In light of its new approach to regulation of the public sector, the Information Commissioner’s Office (ICO) has issued a reduced fine of £78,400 to Tavistock and Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients.

Key Points
  • The 2019 breach happened as a result of the body’s failure to use the ‘bcc’ field in an email. Within 30 minutes of the mailing, a screenshot of the email was shared on social media including the email addresses of some of the people affected. The ICO also issued a reprimand to NHS Blood and Transplant Service, after it inadvertently released untested development code into a live system for matching transplant list patients with donated organs in August 2019. The error led to five adult patients on the non-urgent transplant list not being offered transplant livers at the earliest opportunity.
  • The Trust’s intention was to send a bulk email relating to an art competition to approximately 5,000 GIC patients. The distribution list was extracted from the Trust’s electronic patient record system using a specific set of search criteria which ensured recipients were active patients of the GIC and had consented to be contacted by email in certain circumstances. The output report produced from the system was then manually split into batches of around 1,000 addresses each.

More details are available via the web link below.


(Briefing note compiled from source material)

Action Required:

Audit Committees and Boards / Governing Bodies are advised to note the case and ensure all necessary precautions are taken when sending sensitive information.