NHS Fife shared unredacted personal data to Scottish Government without consent

Proceedings at a Scottish Employment Tribunal between nurse Sandie Peggie and NHS Fife have raised serious concerns about the disclosure of highly personal data. The dispute involves private matters between Peggie and trans doctor Beth Upton, which were subsequently exposed in the public domain.

The controversy arose after The Herald obtained confidential documents via a Freedom of Information (FOI) request. These documents show NHS Fife briefed Scottish Government ministers on the progress of the underlying disciplinary process and contained unredacted personal data about Ms Peggie, including references to her occupational health appointments and internal employment matters.

Peggie's solicitor has written to NHS Fife demanding an explanation for the disclosure of her personal data to third parties without her consent and without redaction, arguing that it breaches her privacy. 

In a LinkedIn post, data protection specialist Jon Baines questioned how the disclosure of this unredacted information to both the Scottish Government and, subsequently, to the media via FOI could be justified under data protection law, as it is likely to contravene the first data protection principle. 

Baines wrote that while, "paragraph 5 of schedule 2 to the Data Protection Act 2018 permits disclosure of personal data, in circumstances where it would otherwise be unlawful, where the disclosure is necessary for the purposes of legal proceedings, and while disclosure to the media is not absolutely barred by section 38 of the Freedom of Information (Scotland) Act 2002, I cannot see a) how the paragraph 5 "necessity" would be met, nor b) how disclosure under FOISA would not contravene the first data protection principle (at least)."

£ - This article requires a subscription. 

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.