ICO slaps £40,000 fine on GP practice for disclosing patient information in error

Subject access requests – a warning. Watch out for third party data in your records.

The GP practice, from Hitchin, is paying the hefty penalty for wrongfully revealing 62 pages of confidential details about a woman and her family to her estranged ex-partner.

The ex-partner asked to see the medical records of the former couple’s son. Staff at the GP practice disclosed the notes which also contained the woman’s contact details as well as information relating to her parents and another child not related to the ex-partner. This is despite express warnings from the woman to staff to protect her confidential details.

The reputation and financial consequences (not to mention the effect on patients) from a wrongful disclosure are incalculable. Such a data security breach could so easily have been avoided. According to the Information Commissioner's Office 46 per cent of all complaints made to the ICO last year were are about subject access requests.

I suspect many will understand how such a mistake can so easily have happened with real pressures of time and resources. But, it shouldn’t, there is no excuse. Most health and care organisations hold sensitive personal data face such requests every day. Staff must be fully trained and prepared to deal with these routine requests. In this case, the ICO investigation found that the GP had “insufficient systems in place to guard against releasing unauthorised personal data to people who were not entitle to see it”. You can read the ICO’s penalty notice here.

How well prepared is your organisation?

It is important that organisations protect their staff by providing proper support, training and guidance. The ICO’s SAR webinar offers organisations some top tips on managing and complying with requests for disclosure of confidential and sensitive personal data.

Do get in touch if you require help or advice.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Posted by


Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.