Hospital staff attempted to access Princess of Wales' medical records

A private hospital, the London Clinic, is under investigation after allegations emerged that staff had attempted to access the personal medical records of the Princess of Wales while she was being treated there. The news story, first reported in The Mirror, revealed that at least one staff member attempted to access Princess Kate's medical records while she was a patient at the hospital in January. In an updated article, The Mirror later confirmed that three members of staff at the clinic are being investigated over the alleged breach.  

In a statement, the Information Commissioner's Office (ICO) confirmed that it has received a report of a personal data breach and is assessing the information provided. 

While the ICO's official statement is limited in detail, The Guardian revealed on Wednesday that the regulator is investigating whether the London Clinic delayed its reporting of the alleged personal data breach under Article 33 of the UK General Data Protection Regulation (GDPR) beyond the permitted 72-hour period. 

The same article also includes a statement from Al Russell, Chief Executive at the London Clinic, who said, "Everyone at the London Clinic is acutely aware of our individual, professional, ethical and legal duties with regards to patient confidentiality. We take enormous pride in the outstanding care and discretion we aim to deliver for all our patients that put their trust in us every day." Russel went on to say, "We have systems in place to monitor management of patient information and, in the case of any breach, all appropriate investigatory, regulatory and disciplinary steps will be taken. There is no place at our hospital for those who intentionally breach the trust of any of our patients or colleagues."

Earlier in the day, The Guardian reported Maria Caulfield, Parliamentary Under Secretary of State at the Department of Health and Social Care (DHSC), confirmed that the Metropolitan Police Service (MPS) had been asked to investigate whether staff at the clinic attempted to access the Princess of Wales's medical records. Caufield added that "it's not acceptable to be looking at people's notes, but it has been spotted and action has been taken so people can be reassured that if it does happen – particularly with electronic notes these days, it's spotted pretty quickly if someone's accessing notes that they shouldn't be."

In comments given to Sky News, ICO Deputy Commissioner Stephen Bonner described such a breach as "very serious" but "thankfully very rare". However, he explained that when a breach occurs, the ICO first assesses the organisation to determine if it took reasonable steps to protect the information. If individuals are found to have misused the trust placed in them, the ICO can take action against them in criminal courts, although this would most likely result in a fine. Mr Bonner added that the vast majority of medical professionals take their obligations seriously, but there are occasionally a few who attempt to breach confidentiality for curiosity or other reasons, and it is these individuals that the ICO is committed to finding and stopping.

A blog article by Jon Baines for international law firm Mischon de Reya highlights the data protection implications following the data breach reports. In particular, the blog outlines that any investigation by the ICO is likely to consider whether an individual or individuals might have committed a criminal offence under Section 170 of the Data Protection Act 2018. 

A related story indicates there has been no indication that the King's personal medical records were accessed during his recent treatment at the same hospital.