A nursing home is facing an investigation into a “very serious” breach of data protection laws, after detailed personal information about its 36 disabled residents was apparently found in the street.
The four-page document contains the names of all 36 residents of Manor Hall, in Eastbourne, as well as their health conditions, mobility and personal care needs, dietary requirements, and even their end-of-life choices.
A member of the public, Michael Tobin, found the document in the street in Eastbourne, near a bin that had been knocked over.
He passed the information to the local Conservative MP, Caroline Ansell, and East Sussex County Council, and has also contacted the Information Commissioner’s Office (ICO).
A spokesperson for the home (pictured) said it was investigating what had happened, and that the matter had been passed to the council’s safeguarding team, but she declined to comment further.
Ansell told Disability News Service (DNS): “It’s very concerning these confidential documents were found on a street and we very much thank the member of public for coming to my office with them.
“They were kept securely by my staff and have now been handed over to the adult social care team at East Sussex County Council.”
Sean Humber, a partner at Leigh Day solicitors, who specialises in data rights issues, said it appeared to be a “very serious” breach of the law.
He told DNS: “I have acted in a range of different cases involving the disclosure, either deliberately or more usually in error, of people’s medical information without their knowledge or consent.
“This is a very serious data breach both in terms of the number of people affected and the very sensitive nature of the personal information involved.
“The matter needs to be reported to ICO, who will almost certainly wish to investigate the matter.
“It seems very likely to me that the nursing home will end up facing a significant fine for failing to keep their residents’ personal details secure.
“In addition, all those identified on the list are likely to have very strong claims for compensation against the nursing home for breach of the GDPR*/Data Protection Act 2018 and misuse of their private information.
“Given the sensitivity of the information, the compensation could be considerable.”
Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it is unlikely to result in a risk to people’s rights and freedoms.
If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it, and be able to explain why it was not reported.
An ICO spokesperson said: “People have the right to expect that organisations will handle their personal information securely and responsibly.
“Where that doesn’t happen, people can come to the ICO and we will look into the details.
“When a data incident occurs, we would expect an organisation to consider whether it is appropriate to contact the people affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects.”
An East Sussex County Council spokesperson said: “Whilst we take any potential data breach seriously, and have been in contact with the nursing home, we are not in a position to comment further.”
A Care Quality Commission spokesperson said it was informed of the incident by the nursing home, which told the watchdog that it was “currently investigating”.
The spokesperson said care providers are required to maintain records securely, and have a duty to comply with the Data Protection Act and GDPR, although “we are aware this does still remain under investigation by the provider”.
He added: “We remain in close contact with the provider and await the outcome of the provider’s investigation into how this occurred, [and] what action they are taking in response.
“We will then consider what, if any, regulatory action is required.”
*The General Data Protection Regulation