Almost every organisation with which we come into contact these days is keen to know about us and the way in which we live our lives.

Banks, retailers and even the National Health Service place a premium on what’s known as ‘data capture’ – gathering as much information as they can in order to tailor their goods and services around who we are and what we do.

Companies know the commercial value of such material. They believe that if they know more about our habits, they stand a better chance of selling us their products.

The NHS has even outlined plans to issue us with our own unique barcodes to make treatment more specific and reduce the possibility of mistakes being made in how we’re all cared for.

However, we shouldn’t forget how important data – our personal details – are to us too.

We’ve been reminded of that fact by a series of failures in the way that those details are managed.

Only a fortnight after millions of subscribers to a website helping individuals conduct illicit affairs found their private information posted on the internet, information about nearly 800 patients of a London sexual health clinic run by the NHS has been circulated in a newsletter.

An undisclosed number of those people whose names were included in the e-mail circular had tested positive for HIV. The 56 Dean Street clinic in Soho has put the leak down to “human error”.

Unsurprisingly, the data breach has caused considerable anger and distress among patients and the authorities, with the Health Secretary, Jeremy Hunt, describing it as “completely unacceptable”.

The issue overshadowed another lapse of data security which emerged earlier the same day and featured one of the country’s biggest retail brands. A fault with an online “contact us” form on the website of WHSmith meant some customers’ details were sent in error to other users.

Whether health or e-commerce, organisations have a legal responsibility to protect the information relating to those with whom they deal.

Both of these new matters appear to constitute prima facie cases of data misuse. Where that data comprises very sensitive information, such as that relating to someone’s sexual health, a failure to put rigorous systems in place to safeguard privacy is even more serious.


The London clinic at the centre of the latest breach has insisted that not all of those patients whose names featured on the e-mail newsletter were HIV positive.

Even so, those people will doubtless still be dealing with the personal consequences of news reports interpreted as suggesting that everyone on the list may have the condition.

The Information Commissioner’s Office is already reported to have launched an investigation. It has the power to levy fines of up to £500,000 for significant data breaches.

Regardless of such an official inquiry, many of the individuals affected may well be considering whether to take legal action against the NHS under the Data Protection Act or privacy law. 

Having handled many claims under the Act and privacy law before, including cases involving the NHS and retail companies, I’m well aware of the complexities of such an action and the responsibilities which those alleged to have breached the legislation have.

Whilst the director of the 56 Dean Street clinic has been apologetic and pledged to “put things right”, I would not be surprised if a number of his patients feel that only by resorting to law can they reinforce their right to the kind of protection to which they are entitled.