This is another case that demonstrates the importance of getting SARs right. The issues faced by this particular GP surgery highlight similarities with what schools have to contend with when dealing with SARs.
By way of reminder, individuals (including parents, pupils and staff) have a right to a copy of any information that a school holds about them (subject to a number of exemptions). This right is known as a subject access request (SAR).
The surgery, under pressure from the estranged partner of a female patient, released personal data about their son to him. The 62-page bundle that was released included the woman's contact details as well as those of her parents and information about an older child to whom the estranged partner was not related. The bundle also included correspondence with social services and child protection reports. In this case, there had been explicit requests from the patient to take particular care to protect her details.
The ICO did not just hold one individual responsible, but identified the lack of proper procedure, guidance and training within the surgery as the real cause.
The ICO explained that the fine would have been greater if not for the fact that the partners were personally liable to pay the fine, as the surgery is a partnership. It is likely that other organisations (such as companies, charities and public bodies) would have been issued with a much larger fine in the circumstances. The ICO has the power to fine up to £500,000.
Disclose too little and schools could end up breaching the requester's rights to their information; disclose too much and the school risks infringing the rights of third parties.
This is a particular problem for schools because much of the information they hold will be mixed in the sense that it will be about a number of different individuals. For example, a record of a safeguarding concern might contain personal data about a pupil, mother, father and possibly also members of staff.
If the father makes a SAR for the data, then the school will have to carefully balance the father's right to the personal data against protecting the rights of the pupil, the mother and possibly staff as well.
In the case of the GP surgery, the ICO found that staff had not been given sufficient guidance and supervision. This demonstrates the importance of ensuring that those individuals who deal with these requests are given sufficient training on the issues. In the school setting, this will likely include giving those staff responsible for SARs guidance on: