Teal blue graphic

Subject access requests and confidential information

The Information Commissioner's Office (ICO) has recently fined a GP practice £40,000 following a breach of data protection law whilst dealing with a subject access request (SAR) under the Data Protection Act 1998. 

The practice was held to have wrongly provided confidential medical records and contact details for a patient and her family to the patient's ex-partner, even though the patient had expressly warned the practice that her family's confidential information should be protected. 

Failure to put in place adequate controls

The investigation by the ICO held that a member of staff at the practice had released the confidential information because the practice had failed to put in place effective systems and controls to ensure that staff were adequately trained on how to deal with subject access requests. 

Steve Eckersley, the ICO’s Head of Enforcement, said: “In failing to ensure staff were properly equipped to safeguard against unauthorised disclosures, this medical practice placed a member of its team in the firing line".

Level of the fine

The ICO confirmed that the fine of £40,000 was issued because the partners at the practice would be individually liable. It warned that organisations committing a breach of this scale could expect to receive a much higher fine.

Dealing with subject access requests

The ICO recently reported that 46% of all complaints made to them last year were about SARs and the difficulties people face when trying to get hold of their personal information.  It is therefore vital that organisations ensure that their staff are trained on how to deal with subject access requests and to understand what information an individual is entitled to request.

This fine also highlights the importance for an organisation to check whether the person making the request is the individual to whom the personal data relates. The checks an organisation may undertake should be reasonable in the context of the possible harm and distress to the individual concerned by inappropriate disclosures.

The ICO has produced a range of useful guidance for organisations on how to manage subject access requests, including a comprehensive subject access Code of Practice and a short checklist on handling requests.  

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.


Insights & events View all