Staines Health Group – Complaint Upheld (United Kingdom, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Staines Health Group (the controller) is a General Practitioner clinic. A patient (the data subject) asked the controller to send their medical history for the last 5 years to their insurer. The controller instead disclosed 23 years of the data subject's medical records to the insurer. The DPA found that the controller infringed Article 5(1)(c) UK GDPR, Article 5(1)(f) UK GDPR, Article 32 UK GDPR and Article 33 UK GDPR, and issued a reprimand.

Firstly, the DPA held that the controller shared personal data that were not adequate, relevant and limited to what was necessary, in breach of Article 5(1)(c) UK GDPR (data minimisation). Specifically, the controller transmitted 23 years of medical records to the data subject's insurer even though the request covered only the last 5 years.

Secondly, the DPA found that the controller failed to ensure appropriate security of the processing, among other things by having no written guidance for staff on handling insurance requests, in breach of Article 5(1)(f) UK GDPR (integrity and confidentiality) and Article 32 UK GDPR (security of processing). The over-disclosure was therefore treated not as an isolated mistake but as the result of a missing control: a documented procedure for scoping and checking third-party disclosure requests before records leave the practice.

Finally, the controller did not notify the DPA within 72 hours of becoming aware of the personal data breach, in violation of Article 33 UK GDPR.
National Law Articles
Article 5(1)(c) UK GDPR, Article 5(1)(f) UK GDPR, Article 32 UK GDPR, Article 33 UK GDPR
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Staines Health Group in UK
This is the only recorded action for this entity in this jurisdiction.
About this data
Cite as: Cookie Fines. Staines Health Group - United Kingdom (2025). Retrieved from cookiefines.eu