A recent leak of patient data has called into question the data protection practices of Lloyds Pharmacy. A parcel containing the prescription records of hundreds of Lloyds pharmacy patients is believed to have been intended for an NHS recipient, but mistakenly reached a personal home 300 miles away instead.
When the unintended recipient opened the box, she was shocked at the mass of details she found, assuming they were intended for the NHS prescription services in Bolton.
While Lloyds Pharmacy has placed the blame on an external courier service who mistakenly delivered the parcel, they may not be able to sidestep their ultimate responsibility for the control and handling of their own data in accordance with the GDPR. The incident undoubtedly highlights the risks organisations take when entrusting an external party with the safety of confidential records.
Managing the risks of sending data and data protection practices
A case such as this can also bring the issue of physical records to the fore, raising the question about how safe it is to send hard-copies of patient information and what is best when it comes to data protection practices.
Sending information in the post undoubtedly bears certain additional risks. That being said, sending digital files is by no means risk-free, and data handlers must take the necessary precautions to prevent unauthorised access to private data. When sending data by email, it is important to take steps like password protecting attached files with a unique password each time. It has to be remembered that some emails often travel through several servers before reaching the recipient, and so the risk of exposure remains.
What does best practice look like for physical data protection?
It is important to approach the data protection practices and the matter of paper records systematically. As we have seen, it only takes one error for data to be exposed. There is no one-size-fits-all approach, but some employee rules could include:
- Making any notes about data on a word processor rather than on paper, then deleting them;
- Clearing your working area of any paper records after each working day;
- Destroying paper records of personal data in an appropriate and timely manner.
It is all about making sure that the risk of exposure is erased, or at an extreme low. There are plenty of things that can be done, and should be done, to be able to properly comply with the law.
The Data Leak Lawyers- identifying breaches of regulations
We understand that it can be difficult to identify what constitutes as a breach of the GDPR, which is why we, The Data Leak Lawyers, offer free and no-obligation advice to anyone who thinks they may have been the victim of a data protection breach.
Organisations should not be allowed to sit comfortably with the knowledge that they have put your private data at risk and should be held responsible for any potential and actual damage they have caused.
As such, if you are worried about a data protection breach, please do not hesitate to contact us, as you may be entitled to compensation; particularly if the breach has caused you significant emotional distress.
We possess expert knowledge of the legal ins and outs of data leak claims and accountability for poor data protection practices, but we won’t overcomplicate things, carefully guiding you through every step of the claim process.