In 2008, RBKC chose to ignore basic principles of confidentiality, and the possible consequences of doing so, when re-hashing an email signature block of its Adult Social Care Department.
The block stated that the writer was a member of the ‘Physical Disabilities and HIV Team’, implying by ‘association’ that F may be ‘physically disabled and/or HIV+’. In this context, see the event at Soho HIV Clinic in September 2015, when the ICO decided that the recipients of the Clinic’s e-newsletter could be thought to be HIV+, causing them unwanted concern and distress.
To ensure that his personal information was handled in accordance with his wishes, on 4th May 2010 F issued an amendment to his ‘Information Sharing Agreement’, which clearly instructed RBKC that his explicit written consent must be sought whenever it contemplated disclosing any of his personal information, including his HIV+ related details.
His amendment also included an instruction that any reference to his HIV+ status should be deleted from his files.
Although F requested confirmation of these instructions, RBKC chose not to provide it. Although an amendment to F’s ‘Confidentiality Table’ was made on 4th April 2010, one month before the actual submission on 4th May 2010 (this may be considered to be a date error), no further action was taken. F had no reason to assume that no action was taken. This turned out to be nothing but wishful thinking.
It transpired some years later that the amendment to his information was in fact a ‘Notice’ in line with paragraph 10 of the Data Protection Act 1990.
The ICO’s guidelines to its staff relating to paragraph 10 are clear about what action should be taken; the onus to recognise the text as a ‘Notice’ falls squarely on the ‘Data Controller’, RBKC in F’s case. It can be assumed that these guidelines would also apply to any other ‘Data Controller’.
Again, RBKC chose not to even acknowledge this Notice, let alone tell F, as they were obliged to do, whether they would remove the information, or to what extent, if at all, they would remove it, providing a credible reason for this.
Had F received a confirmation that the information would be removed, the matter would have been closed. If not, F would have taken further advice and ensured that his instructions were complied with.
Although it might have been prudent, F was under no obligation to ‘follow up’ on the matter. The onus was on RBKC to comply.
Therefore, RBKC is guilty not only of not replying to F’s instructions, but also of violating the Data Protection Act by not replying at all. This is an offence.