Compensation could run to millions as thousands hit by NHS data breach

A data breach by the Charing Cross Gender Identity Clinic operated by the Tavistock and Portman NHS Foundation Trust is likely to lead to substantial claims for compensation from around 2,000 patients whose names and email addresses were accidentally released last month (September 2019).

The data breach occurred when two group emails concerning an art competition were sent to the patients with the email addresses of all the recipients visible.

The incident, which has been referred to as ‘a horrendous breach of privacy that could have an impact on people’s lives’ has raised fears that people could be outed to family members or to their communities with the risk of them being known to be trans, affecting their wellbeing and safety.

This incident is likely to be regarded as a breach of the common law duty of confidence that the Clinic owes to its patients, a misuse of the medical information it holds for them, a breach of the General Data Protection Regulation and of the patients’ human rights to ‘respect for their private life’.

The Trust is now likely to face a substantial fine from the Information Commissioner’s Office and with solicitors already instructed, claims for significant compensation from the victims, which - together with legal and court costs - could run into many millions of pounds.

On the Clinic’s side, it now has to take whatever steps it can (after the event) to limit the wider disclosure of this information and provide support to those affected. However, as the information has already been disclosed, it is difficult to see how further damage to the patients concerned can be avoided.

Although the breach appears to have been entirely accidental, or one that occurred as a result of an individual ‘human error’, this will not provide a defence to compensation claims and it is unlikely to carry any real weight with the ICO, whose investigation will focus on how robust the Clinic’s (and possibly the wider NHS trust’s) data protection measures were to prevent these types of incident occurring.

The two lessons that can be taken from the unfortunate incident are firstly, as the use of email is now the standard method of communication, every organisation should have robust data protection procedures and effective staff training in place to minimise the risk of a similar incident. Secondly, and of equal importance, organisations should have in place a well-developed and practised disaster recovery plan that allows them to immediately react to minimise the damage caused by incidents such as this one.

David Sinclair is a senior solicitor at rradar, a specialist litigation and commercial law firm that uses legal expertise and digital tools to proactively reduce legal risk. For further information on data and cyber security, contact David at: David.sinclair@rradar.com or visit https://www.rradar.com/cyber-data-and-information-law