NHS England has ruled in an investigation into a Worcester GP data breach after previous findings suggested that the law had not been broken.
In this unusual case, the Severn Valley Medical Practice reportedly posted information online about a patient. Initially, the Practice is understood to have disputed that any data protection breach had occurred. Since then, NHS England and the Information Commissioner’s Office (ICO) have both agreed that the incident was a failure to comply with data protection obligations.
Another element that makes this case unusual is the allegations surrounding the Data Protection Officer (DPO), who reportedly claimed there wasn’t a breach in the first place.
Why this Worcester GP data breach is important to look at
We believe that this particular Worcester GP data breach case is an important one to look at. We have what appears to be an attempt by a DPO to dispute that a breach has taken place as part of internal investigations. It has then taken NHS England and the ICO to affirm that the posting of patient information online was a breach.
On the face of it, any posting of patient information online can easily be a medical data protection breach. The issue as to alleged false claims made by the DPO is an additional concern. We ought to be able to trust that a DPO will have the best interests of a data subject at heart. In this case, it appears that the incident, which stemmed from a Freedom of Information request, was being brushed aside.
It’s understood that the DPO may reportedly have inflated claims about his legal experience and qualifications in the past. This is particularly concerning in an age when data protection is so important, as is clarity when it comes to data security.
Outcome after the finding of the Worcester GP data breach
Now that there has been a finding in the Worcester GP data breach investigation, an apology has been issued. It’s also understood that the problems surrounding the original dispute about there not being a breach are going to be looked at.
Speaking about the incident, the ICO said that Severn Valley Medical Practice had “not complied with their data protection obligations” and that the data in question was “inappropriately disclosed”.