Almost 2,000 transgender patients had their personal details leaked by a leading London gender identity clinic last week. A member of staff at The Charing Cross Gender Identity clinic accidentally CC’d patients into an email revealing the names and email addresses of hundreds of other clients.
The leak represents a serious breach of patient confidentiality concerning the dissemination of highly sensitive medical and personal information. The incident was similar to a data breach which involved the email details of 800 patients diagnosed HIV positive being leaked by a clinic on 56 Dean Street in 2015. The Information Commissioner fined the clinic £180,000. However, this was before GDPR was implemented, which is much stricter than its predecessor the Data Protection Act 1998. The new law stipulates that the data processor can be directly liable as well as the data controller and in respect of sensitive data, it requires “explicit consent” for processing data rather than a “legitimate interest”.
The new, tighter data protection regulations also mean much larger fines are issued based on a value of either up to 4% of annual global turnover or the equivalent of €20 million – whichever is greater. Take Facebook for example, which was fined £500,000 by the ICO in the wake of the Cambridge Analytica scandal in October 2018, but which would otherwise have been fined up to £1.2bn under the new regulatory system.
Lessons have not been learnt from the 56 Dean Street email leak regardless of the threat of such large fines. Organisations are entrusted by customers with their private data and have a legal duty to protect it. It’s clear that this warning isn’t always heeded and those responsible need to be held accountable for their actions. Organisations need to prevent data breaches rather downplay their impact. This is particularly true of gender identity clinic case, where the release of extremely sensitive information could cause serious emotional distress to those affected. Indeed, any fine handed down by the ICO could be greatly increased depending on the number of compensation claims for emotional distress. For example, those claimants most seriously affected by the 56 Dean Street leak are likely to receive damages of up to £25,000, with claims assessed on individual merits in terms of the impact to the person. Five figure sums could once again be possible as a result of this latest scandal.
As the ICO stated in addressing the gender identity clinic case, “all organisations processing personal data should do so safely and securely,” and they must communicate any breaches within 72 hours. While the clinic performed the latter dutifully, it fell well short of expectations in its handling of the data initially. Customers deserve better when the consequences of a leak are so damaging – and they should seek the compensation that is rightfully theirs.