NHS Foundation Trust leaks patient email addresses

On the 6th September the Tavistock and Portman Clinic sent out an email inviting just under 2,000 patients to participate in an art competition. Unfortunately for the clinic, all the email addresses were visible to all the recipients.

An initial assessment of this could merely be that the staff member was poorly trained in data protection and should have put the names in the BCC field. It’s unfortunate for the recipients, but no real harm will come of it. There is however a rabbit hole we can and will go down.

The first thing to consider is ‘the risk to the rights and the freedoms of natural persons’. This is the terminology and the test that the Information Commissioner’s Office (ICO) will apply when determining how much damage could be done. Superficially, an email address is just an address. The important consideration here is that it was sent to patients of the Tavistock Clinic, which helps transgender children. It can therefore be reasonably assumed that the address is for a potentially vulnerable child. This information will be sought out by people who seek to harm or exploit the data subjects.

Looking deeper, what was the purpose of the email and how does that relate to the core services offered? Is the invitation to take part in an art competition part of the core service of the clinic? Is there some therapeutic aspect to the art? Whilst the content of the email is not available at the time of writing, were patients invited to reflect on their experiences through art? Certainly, the lawful basis for processing could be Legitimate Interest (LI) under those circumstances. It would raise serious questions about whether and how the art should be stored, displayed and judged. Was the art going to be assessed from a psychological perspective? A Legitimate Interest Assessment (LIA) would be crucial under all these circumstances.

If the purpose was merely to provide a shared diversion, the email will have required Consent.

Information relating to the sex life or sexual orientation of a person is classed as special category data (SCD). It would therefore be reasonable to assume that in this context the email address itself is SCD. Regardless then of consent or LI as the basis for processing, this imposes a new set of obligations on the data processor, one of which is to find a specific lawful basis for the processing. A review of the options available suggests that finding an applicable lawful basis is not straightforward.

Management will refer to their ‘Email, Text and Internet Use Procedure’. This was published in October 2015 and was due for review in September 2017, although it hasn’t been.

It states:

6.4.14 Unless you have permission to share people’s contact details you should not do so; this applies to all external contacts but may, in certain circumstances, apply internally as well. To avoid inadvertently sharing other people’s email addresses, recipients should be selected in the ‘Bcc’ box, not the ‘To’ box. This method is also useful if you wish to keep your recipients from knowing who the other recipients are, and prevents recipients starting new ‘reply-all’ email trails, which can often multiply alarmingly.

The guidance is therefore to ‘Use BCC’, and the member of staff didn’t. The temptation at this point may be to point a finger at the member of staff. There are issues with this. Firstly, how was the activity approved? Was an LIA undertaken? Were controls in place? Was the member of staff trained? Did management take responsibility for ensuring that staff have read and understood the correct procedures? What technical measures were identified? Lastly, why was email used at all?

In 2016 the 56 Dean Street Clinic had a very similar issue under the previous data protection regime; it was fined £180k out of a maximum of £500k and suffered considerable reputational damage as a result. A software solution should have been in place to ensure that this didn’t happen. Software exists to quarantine mail to multiple outside recipients until approved by a manager. Behavioural analysis software could have identified that this was out of the ordinary behaviour and flagged it. The ‘easiest’ solution would have been to use a mass mailing service that would have also allowed users to manage their consent. Easiest was in quotes as there are considerable privacy considerations with how mailing services can and do use your data and combine it with data from other sources.
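As a sketch of the quarantine control mentioned above (an added example, not code from the article or from any mail product), the check below holds an outbound message when more than one external address is readable in its To/Cc headers, while a Bcc send to the same recipients passes. The internal domain, the threshold and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"clinic.example"}  # assumption: the organisation's own domains
MAX_VISIBLE_EXTERNAL = 1               # assumption: hold if more than this are exposed

def visible_external(msg):
    """External addresses that every recipient can read in To/Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    exposed = []
    for _name, addr in getaddresses(headers):
        addr = addr.strip().lower()
        if "@" not in addr:
            continue  # skip empty or malformed entries
        if addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS and addr not in exposed:
            exposed.append(addr)
    return exposed

def gate(raw_message, envelope_rcpts):
    """Decide whether an outbound message is released or held for approval.

    Bcc recipients exist only in the SMTP envelope, so a correctly
    addressed bulk send exposes nothing in the headers and passes.
    """
    exposed = visible_external(message_from_string(raw_message))
    decision = "QUARANTINE" if len(exposed) > MAX_VISIBLE_EXTERNAL else "RELEASE"
    return {"decision": decision, "exposed": exposed,
            "envelope_count": len(envelope_rcpts)}

# Constructed sample messages (not real addresses).
RCPTS = ["a@mail.example", "b@post.example", "c@inbox.example"]
TO_FIELD_SEND = (
    "From: events@clinic.example\n"
    "To: " + ", ".join(RCPTS) + "\n"
    "Subject: Art competition\n\nBody\n"
)
BCC_SEND = (
    "From: events@clinic.example\n"
    "To: events@clinic.example\n"
    "Subject: Art competition\n\nBody\n"
)

if __name__ == "__main__":
    print(gate(TO_FIELD_SEND, RCPTS))
    print(gate(BCC_SEND, RCPTS))
```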

Whilst the analysis raises more questions than answers, what is clear is that there was managerial failure to assess the risks and put appropriate controls in place. There is clear precedent for a large fine, and the fact that high profile precedent exists, which should have been a lesson to the clinic, is damning. The fine will likely be considerable, although its effectiveness will be questionable; do consider that the NHS is a part of the Department of Health and Social Care and will pay any fine to HM Treasury (who funds the Department of Health and Social Care) as instructed by the ICO sponsored by the Department of Culture Media and Sport. It’s quite circular.

Fines aside, there are lessons everyone can learn from this. To avoid the same issue yourself, you should:

  • Understand what activities your organisation is undertaking and the risks involved
  • Always consider the risk associated with personal data given the context in which it is held
  • Ensure that your staff have appropriate training
  • Ensure your policies are up to date, relevant and understood
  • Have appropriate systems in place to mitigate any unacceptable risks
  • Have appropriate knowledge available to you to help you manage the risks

The Tavistock and Portman NHS Foundation Trust have released a statement.

If you need it, our experts can help. Please contact us by emailing us at help@protecture.org.uk or call us on 020 3691 5731.