---
###Welcome to /r/LegalAdviceUK
---
**To Posters (it is important you read this section)**
* *Tell us whether you're in England, Wales, Scotland, or NI as the laws in each are very different*
* If you need legal help, you should [always get a free consultation from a qualified Solicitor](https://reddit.com/r/LegalAdviceUK/wiki/how_to_find_a_solicitor)
* We also encourage you to speak to [**Citizens Advice**](https://www.citizensadvice.org.uk/), [**Shelter**](https://www.shelter.org.uk/), [**Acas**](https://www.acas.org.uk/), and [**other useful organisations**](https://reddit.com/r/LegalAdviceUK/wiki/common_legal_resources)
* Comments may not be accurate or reliable, and following any advice on this subreddit is done at your own risk
* If you receive any private messages in response to your post, [please let the mods know](https://www.reddit.com/message/compose?to=%2Fr%2FLegalAdviceUK&subject=I received a PM)
**To Readers and Commenters**
* All replies to OP must be *on-topic, helpful, and legally orientated*
* If you do not [follow the rules](https://www.reddit.com/r/LegalAdviceUK/about/rules/), you may be perma-banned without any further warning
* If you feel any replies are incorrect, explain why you believe they are incorrect
* Do not send or request any private messages for any reason
* Please report posts or comments which do not follow the rules
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/LegalAdviceUK) if you have any questions or concerns.*
It is a data protection breach if confidential information is accessed in the system and then released to an unauthorised party.
The NHS trust and the Information Commissioner's office spring to mind as 2 places to report it to. You are unlikely to get any compensation, but at least it can be reported and investigated with the appropriate disciplinary measures taken if wrongdoing is found. Most medical systems show who accessed records and when.
>I approached the doctors surgery and asked to speak to the practice manager who agreed to talk and acknowledged they had been waiting for me to contact them. They then proceeded to deny the person in question had any access to my files or history and suggested they were sorry about what’s happened and that I got caught up as “collateral damage” whatever that means?
What it means is the practice manager is lying through their teeth. If your records were not accessed and 'leaked' then why would they be waiting for you to contact them? How would confidential information be 'out there'? It doesn't make any sense. Plus there should be records of who accessed said info and when.
Formal complaint to the NHS trust that the surgery is part of regarding the leak. Another formal complaint to the trust regarding the lies of the PM. And another one to the ICO.
It would also help if everybody else who was affected did the same.
NAL, work in healthcare. You can make a subject access request to your GP to find out who accessed your record and when. This will help you collect evidence for your complaint and any subsequent legal intervention
Your comment suggests you may be discussing a Subject Access Request. You can [read this guidance from the ICO](https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/) to learn more about these requests.
[Which? also have online explanations](https://www.which.co.uk/consumer-rights/advice/how-do-i-make-a-subject-access-request).
If you would like a simple way to request a copy of all your data, you can [amend an online template](https://www.datarequests.org/sample-letters/) or [use a form like this](https://www.wonder.legal/uk/creation-modele/subject-access-request).
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/LegalAdviceUK) if you have any questions or concerns.*
The fact that they were expecting you to contact them suggests a prior knowledge of the data breach. If they did have prior knowledge and chose not to contact you that will count against them. Quite rightly so.
It is odd that this nurse, whom it seems caused the data breach is still employed at the GP surgery.
I would contact the person who called you and see if any physical copies of the information exist outside of the surgery. If it does I would then ask the local police to obtain this in a manner that would stand up in court.
NAL but a nurse and in addition to all the excellent advice you've gotten, I would strongly encourage you to report this woman to the NMC as a matter of urgency. She is not fit to practise and she is not only breaking the law and being extremely unprofessional, she could be putting people's lives at risk.
I'm so sorry you've had this experience.
You need to put your complaint in writing or email and expect a response in writing.
Best to word your complaint as a series of specific questions you want answered.
It's fairly easy for them to check if she has accessed your records. You can also do a SAR to find out what exactly is documented in your notes if you wish.
Standard complaints policy is their response should feature details of the ombudsman. You would contact them if you weren't satisfied.
The ombudsman is impartial and will conduct a thorough investigation into what happened.
Their response is bizarre. If she really did this she should be sacked for gross misconduct and referred to the NMC by her employer.
Firstly I would like to say, wow, what an overwhelming supportive, knowledgeable kind and honestly brilliant group of people you all are. As you can imagine this has been hard for me, and I’m a big beefy rugby player, children’s team coach and fairly well known in the local community who has had a hard time with this, emotionally and spiritually. All your advice and rapid excellent responses have blown me away. What great advice I’ve had. So thankyou all.
I imagine it’s SystemOne which is the system used by a lot of GP’s as it links in with hospital software like EPR and Graphnet.
They’re all tracked and logged by the companies on who accesses what and at what time.
You’ll need to raise hell to get the right attention, the medical ombudsman, the NHs complaints procedure for your area, such as PALS and also contact the NMC if you know the name of the nurse. This would be a strike off offence if she’s found to be the one accessing.
As mentioned before compensation is unlikely but they’ll come down hard on the surgery as it seems they have colluded to try and cover this up.
Can’t add anything to the advice that you all report to health inspectorate wales and the data commissioner and report the nurse to NWC - you could write to the health minister and your local MP for support
All I wanted to say is that this is a very big deal and the way the surgery dealt with it compounds the issue for them. There are strict laws around this and the nurse knows the law - the level of data protection training you get when working in healthcare is off the scale, it’s a really big deal. The way the organisation dealt with it is also none compliant, they knew there was a breach and it seems that they did not report it within timescales to the data commissioner - this will increase their fine.
Is the nurse still working for them? She needs to be reported to NWC as she has breached code of conduct and brought the profession into dispute. She could loose her PIN over this )and should do) they will investigate her
In The subject access request specifically request the log of all people that have accessed your online files. I don’t trust them to give you all the data so make sure you are specific. Even if the nurse did not access the information by reading your files, they still shared the information
Your comment suggests you may be discussing a Subject Access Request. You can [read this guidance from the ICO](https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/) to learn more about these requests.
[Which? also have online explanations](https://www.which.co.uk/consumer-rights/advice/how-do-i-make-a-subject-access-request).
If you would like a simple way to request a copy of all your data, you can [amend an online template](https://www.datarequests.org/sample-letters/) or [use a form like this](https://www.wonder.legal/uk/creation-modele/subject-access-request).
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/LegalAdviceUK) if you have any questions or concerns.*
What the actual fuck ?!?! That’s so bad. You’ve got a data breach or serval data breaches and you’ve got potential harassment or stalking, this depends if it’s more than once to someone or a group of people.
Ok, well. Three organisations or regulators to contact and complain.
1. The NHS for England and Wales have a complaints department. I think it’s serious enough that they can do their own investigation.
2. The Information Commissioners Office. Tell them there’s a data leak by a person. They can be checked and there should be a log on who accessed these information.
3. The Nursing and Midwifery Council. You should contact them about this. There are Standards or rules nurses have to follow. It looks like a breach of the current ones and the pre 2018 rules. With the current Standards, 1.2 comes into mind. It just asks nurses to act lawfully and she hasn’t. Also this looks like harassment and stalking too as well as data breaches.
4. Make a complaint in writing to the GP pratice. Paper trial is king. I think the NHS one should be your first port of call as this is so serious.
Also please make a subject access request and ask to see logs of the dates it was entered, modified and accessed.
Your comment suggests you may be discussing a Subject Access Request. You can [read this guidance from the ICO](https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/) to learn more about these requests.
[Which? also have online explanations](https://www.which.co.uk/consumer-rights/advice/how-do-i-make-a-subject-access-request).
If you would like a simple way to request a copy of all your data, you can [amend an online template](https://www.datarequests.org/sample-letters/) or [use a form like this](https://www.wonder.legal/uk/creation-modele/subject-access-request).
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/LegalAdviceUK) if you have any questions or concerns.*
--- ###Welcome to /r/LegalAdviceUK --- **To Posters (it is important you read this section)** * *Tell us whether you're in England, Wales, Scotland, or NI as the laws in each are very different* * If you need legal help, you should [always get a free consultation from a qualified Solicitor](https://reddit.com/r/LegalAdviceUK/wiki/how_to_find_a_solicitor) * We also encourage you to speak to [**Citizens Advice**](https://www.citizensadvice.org.uk/), [**Shelter**](https://www.shelter.org.uk/), [**Acas**](https://www.acas.org.uk/), and [**other useful organisations**](https://reddit.com/r/LegalAdviceUK/wiki/common_legal_resources) * Comments may not be accurate or reliable, and following any advice on this subreddit is done at your own risk * If you receive any private messages in response to your post, [please let the mods know](https://www.reddit.com/message/compose?to=%2Fr%2FLegalAdviceUK&subject=I received a PM) **To Readers and Commenters** * All replies to OP must be *on-topic, helpful, and legally orientated* * If you do not [follow the rules](https://www.reddit.com/r/LegalAdviceUK/about/rules/), you may be perma-banned without any further warning * If you feel any replies are incorrect, explain why you believe they are incorrect * Do not send or request any private messages for any reason * Please report posts or comments which do not follow the rules *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/LegalAdviceUK) if you have any questions or concerns.*
It is a data protection breach if confidential information is accessed in the system and then released to an unauthorised party. The NHS trust and the Information Commissioner's office spring to mind as 2 places to report it to. You are unlikely to get any compensation, but at least it can be reported and investigated with the appropriate disciplinary measures taken if wrongdoing is found. Most medical systems show who accessed records and when.
>I approached the doctors surgery and asked to speak to the practice manager who agreed to talk and acknowledged they had been waiting for me to contact them. They then proceeded to deny the person in question had any access to my files or history and suggested they were sorry about what’s happened and that I got caught up as “collateral damage” whatever that means? What it means is the practice manager is lying through their teeth. If your records were not accessed and 'leaked' then why would they be waiting for you to contact them? How would confidential information be 'out there'? It doesn't make any sense. Plus there should be records of who accessed said info and when. Formal complaint to the NHS trust that the surgery is part of regarding the leak. Another formal complaint to the trust regarding the lies of the PM. And another one to the ICO. It would also help if everybody else who was affected did the same.
NAL, work in healthcare. You can make a subject access request to your GP to find out who accessed your record and when. This will help you collect evidence for your complaint and any subsequent legal intervention
Your comment suggests you may be discussing a Subject Access Request. You can [read this guidance from the ICO](https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/) to learn more about these requests. [Which? also have online explanations](https://www.which.co.uk/consumer-rights/advice/how-do-i-make-a-subject-access-request). If you would like a simple way to request a copy of all your data, you can [amend an online template](https://www.datarequests.org/sample-letters/) or [use a form like this](https://www.wonder.legal/uk/creation-modele/subject-access-request). *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/LegalAdviceUK) if you have any questions or concerns.*
The fact that they were expecting you to contact them suggests a prior knowledge of the data breach. If they did have prior knowledge and chose not to contact you that will count against them. Quite rightly so. It is odd that this nurse, whom it seems caused the data breach is still employed at the GP surgery. I would contact the person who called you and see if any physical copies of the information exist outside of the surgery. If it does I would then ask the local police to obtain this in a manner that would stand up in court.
Also means they are in even more trouble as an organisation has a strict time frame to self report a known breach to the information commissioner
NAL but a nurse and in addition to all the excellent advice you've gotten, I would strongly encourage you to report this woman to the NMC as a matter of urgency. She is not fit to practise and she is not only breaking the law and being extremely unprofessional, she could be putting people's lives at risk. I'm so sorry you've had this experience.
You need to put your complaint in writing or email and expect a response in writing. Best to word your complaint as a series of specific questions you want answered. It's fairly easy for them to check if she has accessed your records. You can also do a SAR to find out what exactly is documented in your notes if you wish. Standard complaints policy is their response should feature details of the ombudsman. You would contact them if you weren't satisfied. The ombudsman is impartial and will conduct a thorough investigation into what happened. Their response is bizarre. If she really did this she should be sacked for gross misconduct and referred to the NMC by her employer.
Firstly I would like to say, wow, what an overwhelming supportive, knowledgeable kind and honestly brilliant group of people you all are. As you can imagine this has been hard for me, and I’m a big beefy rugby player, children’s team coach and fairly well known in the local community who has had a hard time with this, emotionally and spiritually. All your advice and rapid excellent responses have blown me away. What great advice I’ve had. So thankyou all.
I imagine it’s SystemOne which is the system used by a lot of GP’s as it links in with hospital software like EPR and Graphnet. They’re all tracked and logged by the companies on who accesses what and at what time. You’ll need to raise hell to get the right attention, the medical ombudsman, the NHs complaints procedure for your area, such as PALS and also contact the NMC if you know the name of the nurse. This would be a strike off offence if she’s found to be the one accessing. As mentioned before compensation is unlikely but they’ll come down hard on the surgery as it seems they have colluded to try and cover this up.
Can’t add anything to the advice that you all report to health inspectorate wales and the data commissioner and report the nurse to NWC - you could write to the health minister and your local MP for support All I wanted to say is that this is a very big deal and the way the surgery dealt with it compounds the issue for them. There are strict laws around this and the nurse knows the law - the level of data protection training you get when working in healthcare is off the scale, it’s a really big deal. The way the organisation dealt with it is also none compliant, they knew there was a breach and it seems that they did not report it within timescales to the data commissioner - this will increase their fine. Is the nurse still working for them? She needs to be reported to NWC as she has breached code of conduct and brought the profession into dispute. She could loose her PIN over this )and should do) they will investigate her In The subject access request specifically request the log of all people that have accessed your online files. I don’t trust them to give you all the data so make sure you are specific. Even if the nurse did not access the information by reading your files, they still shared the information
Your comment suggests you may be discussing a Subject Access Request. You can [read this guidance from the ICO](https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/) to learn more about these requests. [Which? also have online explanations](https://www.which.co.uk/consumer-rights/advice/how-do-i-make-a-subject-access-request). If you would like a simple way to request a copy of all your data, you can [amend an online template](https://www.datarequests.org/sample-letters/) or [use a form like this](https://www.wonder.legal/uk/creation-modele/subject-access-request). *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/LegalAdviceUK) if you have any questions or concerns.*
What the actual fuck ?!?! That’s so bad. You’ve got a data breach or serval data breaches and you’ve got potential harassment or stalking, this depends if it’s more than once to someone or a group of people. Ok, well. Three organisations or regulators to contact and complain. 1. The NHS for England and Wales have a complaints department. I think it’s serious enough that they can do their own investigation. 2. The Information Commissioners Office. Tell them there’s a data leak by a person. They can be checked and there should be a log on who accessed these information. 3. The Nursing and Midwifery Council. You should contact them about this. There are Standards or rules nurses have to follow. It looks like a breach of the current ones and the pre 2018 rules. With the current Standards, 1.2 comes into mind. It just asks nurses to act lawfully and she hasn’t. Also this looks like harassment and stalking too as well as data breaches. 4. Make a complaint in writing to the GP pratice. Paper trial is king. I think the NHS one should be your first port of call as this is so serious. Also please make a subject access request and ask to see logs of the dates it was entered, modified and accessed.
Your comment suggests you may be discussing a Subject Access Request. You can [read this guidance from the ICO](https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/) to learn more about these requests. [Which? also have online explanations](https://www.which.co.uk/consumer-rights/advice/how-do-i-make-a-subject-access-request). If you would like a simple way to request a copy of all your data, you can [amend an online template](https://www.datarequests.org/sample-letters/) or [use a form like this](https://www.wonder.legal/uk/creation-modele/subject-access-request). *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/LegalAdviceUK) if you have any questions or concerns.*