In response to a number of queries, I am writing to all practices to outline the current position.
CNSGP
CNSGP has a very limited role in providing indemnity for data breach issues for GP practices. It will, however, cover claims alleging a negligent breach of a duty of care, provided that:
“The claim is one for personal injury or loss arising from a negligent act on the part of the GP practice/contractor or member of staff which may, for example, have resulted in wrongful disclosure of personal data.”
Because of the way in which solicitors may phrase claims, if a complaint cannot be resolved by a normal explanation and, where appropriate, an apology, it is worthwhile in all cases asking NHS Resolution whether the claim falls within CNSGP. CNSGP does not, however, cover, for example, claims for breach of data protection legislation or misuse of private information.
NHS Resolution's scope document outlines the types of work carried out by general practice staff and whether or not each is covered by the Clinical Negligence Scheme for General Practice (CNSGP).
Indemnity Organisations (MDU, MPS, MDDUS)
The indemnity organisations (IOs) will not normally provide indemnity for any aspect of a data breach.
Practice Public Liability Insurance Policies
Some practice insurance policies do provide cover for data breach claims, sometimes because it was specifically requested and sometimes as incidental cover that colleagues may not have requested or been made aware existed. As this is a useful source of cover, it is worthwhile checking with your current insurer(s) whether it is included in your policy.
Commercial Data Protection Insurance
This is an increasingly competitive area, but few companies specialise only in General Practice/NHS claims, and the LMC is not currently able to recommend a range of providers.
In all cases it is unlikely that any insurance will cover fines or penalties imposed by, for example, the ICO or the Ombudsman.
The commonest types of claims are:
- Releasing medical information, including test results, to a patient's relative or representative without first confirming the patient's consent.
- Sending (including emailing) medical information to the wrong recipient or address.
- Leaving medical records in a public place, or losing them.
- Employees accessing patients' medical records without a valid reason for doing so.
The Information Commissioner does not require every personal data breach to be reported; under UK GDPR a breach must be reported within 72 hours of the practice becoming aware of it unless it is unlikely to result in a risk to the individuals concerned, so whether to report depends on the circumstances of the case. The ICO provides a self-assessment tool to assist with this decision: Self-assessment for data breaches | ICO
Even if no report is made, practices should treat the breach as a significant incident/event and carry out an assessment, in particular considering what steps (for example, training or changes to procedures) might prevent a recurrence. Even where a data breach is reported to the ICO, their most likely response will focus on the steps the practice has taken to inform the individual(s) involved and to address the cause of the breach. As colleagues will appreciate, deliberate breaches can be difficult to guard against, but in most cases simple steps, such as checking the recipient's email address before sending or ensuring privacy when discussing patient information, can prevent many incidents.
Dr Julius Parker, Chief Executive