The ICO has recently published figures for the health care sector data breaches in the period 1/7/20 to 30/9/20 which show that, once again, the health sector is top of the league when it comes to data breach. During that period 442 heath sector data breaches came to the attention of the ICO. This suggests that the underlying problem is  probably far greater.

Why should this be so? And does it really matter?

The health care sector in the UK is enormous! The NHS alone is one of the largest employers in the world, with over 1.3 million staff.

For the NHS a typical day includes:

  • over 835,000 people visiting their GP practice or practice nurse
  • almost 50,000 people visiting accident and emergency departments
  • 49,000 outpatient consultations
  • 94,000 people admitted to hospital as an emergency admission
  • 36,000 people in hospital for planned treatment


Needless to say this level of daily activity produces a huge amount of heath care data, much of which will be extremely sensitive personal data, and patients have the right to expect that information will be looked after.

What data is being handled by the health care sector?

The UK GDPR defines health data in Article 4(15):

“‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.

Health data can be about a person’s past, current or future health status. It not only covers specific details of medical conditions, tests or treatment; but includes any related data which reveals anything about the state of someone’s physical or mental health.

Health data can therefore include a wide range of personal data, for example:

  • any information on injury, disease, disability or disease risk, including medical history, medical opinions, diagnosis and clinical treatment;
  • medical examination data, test results, data from medical devices, or data from fitness trackers;
  • information collected from the person when they register for health services or access treatment;
  • appointment details, reminders and invoices which indicate that a person has a particular medical condition

Why is health data special?

It’s not just that this type of information might be seen as more sensitive or ‘private’. The recitals to the UK GDPR explain that heath data, along with other types of personal data, merit special protection. This is because (mis)use of this data could create significant risks to the individual’s fundamental rights and freedoms. And in relation to heath data the presumption is that this type of data needs to be treated with greater care because collecting and (mis)using it is more likely to interfere with these fundamental rights or expose an individual to discrimination.

Of course some medical records are more sensitive than others. Details about a person’s mental health breakdown are likely to be much more sensitive than details of a physical injury suffered in an accident at work. And whilst one person may not be worried or upset about the unauthorised disclosure of their medical records; another might be deeply distressed.

So why are these mistakes being made in the health care sector?

The ICO reports that of the 442 health care data breaches, 64 were cyber and 378 non-cyber.

“This suggests that the great majority of health care data breaches are caused by human error” says Sarah Bacchus, a solicitor at DRM Legal. “A large part of the problem is that heath care professionals simply do not understand the law when it comes to the disclosure of their patient’s health data.  Unless the patient consents to the disclosure or the disclosure is required by law, or can be justified in the public interest, then a patient’s medical records should simply not be disclosed to third parties. Whilst improvements have certainly been made to data protection the health care sector, there is still much work to be done”, adds Sarah.

If you think your medical records or heath data may have been wrongly disclosed contact one of our specialist solicitors at DRM Legal and we will advise you if you have a claim for compensation.