioner could establish how the envelope came to arrive at the neighbour's house with no information identifying the correct recipient - which of course resulted in a breach of patient privacy.

What to Learn

In this case, the complainant rejected the apology from the hospital and requested a formal decision from the Commissioner. Unsurprisingly, the Commissioner found that in this incident the hospital had contravened Section 2(1)(b) (the requirement to keep personal data accurate, complete and up to date), Section 2(1)(d) (the requirement to take appropriate security measures) and Section 2B(1) (the requirement for a legal basis for processing sensitive personal data) of the Data Protection Acts 1988 and 2003. There are, doubtless, consequences for the hospital arising from the incident and this decision.

As the Commissioner writes, "This case illustrates how a seemingly innocuous deviation by a single staff member from a standard procedure for issuing correspondence can have significant consequences for the data subject concerned." This was an entirely avoidable breach of sensitive patient data, one that could have been prevented by adherence to the proper procedures and sufficient training for staff.

Find Out More

See advice for handling initial data protection complaints.

Responding to a Data Protection Complaint

What should all staff members know about data protection?

Essential Data Protection Training for Staff
