Trust apologises for GDPR breach

by Neil Hallows

A trust has apologised to a surgeon after it released his name to the media without advance warning, in a breach of data-protection rules.

Location: England
Published: Monday 9 November 2020
hospital corridor

St George's University Hospitals NHS Foundation Trust in London had its trainees removed by Health Education England in 2018 after what was reported in the media as a dispute between clinicians and management.

The trust was cited in the piece naming two surgeons as those who led the trainees’ supervision – leading readers to draw the false inference that the surgeons were connected with the problems which faced the unit.

One of them was consultant cardiac surgeon Justin Nowell, who contacted the BMA for help. The BMA took legal advice and concluded that there may have been a breach of GDPR (General Data Protection Regulation).

Following an unsatisfactory grievance process, Mr Nowell reported his concerns to the ICO (Information Commissioner’s Office).

The ICO said St George’s had not complied with its data-protection obligations ‘because of a lack of fairness and transparency’.

The ICO said people have the right to know how their personal data was going to be used. While releasing the name and job title of a doctor was not an infringement in itself – the information already most likely being in the public domain – the trust should have given Mr Nowell a ‘privacy notice’ to tell him what it was going to do with his data.

The ICO also said the trust’s data protection and confidentiality policy had not been updated in the light of new legislation, and that there were gaps in policy documents.

Procedure failure

More than two years after the trust used Mr Nowell’s name in the media report, it has issued a statement jointly with the surgeon which aims to bring some resolution to the matter.

The statement also apologises to Mr Nowell for excluding him from his employment for a period in August 2018.

It says: ‘On 9 August 2018, the trust excluded Mr Nowell from his employment within the cardiac surgery unit of the trust.

‘The exclusion did not relate to patient-safety concerns or to Mr Nowell’s skills or competence. In excluding Mr Nowell, the trust accepts that it failed to correctly follow its internal procedures and the trust apologises for any distress caused to Mr Nowell by this decision. The trust lifted Mr Nowell’s exclusion on 29 August 2018 and no further action was taken.

‘In September 2018, unrelated to his exclusion, the trust released information to the HSJ (Health Service Journal) which was subsequently published. Whilst the trust considered that it acted properly in disclosing this information as it was correct and in the public domain, the trust did not notify Mr Nowell in advance of the disclosure.

‘The trust acknowledges that its actions did not meet the transparency principles under [GDPR]. The trust apologises to Mr Nowell for any infringement of his data-protection rights and for any distress this caused him.

‘The trust has reviewed and updated its privacy statements and relevant training and guidance for the processing of staff data as part of its wider organisational learning and improvements.

‘The trust has learned from these events and since 2018 has taken steps to improve its systems and processes.

‘Mr Nowell and the trust are committed to working together to ensure the future success of the cardiac surgery unit.

‘Mr Nowell and the trust have entered into a private settlement in relation to these matters, the terms of which are confidential.’

Reputation tarnished

Mr Nowell was unable to make any further comment regarding the outcome of the case. Last year, in an interview with The Doctor, he said: ‘The original disclosure [by the trust] caused much distress to me and my family. My reputation has suffered.’

In the interview he also paid tribute to BMA senior employment adviser Mark Briggs who helped him navigate through the process. Mr Briggs said he was happy that the matter was resolved.

He said: ‘I am pleased that Mr Nowell has finally been able to draw this matter to its rightful conclusion. The trust has now accepted that it was at fault. We were very concerned about the use of Mr Nowell’s name being wrongly associated with the content of the article in the HSJ but just as importantly how the trust had gone about providing information relating to a member of staff to an external organisation with considerable influence in the NHS. This was potentially very damaging and Mr Nowell was not even consulted. 

‘We are reminded that we had to go through the entire grievance procedure within the trust and beyond for the complaint to be upheld, which emphasises the importance of having BMA assistance to ensure people are treated fairly.’