GDPR Time Limits

    Hi, an organisation disclosed my medical records without my consent. I raised a complaint and told them it was a GDPR breach, but they refused to report themselves, which, as I understand it, they are obliged to do within a strict amount of time.

    My question is, is there a time limit imposed upon me too to report it? My understanding is that one must report GDPR breaches to the ICO, but I can't find out if there are any deadlines by which the victim must report. The ICO website seems to be geared towards time limits by which organisations must report themselves, but it's unclear how quickly the victim must report them.

  • #2
    Hello

    What was the outcome of the complaint?

    Just to correct you slightly, the UK GDPR does not require controllers to report every single data breach; rather, notifications to the ICO should be made without undue delay, and within 72 hours of becoming aware of the breach, and only if there is a risk to the rights and freedoms of an individual. Disclosure of medical records could warrant them self-reporting, but if they don't then they need to have a good justification for not doing so.

    You are free to report the organisation directly to the ICO if you so wish by making a complaint, and the ICO should investigate accordingly. The organisation is obliged to inform you of your rights as part of your complaint.
    If you have a question about the voluntary termination process, please read this guide first, as it should have all the answers you need. Please do not hijack another person's thread as I will not respond to you
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    LEGAL DISCLAIMER
    Please be aware that this is a public forum and is therefore accessible to anyone. The content I post on this forum is not intended to be legal advice nor does it establish any client-lawyer type relationship between you and me. Therefore any use of my content is at your own risk and I cannot be held responsible in any way. It is always recommended that you seek independent legal advice.

    • #3
      Originally posted by R0b
      Hi, thanks for your response.

      There was no definitive outcome of the complaint, as the organisation in question doesn't even have a formal complaints process, nor a complaints officer to handle complaints. The admin individual who committed the GDPR breach was replying to me for the most part, despite my repeated requests for an independent complaints officer to handle the matter. Despite my several requests for a copy of their written complaints procedure, I was never provided one. It was very much a case of a small company winging it, with them not understanding the severity of the complaint nor understanding the importance of having a proper complaints protocol in place.

      The outcome therefore was along the lines of 'we thought we had implied consent to disclose medical records' and 'we will therefore be closing your complaint'. This was in a single-paragraph email. Rather surprisingly, they didn't bother to put their conclusions in writing with letterhead correspondence. There was no appeals/ombudsman/regulatory contact provided either, which I would have thought would be a mandatory requirement when rejecting a complaint. Just a very unprofessional, arrogant outfit. I very much doubt they understand that there are penalties that can be imposed for breaching GDPR.

      I work in law myself, and whenever there's a complaint it's treated appropriately. Even if we know we've done nothing wrong, the complaints officer needs to be informed, the file needs to be in order and corrective action needs to be taken ASAP, concluding with the complaints officer stating in writing whether the complaint is upheld or not and providing an appeals/independent body, should the client wish to take it further. I am staggered that there are organisations out there that don't understand the ramifications of mishandling a complaint.

      • #4
        Unsurprising if the organisation is a small one, and judging from what you have described, I would be surprised if they had any policies on data protection and processing.

        Medical data is generally considered to be data related to health and is therefore classed as a special category of data, so not only does the organisation need to comply with the conditions of processing under Article 6, they also need to comply with Article 9. Implied consent is not one of the criteria under Article 9, and the ICO guidance is useful in understanding what conditions can be relied upon: https://ico.org.uk/for-organisations...category-data/.

        Given that they are so blasé about your medical records and don't think it is necessary to inform the ICO, I think you should definitely consider making a formal complaint. Be aware, though, that the ICO has stated that it will be shifting away from fining companies and instead becoming more educational on how to prevent data breaches and best practice. I think it's madness, since the only way to hurt businesses, especially the larger organisations like Facebook and Google, is financial penalties, but hey ho.

        You may also want to instigate legal action for breach of your rights under the GDPR and seek compensation for non-material damages, e.g. losses that are not financial such as distress or inconvenience; if there are financial losses incurred as a result, then you could claim those also. How much you claim is fact specific, but anywhere from £750 through to a couple of thousand is usually about right. Higher compensation amounts have been awarded where there is a significant risk to individuals, but there's currently no general formula for calculating compensation for non-material damages.
        • #5
          Originally posted by R0b
          Thanks for your replies, you've been incredibly helpful.

          Their belief about implied consent was truly baffling, as I'd actually told them NOT to disclose anything to the third party unless I consented to it. It's even written on the first page of the document in question: 'do not disclose'. Despite this, a record of my medical information (containing several inaccuracies too) was disclosed to a third party without my permission; in fact, it was disclosed to a third party before it was even disclosed to me!

          I work in RTA, so I'm used to how these things work. When a claimant has a medical examination, the claimant must authorise disclosure of the report. I expected the same level of care to be extended to me, and it's absolute madness that any organisation processing medical information doesn't have this type of consent-based system in place.

          I did make the ICO complaint online yesterday; it was only after submitting it that I thought about time limits, so I came here to check if limitation might scupper my efforts.

          I did take a look on Google for solicitors previously, but I wasn't impressed with many of the websites as they weren't clear about their fees. Ideally, if the ICO can confirm that there has been a breach, then I might issue proceedings myself.

          • #6
            I came across this thread looking for info on how best to deal with a medical breach by an occupational health provider. My case is so similar that I am just going to post it here.
            I was referred to OH by my employer after a long-term medical leave, and I know they sent the report to my employer without my consent. They sent me my report, and a few days later I was told by my line manager that she had it. I then contacted the OH company asking about a consent form, and they directed me to a section on their site where consent can be given, basically failing to admit that they had already disclosed the report. After a few days they contacted me again, urging me to finalise consent so that the report could be shared with my employer. This is quite a big company that ought to know better.
            I plan to report them to the ICO, but I am also thinking of challenging them legally. Which court would be appropriate for such a case? I know that data breach compensation is quite low, so will it even cover legal fees?
