The privacy watchdog is investigating whether the London Clinic delayed informing it of claims that staff tried to access the Princess of Wales’s personal medical records, the Guardian has learned.
Official guidance from the Information Commissioner’s Office (ICO) is that personal data breaches must be reported within 72 hours of discovery if they pose a risk to an individual’s rights and freedoms.
The hospital is at the center of claims that at least one staff member attempted to access Catherine’s medical records while she was a patient there for 13 nights in January. However, it is understood the ICO has not received an incident report more than a week after her dismissal on January 29.
The ICO said it had now received a breach report and was “assessing the information provided”. A source said “timeliness of reporting” was part of the “ongoing” investigation into the London Clinic.
Hospital staff could face enforcement action, including fines and prosecution, if they are found to have accessed the Princess’s medical records, Health Minister Maria Caulfield said on Wednesday.
She said it was “quite serious and serious to have access to notes that you don’t have permission to”. Police were also “asked to look” at whether staff tried to access Catherine’s personal medical records, Caulfield added.
Under the Data Protection Act 2018, it is an offense to obtain, disclose or retain personal data without the consent of the data controller. The ICO can conduct criminal investigations and prosecute individuals where it believes a criminal offense may have been committed.
The assessment of infringement reports is usually carried out by the criminal investigation team, who will decide how and whether to proceed further. This decision will include looking at whether there is sufficient evidence to support a prosecution and whether it is in the public interest to do so.
The London Clinic did not respond to a series of questions from the Guardian about the timeline of reporting the alleged breach to the ICO.
A statement said that “all appropriate investigative, regulatory and disciplinary steps will be taken.”
The hospital’s CEO, Al Russell, said: “Everyone at the London Clinic is acutely aware of our individual, professional, ethical and legal duties in relation to patient confidentiality. We are extremely proud of the excellent care and discretion we want to provide to all our patients who place their trust in us every day.
“We have systems in place to monitor the management of patient information and in the event of a breach, all appropriate investigative, regulatory and disciplinary steps will be taken. There is no place in our hospital for those who deliberately betray the trust of our patients or colleagues.”
Catherine was admitted to the private hospital on January 16 for abdominal surgery.
Details about her condition have not been released, but Kensington Palace previously said it was not cancer-related and that the princess wished her personal medical information to remain private.
The Mirror first reported that an investigation had been launched at the hospital after at least one staff member tried to access the princess’s notes while she was a patient there.
The allegations are the latest blow to Catherine, whose absence from public life over the past two months has led to wild conspiracy theories on social media about her whereabouts and health. The digitally altered Mother’s Day photo of the princess and her children, which she admitted was doctored, exacerbated the problem.
after newsletter promotion
Images emerged of the Princess shopping with the Prince of Wales at the Windsor Farm Shop, near their Adelaide Cottage home, this weekend. The royal couple also spent Sunday morning watching Prince George, Princess Charlotte and Prince Louis take part in a sporting event, the Sun reported.
Asked about the alleged breach, the Prime Minister’s official spokesperson said: “It is clear that there are strict rules regarding patient data that must be followed.”
Caulfield said there could be “significant consequences” for accessing the notes without permission, including prosecution or fines. She said she understood police had been contacted, although a Metropolitan Police spokesperson said they were not aware of any referral to the force.
Kensington Palace said: “This is a matter for The London Clinic.”
Britain’s healthcare regulators said they would take action if necessary.
The Health and Care Professions Council, which oversees healthcare workers from 15 different professions including radiographers, physiotherapists and paramedics, said: “We cannot confirm whether or not a registrant is under investigation or if a complaint has been made.
“The HCPC has a duty of confidentiality to both complainants and our registrants.”
The General Medical Council, which oversees doctors, said: “We will take appropriate action if these concerns pose a risk to patients or public confidence in the profession.”
The Nursing and Midwifery Council said the code was clear that all nurses, midwives and nursing assistants must “respect people’s right to privacy and confidentiality”.