ICO (UK) - United Lincolnshire Teaching Hospitals NHS Trust

From GDPRhub
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Article 12(3) UK GDPR
Article 15 UK GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.12.2024
Published: 19.12.2024
Fine: n/a
Parties: United Lincolnshire Teaching Hospitals NHS Trust
National Case Number/Name: United Lincolnshire Teaching Hospitals NHS Trust
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: ao

The DPA issued a reprimand to a hospital trust for failing to adequately track data access requests and for not responding to approximately 32% of those requests in due time.

English Summary

Facts

The United Lincolnshire Teaching Hospitals NHS Trust functions as an organisational unit within the National Health Service in the UK. The UK DPA (Information Commissioner – ICO) launched an ex-officio investigation against the NHS trust, here the controller.

During the investigation, the controller confirmed that between 1 March 2021 and 31 March 2022 it had failed to respond to 32% of access requests within the statutory timeframe of one month. It informed the ICO that it had responded to approximately 68% of access requests within one month. However, the controller noted that there were deficiencies in its system for logging access requests and that the accuracy of the figures provided to the ICO could not be guaranteed. In particular, the controller could not say how many access requests remained unanswered.

The controller detailed that its access request management system had not been fit for purpose and that it had changed to a different improved system in 2024.

Holding

The ICO issued a reprimand to the controller because it was unable to demonstrate compliance with Article 12(3) UK GDPR, Article 15(1) UK GDPR and Article 15(3) UK GDPR between 1 March 2021 and 31 March 2022.

The ICO stated that the controller had infringed Article 12(3) UK GDPR as it could not determine the number of access requests to which the extended statutory timeframe of three months applied. Further, it breached Article 12(3) UK GDPR as it could not determine how many access requests were still in its backlog.

The controller had also breached Article 15(1) UK GDPR and Article 15(3) UK GDPR by failing to respond to access requests and to provide copies of the personal data concerned.

The ICO welcomed the implementation of a new system with adequate functions for tracking incoming access requests. The ICO noted that although the controller still had a significant backlog of access requests, the backlog was improving.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

DATA PROTECTION ACT 2018 AND UK GENERAL DATA
PROTECTION REGULATION
REPRIMAND
TO: United Lincolnshire Teaching Hospitals NHS Trust
OF: Trust Headquarters, Lincoln County Hospital, Greetwell Road,
Lincoln, LN2 5QY
1. The Reprimand

1.1 The Information Commissioner (the “Commissioner”) issues a reprimand to United Lincolnshire Teaching Hospitals NHS Trust (the “Trust”) in accordance with Article 58(2)(b) of the UK General Data Protection Regulation (UK GDPR) in respect of certain infringements of the UK GDPR.

1.2 The Commissioner decided to issue a reprimand to the Trust in respect of the following infringements (the “Infringements”) of the UK GDPR:

i. Article 12(3) UK GDPR which states: “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.”

ii. Article 15(1) UK GDPR which states: “the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data” and the information described in Article 15(1)(a)-(h).

iii. Article 15(3) UK GDPR which states: “the controller shall provide a copy of the personal data undergoing processing”.

1.3 The Trust confirmed that during the period between 01 March 2021 to 31 March 2022 (the “relevant period”), it had failed to respond to 32% of Subject Access Requests (“SARs”) within the statutory timeframe of one calendar month thereby infringing Articles 12(3), 15(1) and 15(3) of the UK GDPR.
2. Background

2.1 The Trust is one of the biggest acute hospital trusts in England. The Trust has three main hospitals serving a population of around 769,474 people a year [1]. The Trust provides acute and specialist services to people in Lincolnshire and neighbouring counties and primarily operates from four hospital sites in Lincoln, Boston, Grantham and Louth. It has an annual income of £740 million [2] and approximately 9,136 employees [3].

[1] Annual Report and Accounts for the year ended 31 March 2024, p. 8
[2] Annual Report and Accounts for the year ended 31 March 2024, p. 9
[3] Annual Report and Accounts for the year ended 31 March 2024, p. 70

2.2 During the investigation, the Trust outlined its processes and procedures for logging and managing SARs. It provided internal policy and guidance documents relating to the management of SARs.

2.3 In addition, the ICO undertook a voluntary audit of the Trust between 29 November 2021 to 15 December 2021 and a follow-up audit in June 2023 which focused on the Trust’s compliance with the Governance and Accountability and Data Sharing requirements of the UK GDPR and the Data Protection Act 2018 (the “DPA 2018”).
3. The Commissioner’s Findings

Article 12(3), Article 15(1) and Article 15(3)

3.1 The Trust informed the Commissioner that during the relevant period, it had responded to approximately 68% of incoming SARs within the one-month statutory timeframe.

3.2 The Commissioner also considered further information provided by the Trust during the investigation regarding deficiencies with its system for logging and managing SARs.

3.3 For the relevant period and throughout the investigation, the Trust stated that there were issues with the quality of data it had provided to the Commissioner and it could not guarantee the accuracy of its quantitative data.

3.4 Of most concern for the relevant period, was that the Trust was unable to accurately account for the number of SARs in its backlog. However, the Trust acknowledged that it had a large number of outstanding SARs that were over one month old.

3.5 The Trust was unable to accurately demonstrate its compliance with the requirements of Article 12(3), Article 15(1) and Article 15(3) UK GDPR. In particular, the Commissioner noted that:

i. For the relevant period, the Trust was unable to confirm the number of SARs to which the extended statutory timeframe of three months applied in accordance with Article 12(3) UK GDPR. In addition, the Trust was also unable to confirm how many SARs had been responded to within this extended statutory timeframe. The Trust confirmed in its responses dated 29 April 2021 and 15 September 2022 that its inability to provide this information was because the Trust’s case management system did not have the functionality to record this information.

ii. In a response dated 18 November 2022, the Trust advised that the quantitative data it had previously provided in respect of the relevant period was inaccurate because it included requests for deceased individuals’ records. Recital 27 UK GDPR confirms that the UK GDPR does not apply to the personal data of deceased persons. Accordingly, such requests are not subject to the requirements of Article 15 UK GDPR and should not have been included in the quantitative data provided to the Commissioner.

iii. In the same response dated 18 November 2022, the Trust confirmed that its previous case management system had not been fit for purpose and had regularly failed, leading to issues with the quality of the data. The Trust confirmed that it had migrated to a new case management system between May 2022 to November 2022 but further work was required to ensure that the system could provide the performance data required. The Trust stated that although the accuracy of its quantitative data had been improving, the accuracy of the SARs data provided to the Commissioner in respect of the relevant period could not be guaranteed.

iv. The Commissioner asked the Trust to provide fresh quantitative data for two further compliance periods, from 01 December 2021 to 30 November 2022 and 1 April 2023 to 31 March 2024. The Trust advised that there were still issues with its data quality and that whilst it had been as accurate as possible, it could not guarantee the quality of all the data disclosed and it was aware of a number of ongoing issues.

v. In its final response dated 18 April 2024, the Trust confirmed that it had concluded the procurement of a new solution in March 2024 to support the management of the Trust’s Records of processing activities (the “ROPA”) and provide a bespoke SAR care management system.

vi. The Commissioner notes the Trust’s acknowledgement that a lack of oversight and the resource provision for processing SARs had not been addressed for several years. Notably during the relevant period the Trust was still working primarily with paper records and this presented a significant challenge for the Trust when processing SARs. Handling paper records and preparing them for disclosure was a time-consuming process and placed a heavy burden on staff resource.

vii. This lack of oversight and resource was compounded by the Covid-19 pandemic which led to resource prioritising and redeployment of clinicians and difficulties in physically retrieving the Trust’s records.
5. Remedial steps taken by the Trust

5.1 The Commissioner has considered and welcomes the remedial steps taken by the Trust to address its SAR compliance and the backlog of SARs. In particular, the development of an Information Asset Management Strategy (IAMS) and the procurement of a bespoke system to support the management of the ROPA which meets the requirements of the NHS England Asset Register and provides better oversight of requests via the SARs module.

5.2 The Commissioner also notes that: the Access to Records Policy has been updated; formal staff training has been provided on SARs; and additional staff have been recruited on a temporary basis.

5.3 The Trust are planning to digitise patient records in accordance with NHS England’s Plan for Digital Health and Social Care [4] which aims for all integrated care systems and their NHS Trusts to have core digital capabilities, including electronic health records, in place by March 2025. However, the Commissioner recognises that this will be a significant undertaking for the Trust.

[4] A plan for digital health and social care - GOV.UK

5.4 Whilst the Trust continues to have a backlog of SAR cases, as a result of the above remedial steps, the Commissioner notes that the backlog of SAR cases is improving.

6. Decision to issue a reprimand

6.1 Taking into account all the circumstances of this case, including the remedial steps identified above, the Commissioner has decided to issue a reprimand to the Trust in relation to the Infringements of Articles 12(3), 15(1) and 15(3) of the UK GDPR as set out above.

6.2 The Trust were invited to provide representations. On 11 December 2024 the Trust notified the ICO that it did not intend to make any representations.

7. Further Action Recommended

7.1 The Commissioner has set out below certain recommendations which may assist the Trust in rectifying the infringements outlined in this reprimand and ensuring the Trust’s future compliance with the UK GDPR. Please note that these recommendations do not form part of the reprimand and are not legally binding directions. As such, any decision by the Trust to follow these recommendations is voluntary and a commercial decision for the Trust. For the avoidance of doubt, the Trust is of course required to comply with its obligations under the law.

7.2 If in the future the ICO has grounds to suspect that the Trust is not complying with data protection law, any failure by the Trust to rectify the infringements set out in this reprimand (which could be done by following the Commissioner’s recommendations or taking alternative appropriate steps) may be taken into account as an aggravating factor in deciding whether to take enforcement action - see page 11 of the Regulatory Action Policy (ico.org.uk) and Article 83(2)(i) of the UK GDPR.

7.3 The Commissioner recommends that the Trust should consider the following steps to improve its compliance with UK GDPR:

(i) Adhere to the IAMS.

(ii) Complete and maintain the ROPA to ensure that it is consistent with the requirements of Articles 30(1) and 30(2) UK GDPR.

(iii) Respond to all outstanding SARs in the backlog in line with Articles 12(3), 15(1) and 15(3) UK GDPR.

(iv) Respond to SARs within the relevant statutory deadlines to ensure compliance with Article 12(3), 15(1) and 15(3) UK GDPR.

(v) Continue to monitor SAR compliance, ensuring the appropriate oversight by senior management.

(vi) Ensure that it has adequate staff resources and training in place to process and respond to SARs, in line with Articles 12(3), 15(1) and 15(3) UK GDPR.

(vii) Consider any additional improvements that can be made to the SARs handling process.

Dated 13 December 2024