Royal Cornwall Hospitals NHS Trust has acknowledged that it breached the Data Protection Act on two occasions and has signed an undertaking with the Information Commissioner’s Office. According to a press release issued by the ICO today:
The first breach happened in July 2010 when an individual received a response to a subject access request for information the Trust held about them. Instead of sending the requester information solely about them, the Trust disclosed someone else’s information. A similar disclosure occurred in December 2010 when the same requester received a second subject access response containing third party information.
The undertaking really doesn’t add more detail on the incidents.
It seems like the ICO wants to make a point of telling data controllers to be careful in responding to data subject requests for records. That’s certainly a good point, but it doesn’t really explain why the Commissioner didn’t take the opportunity to offer a timely reminder about the need to secure diagnostic devices that store patient data.
Given how everyone is concerned about brand or reputation damage, it would be nice to know how the ICO decides which undertakings should result in a press release and which won’t.