In advice to its staff, Southern Health publicises that Gloucester Police have been fined £80,000¹ for disclosing 56 names and email addresses by failing to use the BCC facility! The police realised their error two days later and recalled the emails.
The words, POT, KETTLE, BLACK come to mind. Southern Health made the same mistake in September 2017. At a Board Meeting on 26.09.17, a member of the public stated:
To avoid breaching the addressees’ privacy again, CRASH will not be publishing the errant email – just the Trust’s answer – also from the Board Meeting Minutes:
In short, no answer at all. Kicked into the long grass: to the best of our knowledge and belief, the ‘offending’ email was not recalled.
And note that the full public statement is ‘sanitised’ in the body of the Minutes as ‘Issues relating to data security’, whilst the full statement is posted separately from the Minutes on Southern Health’s web site as an Appendix here. How many just read the Minutes and then look for a separate document? There is no logical reason why the Minutes and Appendices should not be in one document.
CRASH, Dr Sara Ryan and others have considerable experience of Southern Health’s compliance (or lack of it) with information governance legislation over the years. The Trust clearly has been reading Dilbert.com.
Recently, there has been another very serious breach of data protection legislation, which cannot be reported for legal reasons.
In Memoriam – ‘Vital Interests’ Exemption
Despite Southern Health’s record on data security, when they can disclose data legally in the ‘vital interests’ of a patient (Sch. 3(3) of The Data Protection Act 1998¹), they don’t.
Wherever we go, it’s hard to avoid Southern Health. This sad epitaph is at Hythe Marina overlooking Southampton Water.
A 20-year old lad told a therapist at Antelope House that he intended to end his life.
They told the family he had made an appointment, but not that he had threatened to kill himself.
“Our staff work hard to assess risk and agree a balanced response with each patient, taking into account their wishes about confidentiality.”
Nonsense! Many staff work hard, but, in this case (aside from the obvious ‘vital interests’ test), Southern Health had broken confidentiality already in telling the family he had an appointment at a mental health unit. Common sense might have been a useful asset too!
Perhaps, Dr De Wet, you should work harder to train your staff in matters relating to The Data Protection Act, and also tell them to use their common sense if there is a threat to life. ‘Data Protection myths and realities’ is perhaps one of the best papers published by the Information Commissioner’s Office:
“Data protection law reinforces common sense rules of information handling, which most organisations try to follow anyway.
“Some organisations understandably err on the side of caution and do not release information when they could do so.”
¹ The Data Protection Act 1998 was replaced by The Data Protection Act 2018 and The General Data Protection Regulation (“GDPR”) from 25 May 2018. Harsher penalties are available under the 2018 Act and GDPR, but they cannot be applied retrospectively – or Gloucester Police’s fine might have been even higher.