ICO (UK) - United Lincolnshire Teaching Hospitals NHS Trust
| ICO - United Lincolnshire Teaching Hospitals NHS Trust | |
|---|---|
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 12(3) UK GDPR, Article 15 UK GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 13.12.2024 |
| Published: | 19.12.2024 |
| Fine: | n/a |
| Parties: | United Lincolnshire Teaching Hospitals NHS Trust |
| National Case Number/Name: | United Lincolnshire Teaching Hospitals NHS Trust |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | ICO (in EN) |
| Initial Contributor: | ao |
The DPA issued a reprimand to a hospital trust for failing to adequately track data access requests and for not responding to approximately 32% of those requests in due time.
English Summary
Facts
The United Lincolnshire Teaching Hospitals NHS Trust is an organisational unit within the National Health Service in the UK. The UK DPA (the Information Commissioner's Office, ICO) opened an ex officio investigation into the trust, the controller in this case.
During the investigation, the controller confirmed that between 1 March 2021 and 31 March 2022 it had failed to respond to 32% of access requests within the statutory timeframe of one month; it told the ICO that it had responded to approximately 68% of access requests within one month. However, the controller noted that its system for logging access requests was deficient and that the accuracy of the figures provided to the ICO could not be guaranteed. In particular, the controller could not say how many access requests were still unanswered.
The controller detailed that its access request management system had not been fit for purpose and that it had changed to a different improved system in 2024.
Holding
The ICO issued a reprimand to the controller because it was unable to demonstrate compliance with Article 12(3) UK GDPR, Article 15(1) UK GDPR and Article 15(3) UK GDPR between 1 March 2021 and 31 March 2022.
The ICO stated that the controller had infringed Article 12(3) UK GDPR because it could not determine the number of access requests to which the extended statutory timeframe of three months applied. It further breached Article 12(3) UK GDPR because it could not determine how many access requests remained in its backlog.
The controller had also breached Article 15(1) UK GDPR and Article 15(3) UK GDPR by failing to respond to access requests and to provide copies of the personal data requested.
The ICO welcomed the implementation of a new system with adequate tracking of incoming access requests. It noted that although the controller still had a significant backlog of access requests, the backlog was improving.
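A minimal SAR register that records what the Trust's old case management system could not, as an added example (not code from the ICO or the Trust): the one-calendar-month deadline from receipt, whether an Article 12(3) extension was notified in time, the exclusion of requests for deceased individuals' records (Recital 27), and the resulting on-time rate and backlog. The day-clamping rule for month arithmetic and the sample register are assumptions made for this example.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

def add_months(d: date, n: int) -> date:
    """Same day-of-month n months later, clamped to the month's last day
    (31 Jan + 1 month -> 28/29 Feb). The clamping rule is an assumption."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

@dataclass
class SAR:
    ref: str
    received: date
    responded: Optional[date] = None
    extension_notified: Optional[date] = None  # date the subject was told of an extension
    deceased_subject: bool = False             # Recital 27: outside UK GDPR scope

    def deadline(self) -> date:
        one_month = add_months(self.received, 1)
        # Art. 12(3): two further months only if the notice went out within the first month
        if self.extension_notified and self.extension_notified <= one_month:
            return add_months(self.received, 3)
        return one_month

def report(sars, as_of: date) -> dict:
    """Compliance figures a controller must be able to produce for a period."""
    in_scope = [s for s in sars if not s.deceased_subject]
    closed = [s for s in in_scope if s.responded]
    on_time = [s for s in closed if s.responded <= s.deadline()]
    backlog = [s for s in in_scope if not s.responded]
    overdue = [s for s in backlog if as_of > s.deadline()]
    extended = [s for s in in_scope if s.deadline() != add_months(s.received, 1)]
    return {"in_scope": len(in_scope), "excluded_deceased": len(sars) - len(in_scope),
            "closed": len(closed), "extended": len(extended), "backlog": len(backlog),
            "overdue_backlog": len(overdue),
            "on_time_pct": round(100 * len(on_time) / len(closed)) if closed else None}

# Constructed sample register (not real Trust data)
SAMPLE = [
    SAR("S1", date(2021, 3, 1), responded=date(2021, 3, 25)),
    SAR("S2", date(2021, 3, 31), responded=date(2021, 5, 5)),   # due 30 Apr: late
    SAR("S3", date(2021, 4, 10), responded=date(2021, 6, 20), extension_notified=date(2021, 5, 3)),
    SAR("S4", date(2021, 4, 12), responded=date(2021, 6, 1), extension_notified=date(2021, 5, 20)),
    SAR("S5", date(2021, 5, 20)),                                 # still open
    SAR("S6", date(2021, 6, 15), responded=date(2021, 6, 30), deceased_subject=True),
]

if __name__ == "__main__":
    print(report(SAMPLE, as_of=date(2021, 7, 1)))
```

S4's extension notice arrived after the first month, so its deadline stays at one month and the response counts as late; S3's notice was in time, so its three-month deadline applies.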
Text of the Decision
The decision below is reproduced from the English original published by the ICO.
DATA PROTECTION ACT 2018 AND UK GENERAL DATA PROTECTION REGULATION

REPRIMAND

TO: United Lincolnshire Teaching Hospitals NHS Trust
OF: Trust Headquarters, Lincoln County Hospital, Greetwell Road, Lincoln, LN2 5QY

1. The Reprimand

1.1 The Information Commissioner (the “Commissioner”) issues a reprimand to United Lincolnshire Teaching Hospitals NHS Trust (the “Trust”) in accordance with Article 58(2)(b) of the UK General Data Protection Regulation (UK GDPR) in respect of certain infringements of the UK GDPR.

1.2 The Commissioner decided to issue a reprimand to the Trust in respect of the following infringements (the “Infringements”) of the UK GDPR:

i. Article 12(3) UK GDPR which states: “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.”

ii. Article 15(1) UK GDPR which states: “the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data” and the information described in Article 15(1)(a)-(h).

iii. Article 15(3) UK GDPR which states: “the controller shall provide a copy of the personal data undergoing processing”.

1.3 The Trust confirmed that during the period between 01 March 2021 to 31 March 2022 (the “relevant period”), it had failed to respond to 32% of Subject Access Requests (“SARs”) within the statutory timeframe of one calendar month, thereby infringing Articles 12(3), 15(1) and 15(3) of the UK GDPR.

2. Background

2.1 The Trust is one of the biggest acute hospital trusts in England. The Trust has three main hospitals serving a population of around 769,474 people a year [1]. The Trust provides acute and specialist services to people in Lincolnshire and neighbouring counties and primarily operates from four hospital sites in Lincoln, Boston, Grantham and Louth. It has an annual income of £740 million [2] and approximately 9,136 employees [3].

2.2 During the investigation, the Trust outlined its processes and procedures for logging and managing SARs. It provided internal policy and guidance documents relating to the management of SARs.

2.3 In addition, the ICO undertook a voluntary audit of the Trust between 29 November 2021 to 15 December 2021 and a follow-up audit in June 2023 which focused on the Trust’s compliance with the Governance and Accountability and Data Sharing requirements of the UK GDPR and the Data Protection Act 2018 (the “DPA 2018”).

3. The Commissioner’s Findings

Article 12(3), Article 15(1) and Article 15(3)

3.1 The Trust informed the Commissioner that during the relevant period, it had responded to approximately 68% of incoming SARs within the one-month statutory timeframe.

3.2 The Commissioner also considered further information provided by the Trust during the investigation regarding deficiencies with its system for logging and managing SARs.

3.3 For the relevant period and throughout the investigation, the Trust stated that there were issues with the quality of data it had provided to the Commissioner and it could not guarantee the accuracy of its quantitative data.

3.4 Of most concern for the relevant period was that the Trust was unable to accurately account for the number of SARs in its backlog. However, the Trust acknowledged that it had a large number of outstanding SARs that were over one month old.

3.5 The Trust was unable to accurately demonstrate its compliance with the requirements of Article 12(3), Article 15(1) and Article 15(3) UK GDPR. In particular, the Commissioner noted that:

i. For the relevant period, the Trust was unable to confirm the number of SARs to which the extended statutory timeframe of three months applied in accordance with Article 12(3) UK GDPR. In addition, the Trust was also unable to confirm how many SARs had been responded to within this extended statutory timeframe. The Trust confirmed in its responses dated 29 April 2021 and 15 September 2022 that its inability to provide this information was because the Trust’s case management system did not have the functionality to record this information.

ii. In a response dated 18 November 2022, the Trust advised that the quantitative data it had previously provided in respect of the relevant period was inaccurate because it included requests for deceased individuals’ records. Recital 27 UK GDPR confirms that the UK GDPR does not apply to the personal data of deceased persons. Accordingly, such requests are not subject to the requirements of Article 15 UK GDPR and should not have been included in the quantitative data provided to the Commissioner.

iii. In the same response dated 18 November 2022, the Trust confirmed that its previous case management system had not been fit for purpose and had regularly failed, leading to issues with the quality of the data. The Trust confirmed that it had migrated to a new case management system between May 2022 to November 2022 but further work was required to ensure that the system could provide the performance data required. The Trust stated that although the accuracy of its quantitative data had been improving, the accuracy of the SARs data provided to the Commissioner in respect of the relevant period could not be guaranteed.

iv. The Commissioner asked the Trust to provide fresh quantitative data for two further compliance periods, from 01 December 2021 to 30 November 2022 and 1 April 2023 to 31 March 2024. The Trust advised that there were still issues with its data quality and that whilst it had been as accurate as possible, it could not guarantee the quality of all the data disclosed and it was aware of a number of ongoing issues.

v. In its final response dated 18 April 2024, the Trust confirmed that it had concluded the procurement of a new solution in March 2024 to support the management of the Trust’s Records of processing activities (the “ROPA”) and provide a bespoke SAR case management system.

vi. The Commissioner notes the Trust’s acknowledgement that a lack of oversight and the resource provision for processing SARs had not been addressed for several years. Notably, during the relevant period the Trust was still working primarily with paper records and this presented a significant challenge for the Trust when processing SARs. Handling paper records and preparing them for disclosure was a time-consuming process and placed a heavy burden on staff resource.

vii. This lack of oversight and resource was compounded by the Covid-19 pandemic which led to resource prioritising and redeployment of clinicians and difficulties in physically retrieving the Trust’s records.

5. Remedial steps taken by the Trust

5.1 The Commissioner has considered and welcomes the remedial steps taken by the Trust to address its SAR compliance and the backlog of SARs. In particular, the development of an Information Asset Management Strategy (IAMS) and the procurement of a bespoke system to support the management of the ROPA which meets the requirements of the NHS England Asset Register and provides better oversight of requests via the SARs module.

5.2 The Commissioner also notes that: the Access to Records Policy has been updated; formal staff training has been provided on SARs; and additional staff have been recruited on a temporary basis.

5.3 The Trust are planning to digitise patient records in accordance with NHS England’s Plan for Digital Health and Social Care [4] which aims for all integrated care systems and their NHS Trusts to have core digital capabilities, including electronic health records, in place by March 2025. However, the Commissioner recognises that this will be a significant undertaking for the Trust.

5.4 Whilst the Trust continues to have a backlog of SAR cases, as a result of the above remedial steps, the Commissioner notes that the backlog of SAR cases is improving.

6. Decision to issue a reprimand

6.1 Taking into account all the circumstances of this case, including the remedial steps identified above, the Commissioner has decided to issue a reprimand to the Trust in relation to the Infringements of Articles 12(3), 15(1) and 15(3) of the UK GDPR as set out above.

6.2 The Trust were invited to provide representations. On 11 December 2024 the Trust notified the ICO that it did not intend to make any representations.

7. Further Action Recommended

7.1 The Commissioner has set out below certain recommendations which may assist the Trust in rectifying the infringements outlined in this reprimand and ensuring the Trust’s future compliance with the UK GDPR. Please note that these recommendations do not form part of the reprimand and are not legally binding directions. As such, any decision by the Trust to follow these recommendations is voluntary and a commercial decision for the Trust. For the avoidance of doubt, the Trust is of course required to comply with its obligations under the law.

7.2 If in the future the ICO has grounds to suspect that the Trust is not complying with data protection law, any failure by the Trust to rectify the infringements set out in this reprimand (which could be done by following the Commissioner’s recommendations or taking alternative appropriate steps) may be taken into account as an aggravating factor in deciding whether to take enforcement action - see page 11 of the Regulatory Action Policy (ico.org.uk) and Article 83(2)(i) of the UK GDPR.

7.3 The Commissioner recommends that the Trust should consider the following steps to improve its compliance with UK GDPR:

(i) Adhere to the IAMS.
(ii) Complete and maintain the ROPA to ensure that it is consistent with the requirements of Articles 30(1) and 30(2) UK GDPR.
(iii) Respond to all outstanding SARs in the backlog in line with Articles 12(3), 15(1) and 15(3) UK GDPR.
(iv) Respond to SARs within the relevant statutory deadlines to ensure compliance with Article 12(3), 15(1) and 15(3) UK GDPR.
(v) Continue to monitor SAR compliance, ensuring the appropriate oversight by senior management.
(vi) Ensure that it has adequate staff resources and training in place to process and respond to SARs, in line with Articles 12(3), 15(1) and 15(3) UK GDPR.
(vii) Consider any additional improvements that can be made to the SARs handling process.

Dated 13 December 2024

Notes
[1] Annual Report and Accounts for the year ended 31 March 2024, p. 8
[2] Annual Report and Accounts for the year ended 31 March 2024, p. 9
[3] Annual Report and Accounts for the year ended 31 March 2024, p. 70
[4] A plan for digital health and social care - GOV.UK