The privacy watchdog is investigating whether there was a delay in notifying the London Clinic of a claim in which staff attempted to access the Princess of Wales’s personal medical records, The Guardian has revealed.
Official guidance from the Information Commissioner’s Office (ICO) states that if a personal data breach poses a risk to the rights and freedoms of individuals, it must be reported within 72 hours of discovery.
The hospital is at the center of allegations that at least one staff member attempted to view Duchess Kate’s medical records during her 13-night stay in January. However, it is understood the ICO did not receive any incident reports for more than a week after she was discharged from hospital on January 29.
The ICO said it has now received a breach report and is “assessing the information provided”. Officials said the “timeliness of the report” was part of an “ongoing” investigation into the London Clinic.
Health Minister Maria Caulfield said on Wednesday that hospital staff could face enforcement action, including fines and prosecution, if they were found to have accessed the princess’s medical records.
“Accessing notes without authorization is a pretty serious and serious situation,” she said. Police were also “asked to investigate” whether staff had attempted to access Catherine’s personal medical records, Mr Caulfield added.
Under the Data Protection Act 2018, it is a criminal offense to obtain, disclose or retain personal data without the consent of the data controller. The ICO can carry out criminal investigations and prosecute individuals where it believes a crime may have been committed.
The evaluation of a breach report is typically performed by a criminal investigation team to determine how or whether to proceed with an investigation. This decision includes considering whether there is sufficient evidence to support prosecution and whether it is in the public interest to do so.
The London Clinic did not respond to a series of questions from the Guardian about its timeline for reporting alleged ICO breaches.
“All appropriate investigative, regulatory and disciplinary actions will be taken,” the company said in a statement.
Al Russell, CEO of the hospital, said: “Everyone at the London Clinic is acutely aware of our personal, professional, ethical and legal obligations regarding patient confidentiality. We take great pride in the exceptional care and discretion we aim to provide.
“We have systems in place to monitor the management of patient information and all appropriate investigative, regulatory and disciplinary actions will be taken in the event of a violation. There is no place for anyone who knowingly betrays the trust of their colleagues.”
Duchess Kate was admitted to a private hospital on January 16th for abdominal surgery.
Details of the Duchess’s medical condition have not been disclosed, but Kensington Palace previously said it was not cancer-related and that the Duchess had preferred not to make private medical information public.
The Mirror first reported that an investigation had been launched at the hospital after at least one member of staff attempted to access the princess’s notes while she was in the hospital.
The allegations are the latest blow to hit Duchess Kate. Duchess Kate has been away from public life for the past two months, sparking conspiracy theories on social media about her whereabouts and health. The problem was made worse when a Mother’s Day photo of the princess and her children, which she admitted to editing, was digitally altered.
After newsletter promotion
Over the weekend, footage emerged of the Princess shopping with the Prince of Wales at Windsor Farm Shops, near her home in Adelaide Cottage. The Sun reports that the royal couple also spent Sunday morning watching Prince George, Princess Charlotte and Prince Louis attend sporting events.
Asked about the alleged breach, the Prime Minister’s official spokesperson said: “There are clearly strict rules around patient data that must be followed.”
Mr Caulfield said accessing notes without permission could have “serious consequences” including prosecution and fines. She said she understood police had been contacted, but a Metropolitan Police Department spokeswoman said she was not aware of her referral to police.
Kensington Palace said: “This is a London Clinic matter.”
Britain’s Healthcare Professionals Regulatory Authority said it would act if necessary.
The Health and Care Professions Council, which regulates medical staff in 15 different professions, including radiographers, physiotherapists and paramedics, says: ‘Check to see if a registrant has been investigated or if a complaint has been lodged. I can’t do that.”
“HCPC has a duty of confidentiality to both complainants and registrants.”
The General Medical Council, which regulates doctors, said it would “take appropriate action where these concerns pose a risk to patients or public trust in the profession.”
The Nursing and Midwifery Council said its code is clear that all nurses, midwives and nursing assistants “must respect people’s rights to privacy and confidentiality”.
