
Data protection breach?

  • 13-04-2021 10:47pm
    #1
    Registered Users Posts: 792 ✭✭✭


    I called my GP surgery to request a copy of a consultants letter.
    The secretary said she would print it out and leave it for me to collect.
    I asked if I were to come inside to the reception desk to collect it? She said no there was a bucket outside and any letters to be collected are there.
    I arrived at the surgery and in the porch area of the door was a bucket, absolutely filled with envelopes with people's names on them. I rifled through it until I found my own and left. Obviously I couldn’t help seeing other people’s names on the envelopes.
    My own letter contains very sensitive information, it wasn’t until I saw this setup that I realised, how easy it would have been to go in the wrong hands.
    Isn’t this a GDPR breach?


Comments

  • Registered Users Posts: 26,056 ✭✭✭✭Peregrinus


    Short answer: yes. One of the principles relating to processing of personal data is that it must be . . .

    "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".

    Since "processing" includes disclosure and transmission of data, this means that when it is being disclosed or transmitted to you, that should be done in an appropriate way that protects against disclosure to some third party with no right to it. Leaving it in a bucket outside the back door doesn't really seem appropriate.

    However there hasn't actually been an unauthorised disclosure here (that we know of); all we have is a system which creates an unacceptable risk that an unauthorised disclosure could be made. That's still a breach of GDPR, but a less serious breach than an actual unauthorised disclosure.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Having had the fun of investigating a GDPR breach, the process isn't quite as cut-and-dried as people think it is. People think, "GDPR Breach = report to the DPC, make public statement"

    The severity* of the breach is effectively what dictates whether or not the data protection commissioner needs to be informed, as well as whether anyone affected needs to be informed.

    It can be a breach of the code, but if it's not severe, then the business is under no obligation to actually tell anyone about it. They are required to record the breach internally, and take corrective action. But if they don't, there's feck all that can be done.

    In this case there are clearly insufficient protections in place and sensitive information could be revealed to a third party, however the business knows that no sensitive data has been disclosed - because nobody has reported their letter missing.

    I would get in contact nicely with the surgery to register your concern with their practice and how it appears to not comply with their duties under GDPR. At the very least these letters should be held at reception and only handed out to authorised people.

    *There are actually several metrics to be assessed to determine the severity


  • Registered Users Posts: 792 ✭✭✭Ziegfeldgirl27


    Thank you both so much for your replies!


  • Registered Users Posts: 25,671 ✭✭✭✭Mrs OBumble


    seamus wrote: »

    I would get in contact nicely with the surgery to register your concern with their practice and how it appears to not comply with their duties under GDPR. At the very least these letters should be held at reception and only handed out to authorised people.

    Agree.

    I wonder what level of assurance the receptionists should take to assure the identity of the collector.

    Also whether it really is the time to address the widespread suspension of some GDPR compliant procedures in the health service yet. We still have 400 Covid cases today.


  • Registered Users Posts: 26,056 ✭✭✭✭Peregrinus


    Agree.

    I wonder what level of assurance the receptionists should take to assure the identity of the collector.
    If someone comes in and says that they're here to pick up a referral letter for Mrs O'Bumble, that's a reasonably strong indicator that that someone is either Mrs O'Bumble herself, or someone sent by her to pick up the letter; how else would they know that the letter is there to be picked up?

    Obviously, you could toughen procedures still further; you could require that Mrs O'Bumble pick up the letter herself, or notify the surgery in advance of the identity of the person who will pick it up, and also require that identity be established with a photo ID at the time the letter is picked up. But at some point diminishing returns sets in; the onerous effect of increasingly stringent security processes outweighs the marginal improvement in security that they deliver. GDPR doesn't require absolute security; just appropriate processes that ensure security. That word "appropriate" definitely leaves space for some practical judgment calls of this kind.

    Certainly I'd be much more comfortable defending a practice of holding letters behind the counter until asked for as an "appropriate process" than I would the practice of leaving the letters in a bucket in the street for anyone to pick up.


  • Registered Users Posts: 78,245 ✭✭✭✭Victor


    In present circumstances, the method of dealing with this is for the letters to be kept safe, the patient to phone when they are outside and a staff member to then place the letter outside, in view of the patient.


  • Registered Users Posts: 26,056 ✭✭✭✭Peregrinus


    Here's a thought: wouldn't it be simpler just to post or email a copy of the letter to the patient?


  • Registered Users Posts: 78,245 ✭✭✭✭Victor


    Peregrinus wrote: »
    Here's a thought: wouldn't it be simpler just to post or email a copy of the letter to the patient?
    The patient may need the letter on short notice.


  • Registered Users Posts: 26,056 ✭✭✭✭Peregrinus


    Victor wrote: »
    The patient may need the letter on short notice.
    The OP doesn't suggest there was any particular urgency, and also reports that the bucket was "absolutely filled" with letters to people. This suggests that this is the standard way in which the practice in question provides copies of referral letters.


  • Registered Users Posts: 798 ✭✭✭Yyhhuuu


    Peregrinus wrote: »
    The OP doesn't suggest there was any particular urgency, and also reports that the bucket was "absolutely filled" with letters to people. This suggests that this is the standard way in which the practice in question provides copies of referral letters.

    Many doctors I know would be too mean to post a letter.


  • Registered Users Posts: 792 ✭✭✭Ziegfeldgirl27


    Peregrinus wrote: »
    The OP doesn't suggest there was any particular urgency, and also reports that the bucket was "absolutely filled" with letters to people. This suggests that this is the standard way in which the practice in question provides copies of referral letters.

    This is correct, there were hundreds of letters in the box. I was advised on Thursday that my letter was printed and ready to collect, I advised that I was working and wouldn’t be able to attend to collect it until Monday (thinking that I had to arrange a date and time with them). So I also have reason to believe that my letter was in the box from Thursday until Monday.

