- Posted Wednesday November 21, 2018
Over the past eighteen months I have written a number of blogs on the implications and interpretations of GDPR.
We have all received advice and guidelines on its ramifications, but I wonder if a recent incident at my practice is indicative of the continued confusion.
Let me explain, and see what you think. A retirement property company emailed us a list of their residents who needed the flu vaccination this year. Going through the list of names and flat addresses, we found that a fair number of the patients were not ours.
So, we asked ourselves, is this a GDPR breach? We felt it was and so the next step was to contact our Data Protection Officer (DPO), who was in the Information Governance Department for our area.
Their response agreed with our assessment, which was that GDPR had been breached - but they also said we did not need to take action as it was not us who caused the breach.
I responded, ‘What do you mean?’, and they replied that it is the care home’s responsibility to report the breach to the ICO – all we can do is advise them of the breach. They told me to just return the email to them, but what is the point of that?
This set me thinking: it’s a bit like turkeys voting for Christmas… you need to report yourself for a breach. How many breaches will get covered up by not being reported?
I then got in touch with the ICO and without mentioning names I gave them the scenario and they agreed with everything I had been told - yes it seemed like a breach and our DPO was right that the care home should report it, not us.
I then asked why we cannot report this breach ourselves, but the ICO clarified that it is up to the care home to report it and not me. I could report it, and it may be investigated, but the ICO would not be able to discuss the case and findings with me.
Is this a law with little chance of enforcement because it relies so heavily on self-reporting?
I later contacted the care home and they said that all the residents on the list we received had agreed it would be better if one practice came in to do the flu jabs, and they thought we would be happy with that.
They did not think it mattered if they were not our patients and, in any case, it was easier for them to get the jabs done on one day. I am still discussing this matter with them, but they tend to say they have not done anything. Should there be any developments, I will let you all know.
Have you found yourself in any tricky positions in the months following GDPR? Let us know in the comments below. FPM members can access the GDPR Toolkit for a wealth of information and resources.