Context
The ICO has published a statement in relation to the conclusion of a criminal investigation into the unlawful obtaining and disclosure of medical information to a third party without the consent of the data controller, related to a breach reported by the London Clinic in March 2024.
Key points to note and next actions
- Following a full assessment under the Code for Crown Prosecutors and the ICO’s Prosecution Policy, the ICO issued a now former healthcare professional from London with a formal caution in relation to an offence under the Data Protection Act 2018.
- The conduct involved the deliberate misuse of highly sensitive personal information and an offer to disclose it for financial gain, representing a clear breach of trust.
- The ICO considers the available evidence and the public interest in every criminal investigation. In this instance, the ICO concluded that a caution was the appropriate and proportionate enforcement response.
- The ICO also considered whether there were any wider organisational issues arising from the healthcare provision in this matter. Based on the evidence available, the ICO did not identify any failings that would meet the threshold for regulatory enforcement.