Serious data breach by London gender identity clinic
Leading lawyer says data breach by the Charing Cross Gender Identity Clinic likely to lead to substantial claims for compensation
Posted on 06 September 2019
A leading human rights and information law lawyer has said that today’s actions of the Charing Cross Gender Identity Clinic, in mistakenly revealing the identities of almost two thousand of its patients, are likely to lead to substantial claims for compensation by those affected.
Tavistock and Portman NHS Foundation Trust, the NHS body responsible for the Charing Cross Gender Identity Clinic has issued a short statement this afternoon stating that “due to an error”, a group email concerning an art competition was sent to patients at the Clinic with the email addresses of all recipients of the email visible.
The Trust refers to the incident as “a serious data breach” and provides contact details for those wishing to access support services. The BBC have reported that two separate emails were sent out by the Clinic with the details of about 900 patients visible in each.
Shon Faye, one of the affected patients, has referred to the incident being a horrendous breach of privacy that could have an impact on people’s lives and stated that “it could lead to people being outed to family members or to their communities as being trans, where it may be a risk to them being known to be trans. That could be hugely dangerous to their wellbeing and safety.”
The incident is likely to represent a breach of the duty of confidence that the Clinic owes to its patients, a misuse of the medical information it holds for them, a breach of the General Data Protection Regulation in relation to the Clinic’s obligations to hold patient information securely and a breach of the patients’ human rights in relation to respect for their private life
The Trust is now likely to face a very substantial fine, almost certainly running into the millions of pounds, from the Information Commissioner’s Office, the UK’s data protection watchdog, for failing to keep patients’ personal information safe.
Sean Humber, from the human rights team at Leigh Day, who has successfully acted in dozens of claims for patients relating to the unauthorised disclosure of confidential medical information over the last 20 years, stated:
“This extremely unfortunate disclosure of sensitive personal information is clearly unlawful – being a breach of the duty of confidence owed by the Clinic to each of its patients and a misuse of their private information as well as being a breach of the General Data Protection Regulation. It is also likely to represent a breach of the patients’ right to a private life under the Human Rights Act.
“The number one priority must now be for the Clinic to take whatever steps they can to limit the wider disclosure of this information and provide any support required by those affected. However, given that the information has already been disclosed, affected patients are likely to be entitled to substantial awards of compensation for distress and any other losses suffered as a result of the unauthorised disclosure of their confidential information.
“Even if the breach turns out to have been entirely accidental or occurred as a result of individual human error, this will be no defence to a claim for compensation. Organisations are required to have robust measures in place to prevent these sorts of incidents occurring, something that seems to have been sadly lacking in this case. It is also important to emphasise that claims for compensation by affected patients are entirely separate from any action that the ICO are likely to take.”
If you have been affected by this data breach and wish to receive more information about bringing a claim for compensation then please get in touch by completing our form.