United Kingdom

Tavistock & Portman NHS Foundation Trust

91,000 €

GDPR enforcement action by Information Commissioner (ICO) on 2022-06-09.

Rank · Sector: #46 of 356 in Public Sector and Education
Rank · United Kingdom: #21 of 28
Rank · All fines: #498 of 3,042

Case details

Authority: Information Commissioner (ICO)
Date: 2022-06-09
Controller / Processor: Tavistock & Portman NHS Foundation Trust
Sector: Public Sector and Education
Quoted Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The UK DPA (ICO) has fined the Tavistock and Portman NHS Foundation Trust EUR 91,000. The Tavistock and Portman NHS Foundation Trust is a mental health specialist trust located in London.

In early September 2019, the trust wanted to run a contest asking patients at the adult gender identity clinic to provide artwork to decorate a renovated clinic building. For this, two emails were inadvertently sent with an open distribution list (one to 912 recipients and the second to 869 recipients).

It was clear from the content of the email that all recipients were patients of the clinic. The trust immediately recognized the error and unsuccessfully attempted to recall the emails.

As part of its investigation, the ICO determined that the trust had no technical or organizational measures in place to prevent or mitigate this highly predictable human error. The ICO rated the harm to affected individuals as high, given that information about an individual's relationship with a gender identity clinic is very sensitive personal information.

Due to the immediate implementation of security measures and extensive cooperation with the ICO, the fine was reduced from EUR 910,000 to EUR 91,000.
