London Gender Identity Clinic fined for serious data breach of patient information
Leading information law solicitors confirm that patients of the Gender Identity Clinic affected by its 2019 data breach are likely to be able to claim for compensation, following the recent fine imposed on the clinic by the Information Commissioner’s Office.
Posted on 06 July 2022
The Information Commissioner’s Office (ICO) has fined the Tavistock and Portman NHS Foundation Trust, the NHS body responsible for the Gender Identity Clinic (previously known as the Charing Cross Gender Identity Clinic), the sum of £78,400. This was for a breach of the General Data Protection Regulation (GDPR) in relation to the serious data breach it suffered on 6 September 2019 affecting the personal data of an estimated 1,781 patients.
The Gender Identity Clinic (GIC) accepts UK-wide referrals for people with matters relating to gender identity. It was established as part of the Charing Cross Hospital in the West End and moved with it to Fulham in 1973. In 2020 it moved to its present location on the Finchley Road in North London.
As The Guardian reported at the time, on 6 September 2019 a group email containing information concerning an art competition was sent to 1,781 active patients of the GIC. The information was sent in two batches and in both batches the patients’ email addresses were mistakenly entered into the "To" field instead of the "Blind carbon copy" (Bcc) field, as had been intended. The recipients of each group email could therefore see the email addresses of all the other recipients of that email, who they could infer were also patients of the GIC. The majority of the email addresses contained the patients’ names and/or initials but even without this could still be used to identify them.
Following its investigations, the ICO found that, contrary to the requirements of the GDPR, the Trust negligently failed to process patients’ information in a manner that ensured appropriate security of their personal data. The ICO confirmed that the Trust had suffered two very similar incidents involving the use of "To" rather than "Bcc" fields in September and December 2017.
The clinic had failed to learn from these incidents: it had not adopted an alternative and more appropriate method for sending mass emails (despite seeming to have access to a suitable solution), had not limited the maximum number of recipients to whom an email could be sent at any one time, and had no procedure for another member of staff to double-check emails before they were sent out.
The ICO was also critical of the GIC's decision to send out the email in the first place, saying that the patients had not clearly consented to their personal data being used for activities not directly related to clinical issues.
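A defender's view of the controls the ICO found missing, as an added example that is not from the page or the Trust: a small Python helper that keeps patient addresses out of the visible To/Cc fields, caps the number of addresses per message, and replaces a purely manual double-check with an automated pre-send gate. The sender mailbox, organisation domain, batch ceiling and patient addresses are all assumed or constructed values.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed batch ceiling for this example; the page gives no figure for the Trust's own limit.
MAX_BCC_PER_MESSAGE = 50


def build_bcc_batches(sender, recipients, subject, body, max_per_message=MAX_BCC_PER_MESSAGE):
    """Split a mass mailing into messages whose recipient addresses live only in Bcc.

    The visible To field carries only the sending mailbox, so no recipient can see any
    other recipient, and the batch size caps how many addresses one slip could expose.
    """
    batches = []
    for start in range(0, len(recipients), max_per_message):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = sender
        msg["Subject"] = subject
        msg["Bcc"] = ", ".join(recipients[start:start + max_per_message])
        msg.set_content(body)
        batches.append(msg)
    return batches


def visible_recipients(msg):
    """Every address a recipient would see in the delivered headers (To and Cc)."""
    headers = list(msg.get_all("To", [])) + list(msg.get_all("Cc", []))
    return [addr for _, addr in getaddresses([str(h) for h in headers])]


def precheck(msg, own_domain):
    """Pre-send gate: refuse the message if To/Cc expose any address outside the sending org.

    Returns True when safe; raises ValueError otherwise, so a send wrapper cannot skip
    the check the way a manual double-check can be forgotten.
    """
    exposed = [a for a in visible_recipients(msg) if not a.lower().endswith("@" + own_domain)]
    if exposed:
        raise ValueError(f"To/Cc would expose {len(exposed)} external address(es); use Bcc")
    return True


def mistaken_message(sender, recipients, subject, body):
    """The failure mode from the incident: every recipient placed in To instead of Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg
```

When a batch is handed to `smtplib.SMTP.send_message`, the standard library uses the Bcc header for the envelope recipients and strips it from the transmitted copy, so the addresses never reach other recipients.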
The ICO identified the data breach as being a significant contravention of the GDPR and stated that “the infringement is likely to cause distress to the service users who knew that their names had been disclosed to unauthorised recipients, who could infer that they were receiving support from the Trust with regard to gender identity matters. Further, the service users would be distressed by justifiable concerns that their data has been further disseminated or misused by those who had access to it, even if those concerns do not actually materialise. The Commissioner considers that such distress was likely to be substantial having regard to the number of affected individuals and the nature of the personal data involved.”
The ICO also referred to newspaper articles reporting the incident, including quotes from affected individuals, and described the incident as a "horrendous breach of privacy" which could impact people's lives, for example by "outing" individuals who had not informed their family or their community as to their gender status, where there may be "a risk to them being known to be trans. That could be hugely dangerous to their wellbeing and safety".
While fining the Trust £78,400 for the data breach, the ICO stressed that “given the seriousness, nature and extent of the contraventions described above, the penalty imposed could have been significantly higher, up to £784,400. However, in determining the amount of the final penalty in this case the Commissioner has taken into account the circumstances of the contravention and the public role of the organisation”.
Sean Humber, a data breach specialist and partner at Leigh Day, who has successfully acted in a series of claims for patients relating to the unauthorised disclosure of confidential medical information over the past 20 years, said:
“As the ICO recognised, this was a serious failure by the Trust to keep safe very sensitive and personal patient information. The incident is all the more regrettable because of the Trust’s failure to learn from two earlier incidents and the fact that the email in question is not one that they should have been sending out in the first place as they did not have the required permissions. It is disappointing that the clinic did not treat the valuable personal data it held with the care it deserved; we hope that it has now put much more robust systems in place to prevent anything like this happening again.”
Gene Matthews, a group claims specialist and partner at Leigh Day, who has successfully acted in a succession of large group claims over the past 20 years, added:
"Completely separate from any fine levied by the ICO, affected patients are likely to be entitled to compensation for the distress suffered and any financial losses incurred. As you might expect, this compensation could be considerable in light of the sensitive nature of the information unlawfully disclosed by the Gender Identity Clinic."
If you have been affected by this data breach and wish to receive more information, in complete confidence and without obligation, then please get in touch by completing our form. We can advise you about instructing Leigh Day to act for you in bringing a claim for compensation against the Trust on a “no win, no fee” basis.
Sean is an experienced human rights lawyer and privacy breach compensation claims specialist
Gene specialises in consumer law, product liability and data protection claims, mainly brought as group claims/multi-party actions