Case Studies Data Breach Notification


Transfer of hard copy paper documents while moving premises

A medical General Practitioner (‘GP’) who operated his practice from his own home was moving work premises. The GP stated that 4000 patients had attended the practice over time and that the practice operated both digital storage and paper files. The GP engaged a local delivery van to transport the paper medical files connected with the practice. The medical files were put into boxes and placed in the private delivery van. 

The breach was discovered during a system audit which followed the move. A box containing medical files, which had been transported, was missing. The van driver confirmed that he had deposited all the boxes in the reception area of the new premises. The GP reported the loss of the box of files to the local Garda Station. It was established that the box, which contained over 2000 medical files, could not be located and the GP confirmed that there was no backup of these records. The missing files related to medical diaries and timesheets, vaccination records and clinical records pertaining to the assessment and treatment of private patients. 

The DPC engaged with the GP and established that the GP did not intend to notify affected individuals. The GP advised that he was liaising with the HSE on the matter and that the practice had aligned its practices with the HSE policy on record keeping (HSE Standards and Recommended Practices for Healthcare Records Management, QPSD-D-006-3 V3). The GP initially stated that the risk was low as the missing data was not incomplete. 

Following further engagement, the DPC drew the GP’s attention to the obligation under Article 34 GDPR to notify the affected individuals without undue delay. The GP then confirmed that he had sent a notification to every affected patient, or to the parent or guardian of each affected minor patient, by either email or postal letter. 

The personal data in question encompassed both personal data within the meaning of Article 4 GDPR and special category data under Article 9 GDPR. The personal data included names, addresses, dates of birth, PPSNs and vaccination details. 

The GP engaged with the HSE on the management of medical records. New measures have since been introduced by the GP to digitise the remaining medical records held. 

In line with the obligations set out under Article 5(1)(f) GDPR and Article 32 GDPR to implement technical and organisational measures appropriate to the risk, practical steps such as having an individual in attendance to receive any medical records being transported have also been introduced. 

It was noted that the GP had operated from his home for over 20 years and, while he used secure filing cabinets, appropriate measures were not taken when transporting the files. 

The DPC engaged with the GP and issued recommendations regarding the GP’s obligations as a controller under Article 24 GDPR and directed him towards the guidance provided on the DPC website. The DPC further referred the GP to the data protection guidance published by the Irish College of General Practitioners (ICGP). 

Key Takeaway

  • A key takeaway is that when transferring any hard copies containing personal data, such as when moving premises, an organisation (or an individual where they are the controller) must take into account all the potential risks and ensure there are appropriate technical and organisational measures in place to prevent or mitigate those risks.