Robert Richardson was understandably filled with shock and dismay when he inadvertently discovered that his health records had been accessed and his personal and private details shared without his consent.
The unlawful processing related to a data breach that had taken place in 2016, but Richardson, from Hampshire, UK, only discovered the breach after submitting a DSAR (Data Subject Access Request) to Southern Health NHS (National Health Service) Trust, two years later.
Now the Trust has held its hands up, saying it fell short in its duty to safeguard patient data and to uphold data privacy standards. The incident involved a Trust worker accessing and sharing Mr Richardson’s confidential information without consent.
According to Mr Richardson’s legal representatives, the discovery took place after the 61-year-old asked the local council for a replacement front door to his property. New Forest District Council then contacted the relevant NHS department to ask whether Mr Richardson was known to mental health officials.
Mr Richardson said:
“I asked the local council to replace my front door for added security for my family, but they were not forthcoming. I had concerns about what was happening internally at the council in relation to my request.
“I proceeded to make a Right of Access request only to discover that they had contacted the NHS with the suspicion that I was suffering mental health issues.
“I was stunned and very upset to discover that this had taken place without my knowledge, or consent, and even more upset that the NHS had proceeded to access my private medical records to confirm to the council that I had not been a mental health patient, again without my knowledge or consent,” he added.
“This followed a simple request to have the back door of my property replaced and at no point did the council, or the NHS, ask permission to share my private information,” Mr Richardson continued.
Representing Mr Richardson, James Kelliher, litigation executive at cyber-security specialist Hayes Connor Solicitors, said:
“The Trust admitted that a technical breach of the Data Protection Act had occurred. Our client discovered the breach purely by chance.
“It is concerning that private medical information was accessed and details shared without our client’s consent. Had he not made a Right of Access request, the breach would have gone undetected.
“We pursued a successful data breach claim against Southern Health NHS Trust on behalf of Mr Richardson, securing £1,500.
“GDPR came into force last year, raising awareness of data privacy; however, individuals’ private information has been protected by data protection laws for some time pre-dating this, a fact that both the council and NHS Trust should have been well aware of.”
A Southern Health NHS Foundation Trust spokesperson said:
“We take patient confidentiality extremely seriously and work hard to ensure people’s information is processed in accordance with their wishes. In this case, we apologise as we fell short of these standards and have updated our information sharing policy and staff guidance to provide clarification around information sharing requests from third parties.”
The post #Privacy: UK man given £1.5k after DSAR reveals data breach appeared first on PrivSec Report.