{{DPAdecisionBOX
|Jurisdiction=United Kingdom
|DPA-BG-Color=background-color:#023868;
|DPAlogo=LogoUK.png
|DPA_Abbrevation=ICO
|DPA_With_Country=ICO (UK)
|Case_Number_Name=Staines Health Group
|ECLI=
|Original_Source_Name_1=ICO
|Original_Source_Link_1=https://ico.org.uk/media2/ydzp0vgm/20251216-staines-health-group-reprimand.pdf
|Original_Source_Language_1=English
|Original_Source_Language__Code_1=EN
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=
|Date_Decided=16.12.2025
|Date_Published=
|Year=2025
|Fine=
|Currency=
|GDPR_Article_1=
|GDPR_Article_Link_1=
|GDPR_Article_2=
|GDPR_Article_Link_2=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=Article 32 UK GDPR
|National_Law_Link_1=
|National_Law_Name_2=Article 33 UK GDPR
|National_Law_Link_2=
|National_Law_Name_3=Article 5(1)(c) UK GDPR
|National_Law_Link_3=
|National_Law_Name_4=Article 5(1)(f) UK GDPR
|National_Law_Link_4=
|National_Law_Name_5=
|National_Law_Link_5=
|National_Law_Name_6=
|National_Law_Link_6=
|Party_Name_1=Staines Health Group
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Initial_Contributor=
|
}}
The DPA reprimanded a GP practice that sent 23 years’ worth of a patient’s medical records directly to the patient’s insurer, although only five years of records had been requested and the records were to be sent to the patient for review first. The DPA also found that the practice had failed to ensure the security of processing and had notified the breach 26 days after becoming aware of it, well outside the 72-hour deadline.
== English Summary ==
=== Facts ===
Staines Health Group (the controller) is a General Practitioner clinic.
A patient (the data subject) had made a serious illness claim with their insurer (Vitality). The insurer, on behalf of the data subject, asked the controller for the data subject’s medical records covering a five-year period, with the records to be sent to the data subject for review before being forwarded to the insurer.
Instead, the controller emailed 23 years of the data subject’s medical records directly to the insurer. The data subject raised a concern with the controller on 4 July 2024; the controller notified the DPA on 30 July 2024.
=== Holding ===
The DPA found that the controller infringed Article 5(1)(c) UK GDPR, Article 5(1)(f) UK GDPR, Article 32 UK GDPR and Article 33 UK GDPR and issued a reprimand.
Firstly, the DPA noted that the controller shared personal data that were not adequate, relevant and limited to what was necessary in breach of Article 5(1)(c) UK GDPR. Specifically, the DPA found that the controller transmitted the medical records of the past 23 years to the data subject’s insurer even though the request of the data subject referred only to the medical records of the last 5 years.
Moreover, the DPA found that the controller did not ensure appropriate security of processing, in breach of Article 5(1)(f) UK GDPR and Article 32 UK GDPR. At the time of the disclosure there was no written procedure for handling insurance requests, no safeguard such as a peer review or sign-off step, no refresher training on the topic, and an information governance policy that had not been reviewed since its April 2021 review date. The DPA also noted that the disclosure email was stored in a password-protected zip file and that the password had not been recorded in the practice’s shared password spreadsheet before the responsible staff member went on leave; with no contingency for accessing such files, the internal investigation and the notification were delayed.
Finally, the controller became aware of the breach on 4 July 2024, when the data subject wrote to it, but only notified the DPA on 30 July 2024, well after the 72-hour deadline, in violation of Article 33 UK GDPR. The DPA considered the infringements of Articles 5(1)(c), 5(1)(f) and 32 UK GDPR remedied by 17 February 2025, by which time the controller had introduced written guidance and a sign-off checklist for insurance requests as well as additional staff training.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below reproduces the English original. Please refer to the original PDF linked above for the authoritative text.
<pre>
REPRIMAND
Staines Health Group
Reprimand concerning infringements of
Articles 5(1)(c), 5(1)(f), 32, 33 UK GDPR
16 DECEMBER 2025
NON-CONFIDENTIAL – FOR PUBLICATION
Contents
I. INTRODUCTION AND SUMMARY
II. RELEVANT LEGAL FRAMEWORK
III. BACKGROUND TO THE INFRINGEMENTS
A. Wider context to the Infringements
B. The report by Staines Health Group
C. Damage and distress caused to the Data Subject
D. Staines Health Group’s relevant procedures, policies and guidance
IV. THE COMMISSIONER’S FINDINGS OF THE INFRINGEMENT
A. Controllership and jurisdiction
B. Nature of the personal data and context of the processing
C. The infringements
V. REPRESENTATIONS
UK GENERAL DATA PROTECTION REGULATION
CORRECTIVE POWERS OF THE INFORMATION COMMISSIONER
REPRIMAND
DATED: 16 December 2025
To: Staines Health Group
Of: Staines Health Centre, Knowle Green, Staines, Middlesex,
TW18 1XD
I. INTRODUCTION AND SUMMARY
1. Staines Health Group operates as an NHS GP Surgery that offers a
full range of NHS GP services including general healthcare services,
antenatal and postnatal care, chronic disease management, family
planning, vaccinations and minor surgical procedures.[1] It is
registered with the ICO with the registration number of Z7675705.
2. This notice explains the reasons why the Commissioner is issuing
a reprimand (the “Reprimand”).
3. This Reprimand relates to the unauthorised disclosure of 23 years
of a patient’s (the “Data Subject”) medical records to their
insurer when only the last five years’ worth of medical records were
requested.
[1] Services – Staines Health Group
4. Pursuant to Article 58(2)(b) UK General Data Protection Regulation
(“UK GDPR”),[2] the Information Commissioner (the
“Commissioner”) issues Staines Health Group with the
Reprimand.
5. The Commissioner finds that between 29 May 2024[3] and 30 July
2024,[4] Staines Health Group infringed Articles 5(1)(c), 5(1)(f), 32
and 33 of the UK GDPR (the “Infringements”) for the reasons set
out in this Reprimand. In summary:
a. The Infringements relate to the processing of personal data by
Staines Health Group that took place when the Data Subject
required their medical history to be sent to their insurer (Vitality)
by Staines Health Group.
b. The Infringement of Article 5(1)(c) UK GDPR occurred because the
data that was shared with Vitality was not adequate, relevant and
limited to what is necessary in relation to the purposes for which it
was processed.
c. The Infringements of Article 5(1)(f) and Article 32 UK GDPR
occurred because the processing was not carried out in a manner
that ensured appropriate security of the personal data of the Data
Subject using appropriate technical and organisational measures
as required by Articles 5(1)(f) and 32 UK GDPR.
d. The Infringement of Article 33 UK GDPR occurred as Staines Health
Group became aware of a potential data breach when the Data
Subject contacted them on 4 July 2024. The Commissioner was not
made aware of the breach, which was likely to result in a risk to the
rights and freedoms of the Data Subject, until 30 July 2024, more
than 72 hours after Staines Health Group had become aware of the
incident.
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data, as
it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the
European Union (Withdrawal) Act 2018. For the period 25 May 2018 to 31 December 2020, references in this
Penalty Notice to the UK GDPR should be read as references to the GDPR (Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to
the processing of personal data and on the free movement of such data) as it applied in the UK during that
period.
[3] 29 May 2024 – Date that the email with the Data Subject’s full medical record was sent to Vitality
Insurance
[4] 30 July 2024 – Date that Staines Health Group reported the breach to the Commissioner
6. When considering whether it would be appropriate to impose a
reprimand in this case, the Commissioner has had regard to the
Regulatory Action Policy and the ICO’s Fining Guidance.[6]
7. Staines Health Group were invited to provide representations.
Staines Health Group failed to provide any representations.
[6] Data Protection Fining Guidance | ICO
II. RELEVANT LEGAL FRAMEWORK
8. Under Article 58(2)(b), the Commissioner has the power “to issue
reprimands to a controller or a processor where processing
operations have infringed provisions of this Regulation”.
9. Chapter II of the UK GDPR sets out the principles relating to the
processing of personal data that controllers must comply with.
Article 5(1) UK GDPR lists these principles and at subsection (c)
includes the requirement that “personal data shall be adequate,
relevant and limited to what is necessary in relation to the purposes
for which they are processed”. This is referred to in the UK GDPR
as the “data minimisation” principle.
10. At subsection (f) the principles include the requirement that
“personal data shall be processed in a manner that ensures
appropriate security of the personal data, including protection
against unauthorised or unlawful processing and against accidental
loss, destruction or damage, using appropriate technical or
organisational measures”.
This is referred to as the “integrity and confidentiality” principle.
11. Article 32 UK GDPR (security of processing) materially provides:
“(1) Taking into account the state of the art, the costs of
implementation and the nature, scope, context and purposes of
processing as well as the risk of varying likelihood and severity for
the rights and freedoms of natural persons, the controller and the
processor shall implement appropriate technical and organisational
measures to ensure a level of security appropriate to the risk…
(2) In assessing the appropriate level of security account shall be
taken in particular of the risks that are presented by processing, in
particular from … unauthorised disclosure of … personal data
transmitted, stored or otherwise processed.”
12. Article 33 UK GDPR (notification of a personal data breach to the
supervisory authority) materially provides:
“In the case of a personal data breach, the controller shall without
undue delay and, where feasible, not later than 72 hours after
having become aware of it, notify the personal data breach to the
Commissioner, unless the personal data breach is unlikely to result
in a risk to the rights and freedoms of natural persons. Where the
notification under this paragraph is not made within 72 hours, it
shall be accompanied by reasons for the delay.”
III. BACKGROUND TO THE INFRINGEMENTS
13. This section summarises the relevant background to the findings of
the infringement. It does not seek to provide an exhaustive
account of all the details of the events that have led to the decision
to issue this Reprimand.
A. Wider context to the Infringements
14. On 29 April 2024, Staines Health Group received a request from
Vitality on behalf of the Data Subject, stating that the Data Subject
required Staines Health Group to send their medical history to
Vitality Insurance (their insurer). The request was to cover certain
dates for a five-year period. This was regarding a serious illness
claim for a terminal diagnosis that the Data Subject had received.
The request also stated that the medical records be sent to the
Data Subject first to review, before they were then sent on to
Vitality.
15. Instead of five years of medical records being sent to the Data
Subject to review before they were sent to Vitality, Staines Health
Group sent 23 years of medical records directly to Vitality. The
Data Subject has stated that they have had a reduction in the
payout of their claim as a result.
16. Staines Health Group has informed the Commissioner that the
timeline of events was as follows:
a. On 29 April 2024 Staines Health Group received a request from
Vitality on behalf of the Data Subject requesting the Data Subject’s
records for a five-year period.
b. On 29 May 2024, Staines Health Group sent an email with the Data
Subject’s medical records covering a period of 23 years directly to
Vitality (the “Disclosure Email”).
c. On 4 July 2024, Staines Health Group received a letter from the
Data Subject raising a concern about the records that had been
shared.
d. On 8 July 2024 Staines Health Group contacted the Data Subject
to inform them that the letter had been received, and they were
looking into the concern.
e. On 12 July 2024, the Data Subject attended an appointment to
discuss their concerns with a GP.
f. On 23 July 2024, the Data Subject confirmed with Staines Health
Group the extent of the information that had been sent to Vitality
in the Disclosure Email.
g. On 29 July 2024, Staines Health Group discussed the incident with
partners.
h. On 30 July 2024, Staines Health Group reported the breach to the
Commissioner.
17. Staines Health Group has informed the Commissioner that the
delay in reporting the breach occurred because the Disclosure
Email, which was sent to Vitality, was stored in a password
protected zip file on a central system. Members of staff are
expected to record passwords onto a central Excel database that
can be accessed by other members of staff if required, for
example if a member of staff goes on annual leave. In this
instance, the member of staff involved failed to record the
password on the Excel database prior to going on annual leave,
which led to a delay in the internal investigation taking place, and
subsequently a delay in the reporting of this incident to the
Commissioner.
B. The report by Staines Health Group
18. On 30 July 2024 at 14:23, Staines Health Group formally reported
a personal data breach by completing the Commissioner’s ‘Report
a data breach’ online form. Staines Health Group reported that an
insurance company (Vitality) had requested medical information on
behalf of the Data Subject between certain dates. Vitality’s request
included a permission form signed by the Data Subject, which
asked for the medical records to be sent to the Data Subject for a
review before being sent to Vitality.
19. The report stated that the records were not sent to the Data
Subject for review and that the member of staff sent the full
medical record to Vitality. It then states that after review Vitality
will not pay out the full amount to the Data Subject as they have
seen all the medical records.
20. The report stated that the member of staff had completed
appropriate training prior to the incident, and that a system was in
place for insurance requests.
21. Remedial measures had been undertaken including the completion
of a significant event form and a discussion with the employee,
with the possibility of disciplinary action. A procedure for requests
to be reviewed and understood was also undertaken. Staines
Health Group stated that further training would be put in place for
all staff.[7]
[7] Staines Health Group breach report dated 30 July 2024
C. Damage and distress caused to the Data Subject
22. The Commissioner received a complaint from the Data Subject on
30 July 2024. The Commissioner considers that the distress caused
to the Data Subject is serious. The factors that the Commissioner
has taken into account in arriving at this conclusion are:
a. The Data Subject’s terminal diagnosis, which has rendered it all the
more necessary to treat their medical data with care; and
b. The Data Subject stated to the Commissioner that they have
suffered considerable financial harm as a direct result of this
breach.[8]
[8] Complaint received from the Data Subject to the ICO on 30 July 2024
D. Staines Health Group’s relevant procedures, policies and
guidance
Organisational measures in place prior to the Disclosure Email
23. During his investigation, the Commissioner asked for information
about Staines Health Group’s policies, procedures or guidance in
place at the time in relation to handling medical records requests
from insurance companies.
24. The Commissioner understands that the member of staff
responsible for the incident had received information governance
training on the 11 and 12 March 2024, prior to the incident taking
place. The training is outsourced and delivered by a company called
Practice Index Ltd, who provide bespoke training courses designed
specifically for GP Practice staff.
25. The Commissioner understands that the member of staff
responsible for the incident received training around processing
insurance requests when they first joined the organisation in April
2022 but received no further training or refresher training in this
topic before the incident took place.
26. The Commissioner also understands that at the time of the
incident, there was no written process for staff to fall back on with
regards to processing insurance requests. This led to staff being
required to memorise a process that, as in this instance, they were
shown around two years prior.
27. The data was also inaccessible to staff due to password protections
that were placed on the Excel document. This was due to a member
of staff being on leave. At the time of the incident there were no
contingencies as to how to deal with this. This then caused a delay
in reporting the incident to the Commissioner, as well as delaying
the progress of Staines Health Group’s internal investigation.
28. A copy of Staines Health Group’s information governance policy
was sent to the Commissioner. This policy was created on 28
August 2020 and was due to be reviewed on 1 April 2021. Staines
Health Group confirmed that this review did not take place.[9]
[9] Email response from Staines Health Group to the ICO dated 17 February 2025
Organisational measures introduced following the Disclosure Email
29. On 6 August 2024, Staines Health Group completed a Significant
Event Report, which aimed to establish the root cause of the
Disclosure Email and what lessons could be learned from the
incident.
30. Staines Health Group told the Commissioner via correspondence
dated 17 February 2025 that it now rarely used passwords in
insurance claim cases like this.[10] The Commissioner would often
consider the use of passwords to be a means of enhancing data
security, however, in situations such as this where more than one
member of staff is likely to work on the same document, the use
of passwords has potential to cause delays in the handling of data
subjects’ requests for access to their personal information or in
establishing the root cause of a data breach.
[10] Email response from Staines Health Group to the ICO dated 17 February 2025
31. Staines Health Group drafted a written document that staff can
follow when handling insurance requests.
32. As well as implementing the above measures, Staines Health Group
have made the following changes to their procedure for handling
insurance provider requests:
a. A new column has been added to the working spreadsheet that
notes where patients require sight of their medical records before
they are sent to their insurance company.
b. Additional training was provided to all staff by the Surrey
Heartlands Information Governance Team on 8 October. A patient
confidentiality agreement was sent to all staff and then discussed
in this training.
c. The member of staff responsible for the incident was given a
warning and placed under supervision for a period of six months.
d. The process for handling insurance provider requests has been
amended to include a sign off sheet, which enables staff handling
such requests to ensure the correct steps are followed as set out
in the checklist provided by the sign off sheet.
IV. THE COMMISSIONER’S FINDINGS OF THE INFRINGEMENT
A. Controllership and jurisdiction
33. The UK GDPR applied to the Relevant Processing by virtue of Article
3(1) UK GDPR. The processing took place in the context of the
activities of a controller established in the UK, and none of the
exceptions in Article 2 UK GDPR applied.
34. Staines Health Group was the controller in respect of the
processing. Staines Health Group determined its purpose and
means within the meaning of Article 4(7) UK GDPR and section 6
Data Protection Act 2018 (“DPA”).
35. As the controller of the personal data of the Data Subject and
pursuant to Articles 5(1)(f) and 32 UK GDPR, Staines Health Group
was responsible for implementing appropriate technical and
organisational measures to ensure and to be able to demonstrate
that the processing operations were performed in accordance with
the UK GDPR.
B. Nature of the personal data and context of the processing
36. The nature of the personal data in this incident was health data of
the Data Subject who had requested their medical records. Health
data is special category data as defined in Article 9(1) UK GDPR.[11]
37. The Commissioner acknowledges that as a medical provider,
Staines Health Group is required to process medical data on behalf
of its patients and that this may necessarily include processing
insurance requests on behalf of these patients. In the context of
such an insurance request in the present case, although the Data
Subject consented to their special category data being shared with
Vitality,[12] they did not consent to 23 years’ worth of data being
shared.
[11] What is special category data? | ICO
[12] …mber 2024 from Staines Health Group including supporting documentation from affected data subject
C. The infringements
38. The fact that an unauthorised disclosure took place is not, in and
of itself, sufficient to find that Staines Health Group has infringed
Articles 5(1)(c), 5(1)(f), 32, and 33 UK GDPR.
39. In order to assess Staines Health Group’s compliance with Article
5(1)(c), the Commissioner has considered whether Staines Health
Group ensured data was adequate, relevant and limited to what
was necessary in relation to the purposes for which they were
processed.
40. In order to assess Staines Health Group’s compliance with Articles
5(1)(f) and 32 UK GDPR, the Commissioner must necessarily
exercise his judgement, as regulator, as to whether Staines Health
Group ensured “appropriate” security, and whether “appropriate”
technical and organisational measures were in place (taking into
account “the state of the art, the costs of implementation and the
nature, scope, context and purposes of processing as well as the
risk of varying likelihood and severity for the rights and freedoms
of natural persons”).
41. In order to assess Staines Health Group’s compliance with Article
33 UK GDPR, the Commissioner has considered whether Staines
Health Group notified the Commissioner without undue delay, and
where feasible, not later than 72 hours after having become aware
of it, of the relevant personal data breach.
42. For the reasons set out below, the Commissioner’s view is that
Staines Health Group has infringed Articles 5(1)(c), 5(1)(f), 32(1)
and (2), and 33 UK GDPR.
Adequate, relevant and limited to what is necessary
43. In assessing whether Staines Health Group processed personal
data in a way that ensured it was “adequate, relevant and limited
to what is necessary in relation to the purposes for which they are
processed” under Article 5(1)(c) UK GDPR, the Commissioner has
considered that the Data Subject was requesting access to their
medical records for the purposes of making a serious illness
claim against their insurance policy with Vitality. The Data Subject
requested that five years of medical records be sent directly to
them to be reviewed, before being sent across to Vitality for the
purpose of assessing their claim. The Data Subject had spoken to
Vitality and medical records between 2006 and 2011 were
requested by Vitality from Staines Health Group.
44. Contrary to the Data Subject’s request, Staines Health Group sent
23 years of medical records directly to Vitality, without first sending
these to the Data Subject to review. This vastly exceeded the
amount of the Data Subject’s personal data which was necessary
in order to comply with their request and which was required by
Vitality for the purposes of assessing the Data Subject’s insurance
claim. The Commissioner consequently considers this to be an
infringement of Article 5(1)(c) UK GDPR.
45. The Commissioner has also taken into account that at the time of
the incident, there was no written guidance available for staff
outlining the appropriate process for handling insurance requests
from patients and including safeguards, such as a peer review
process, which would have reduced the likelihood of processing the
Data Subject’s personal data inconsistently with their request. The
Commissioner considers that this contributed to Staines Health
Group’s infringement of Article 5(1)(c).
Appropriate security of the personal data
46. In assessing whether Staines Health Group processed personal
data in a manner that ensured “appropriate security of the personal
data” under Article 5(1)(f) of UK GDPR (and, equivalently, the
“level of security appropriate to the risk” under Article 32 UK
GDPR), the Commissioner has considered the risk to the rights and
freedoms to the Data Subject in this incident.
47. In ensuring a level of security appropriate to the risk, Article 32(1)
UK GDPR requires a controller to take into account the likelihood
and severity of the risk to the rights and freedoms of data subjects.
48. The Commissioner considers that in this instance, appropriate
measures were not in place at the time of the incident to ensure
the security of the personal data. Due to a lack of written guidance
in place for staff, outlining the appropriate process for handling
insurance requests from patients and including safeguards, such
as a peer review process, which would have reduced the likelihood
of processing the Data Subject’s personal data inconsistently with
their request, the member of staff relied on their memory to
perform the insurance provider request. The Commissioner
acknowledges that since the incident, Staines Health Group has
introduced written guidance for staff, which includes a sign off
sheet that includes what has been requested by the insurance
provider.[13] However, this did not exist at the time of this incident,
and as a result there was no formal sign off structure or checklist
in place for staff. The Commissioner considers this to have been a
contributing factor to the breach, and as a result an infringement
of Articles 5(1)(f) and 32 UK GDPR.
[13] Email response from Staines Health Group to the ICO dated 24 October 2024
Notification of a personal data breach to the Commissioner
49. In assessing whether Staines Health Group notified the supervisory
authority no later than 72 hours after becoming aware of the
breach, the Commissioner has considered that Staines Health
Group became aware of the breach on 4 July 2024, when the letter
from the Data Subject was received. The Commissioner would
therefore anticipate that the breach would have been reported
within 72 hours of this date. However, the breach report arrived
with the Commissioner on 30 July 2024. Although an internal
investigation was taking place between those dates, Staines Health
Group were aware a breach had occurred on 4 July 2024. As a
result, the Commissioner considers that Staines Health Group
failed to notify his office within 72 hours of becoming aware of the
breach and consequently infringed Article 33 UK GDPR.
Assessment of compliance prior to the Disclosure Email
50. Pursuant to Article 5(2) UK GDPR, it is for Staines Health Group to
demonstrate compliance with Article 5(1)(c) and 5(1)(f). Article 24
UK GDPR also requires Staines Health Group to demonstrate
compliance with Articles 32(1) and (2).
51. Paragraphs 23 to 28 above detail the Commissioner’s findings of
fact in relation to Staines Health Group’s relevant procedures,
policies and guidance in place prior to the Disclosure Email.
52. The Commissioner finds that Staines Health Group breached
Articles 5(1)(c), 5(1)(f) and 32(1) UK GDPR, as there is sufficient
evidence to demonstrate that, despite the known risks to the rights
and freedoms of its patients, Staines Health Group failed to
implement appropriate technical and organisational measures to
ensure a level of security appropriate to that risk. Prior to the
Disclosure Email, Staines Health Group did not:
a. Have any documented policies, procedures or guidance in place to
assist members of staff with processing insurance requests.
b. Provide any refresher training to members of staff with regards to
processing insurance requests.
c. Have a contingency in place to be able to access password-
protected documents where more than one member of staff
required access to it.
d. Review and update the information governance policy as it should
have been on 1 April 2021.
53. The remedial measures that have been put in place since the
incident demonstrate that Staines Health Group acknowledges
there were issues with the policies and procedures it had in place
at the time of the incident, and has since sought to address those.
Assessment of compliance following the introduction of
organisational measures
54. Paragraphs 29 to 32 above set out the Commissioner’s findings in
relation to the procedures, policies, and guidance introduced by
Staines Health Group following the Disclosure Email.
55. The Commissioner finds that by 17 February 2025, Staines Health
Group had implemented appropriate measures to ensure an
appropriate level of security of the personal data subject to the
Relevant Processing. The Infringements of Articles 5(1)(c), 5(1)(f)
and 32 of UK GDPR were therefore remedied by that date.
V. REPRESENTATIONS
56. Staines Health Group were invited to provide representations.
Staines Health Group chose not to provide any representations.
Dated: 16 December 2025
Signed:
David Doodson
Interim Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
</pre>