GMC – under any legal obligation to notify you of proven data breaches by doctors?

J Roberts made this Freedom of Information request to Information Commissioner's Office


The request was partially successful.

Dear Information Commissioner's Office,

I wish to know whether the GMC has any legal obligation to notify you of doctors found by MPTs to have inappropriately accessed patient records. If so:

1. Please provide all relevant information.

2. Please also provide any figures you hold concerning the number of registered doctors or former doctors reported to you by the GMC concerning the inappropriate accessing of patients' records in 2019/20 and 2020/21.

Yours faithfully,

J Roberts

icoaccessinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.


References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

J Roberts left an annotation ()

This is the sort of case I have in mind, though the doctor in this example was found NOT to have inappropriately accessed the medical records of 11 patients:

https://www.mpts-uk.org/-/media/mpts-rod...

Instead, it was found proved that:

'1. On 2 March 2018, you accessed the medical records of Mrs A on one or more of the occasions as set out in Schedule 1. Admitted and found proved

2. You accessed the medical records of Mrs B on one or more of the following occasions:

a. 22 May 2018; Admitted and found proved
b. 15 June 2018. Admitted and found proved' (page 12)

Mrs A = fellow partner at practice

Mrs B = wife of one of the other partners in the same practice

ICO Casework, Information Commissioner's Office

11 January 2022

Our reference: IC-149167-Q7K2

Dear J Roberts,

Acknowledgement of information request

We acknowledge receipt of your recent request for information. We received
your request on 5 January 2022.

We will be considering your request under the FOIA. You can expect us to
respond by 2 February 2022. If, for any reason, we can't respond by this
date, we will provide an update. Please note our regulatory approach
during the pandemic linked below.

[1]ICO regulatory approach

If you have any questions please contact us about this request using the
case reference number above.

Yours sincerely,

Information Access Team

Information Commissioner’s Office 

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF

T. 0303 123 1113 [2]ico.org.uk [3]twitter.com/iconews

Please consider the environment before printing this email

Please be aware we are often asked for copies of the correspondence we
exchange with third parties. We are subject to all of the laws we deal
with, including the data protection laws and the Freedom of Information
Act 2000. You can read about these on our website ([4]www.ico.org.uk).
Please say whether you consider any of the information you send us is
confidential. You should also say why. We will withhold information where
there is a good reason to do so.
For information about what we do with personal data see our privacy notice
at [5]www.ico.org.uk/privacy-notice

References

Visible links
1. https://ico.org.uk/media/about-the-ico/p...
2. https://ico.org.uk/
3. https://twitter.com/iconews
4. https://www.ico.org.uk/
5. https://www.ico.org.uk/privacy-notice

ICO Casework, Information Commissioner's Office

1 Attachment

17 January 2022 

Case Reference: IC-149167-Q7K2 

Dear J Roberts, 

Information request response 

We are now in a position to respond to your information request received
on 5 January 2022. Please find our request response attached. 

If we can be of further assistance let us know. 

Yours sincerely,

Aideen Oakes 

Lead Information Access Officer 

Information Commissioner's Office


J Roberts left an annotation ()

No legal obligation; it is the practice that is obliged to report a breach.

'GP practices are data controllers for the data they hold about their patients. Although almost all practices will have data that are processed on their behalf by third parties, for example their IT system suppliers, it is the practice as data controller that has the responsibility for compliance under the Regulation.' (page 2)

'Under the GDPR it is mandatory to report a breach to the ICO if it is likely to result in risks to people’s ‘rights and freedoms’. The threshold to determine whether a breach needs to be reported depends on the risks. The ICO has yet to produce definitive guidance on breach notification, however, it seems likely that most, if not all, breaches of the confidentiality of confidential health data will amount to a risk which would warrant reporting. A breach must be reported to the ICO no later than 72 hours after the data controller becomes aware of it.' (page 9)

https://www.bma.org.uk/media/1827/bma-gp...

J Roberts left an annotation ()

This doctor was suspended for 4 weeks for accessing the records of colleagues and patients without a legitimate reason:

https://www.whatdotheyknow.com/request/m...

J Roberts left an annotation ()

This doctor was suspended for 4 months:

'2. On or around 31 July 2018 you breached Patient A’s confidentiality when you:

a. sent the Recording to Mr B, via Whatsapp; To be determined...

62. In conclusion, the Tribunal found paragraph 2(a) of the Allegation proved...

3. On one or more occasions on or before 24 August 2018, whilst working as a Locum GP at Boundary House Medical Centre, you breached Patient C’s confidentiality when you:

a. accessed Patient C’s medical records when:

i. Patient C was not your patient; To be determined
ii. you had no clinical reason to view the records; To be determined

b. took photos of Patient C’s medical records. Admitted and found proved...

67. Accordingly, the Tribunal found paragraphs 3(a)(i) and (ii) proved.'

https://www.mpts-uk.org/-/media/mpts-rod...

J Roberts left an annotation ()

This doctor was suspended for 10 months in 2019 then erased in October 2020:

'3. Between April 2016 and March 2017 Dr Muralidharan accessed Patient A, B, and C’s confidential patient records, despite not having a legitimate reason for doing so;

In or around April 2017, during an internal Trust investigation, Dr Muralidharan falsely claimed that she had lost her ‘SMARTcard’ and had been issued with a temporary access pass (the SMARTcard in question had been used to accept Patient A, B, and C’s confidential patient records). The 2019 Tribunal found that Dr Muralidharan knew these statements to be untrue and determined that her actions were dishonest;

4. The 2019 Tribunal found that Dr Muralidharan’s actions amounted to misconduct. It determined that accessing confidential patient records without a legitimate reason amounted to a clear breach of the standard expected.

6. The 2019 Tribunal determined to suspend Dr Muralidharan’s registration for a period of 10 months.'

Hearing dated 02 Oct 2020:

https://www.gmc-uk.org/doctors/7454130

J Roberts left an annotation ()

Summary of outcome - Warning

'4. On 7 October 2019, Dr Al-Zyadi rang Ms B and spoke to Patient A to wish patient A happy birthday. Shortly after the phone call, Dr Al-Zyadi visited the home of Patient A and Ms B with two birthday presents for Patient A together with 3 bags of salmon, tin foil and a bottle of Olive oil. Ms B reported this incident to the police on 7 October 2019 and to the Patient Advice and Liaison Service (PALS) on 8 October 2019.

7(3). Between 12 September 2019 and 7 October 2019, you accessed and / or obtained Patient A’s home address and telephone number from Worcestershire Acute Hospitals Trust’s (‘the Trust’) computer system:

a. without consent; Admitted and found proved

b. for reasons unrelated to the medical health and / or treatment of Patient A. Admitted and found proved'

https://www.mpts-uk.org/-/media/mpts-rod...

J Roberts left an annotation ()

Conditions imposed for 18 months (in 2019).

'3. ...It was further alleged that on 30 October 2017, Dr Smith attempted to inappropriately access Patient A’s medical records when she was no longer in his clinical care, whilst well knowing Patient A was vulnerable due to a mental health condition.

4. At the outset of the proceedings Dr Smith, through his counsel Ms Felix, admitted the entirety of the Allegation,

The Tribunal determined to impose conditions on Dr Smith’s registration for a period of 18 months with a review'

(Determination 21 Jan 21)

https://www.gmc-uk.org/doctors/4120331

J Roberts left an annotation ()

ERASURE

'43. The Tribunal, again, found Person A’s evidence to be consistent, and indicative that Dr Joseph’s accessing of her CT scan, without her consent, was done for some purpose other than proper clinical consideration.

50. Dr Joseph’s words to Person A, to the effect that she had underdeveloped frontal lobes which would make her sexually disinhibited, amounted to an explicit sexual reference. The Tribunal had regard to the question of whether or not Dr Joseph was sexually attracted to Person A. It determined that he did have such a sexual attraction, and its reasons for that conclusion are set out in greater detail below.'

https://www.mpts-uk.org/hearings-and-dec...

J Roberts left an annotation ()

From the BBC:

'A pregnant nurse has accused a health trust of sweeping an information breach under the carpet, after her doctor ex-boyfriend accessed her medical records.
...

A spokesperson for the trust said: "Accessing a patient's medical records without clinical justification is completely unacceptable, and is a violation of basic privacy rights as well as patient confidentiality.

"We investigated this incident as soon as we were made aware, took action in line with our policies, and reported the breach to the information commissioner.'

https://www.bbc.com/news/uk-england-nott...

J Roberts left an annotation ()

ERASURE (the data breach is only one part of the decision)

150. Nevertheless, the Tribunal considered that Dr Palouki would have known that she should not have accessed this information without authorisation and should have ensured that it was anonymised before it was shared. The Tribunal considered that there was a potential for the information to have been lost and that, in any event, this breach may have distressed patients to know that their medical records were being used in this way. Further, Dr Palouki’s actions were a serious data breach which required addressing by the organisations involved. The Tribunal considered that Dr Palouki had breached patient confidentiality and in doing so had placed her own needs above those of her patients.

https://www.mpts-uk.org/-/media/mpts-rod...