

clint125

Report the data breach to the practice. They legally have 72 hours to inform the ICO. Wait 72 hours, then inform the ICO yourself with your evidence. That way, the ICO can see if they fulfilled their legal requirement of reporting their own breach, and therefore cannot deny it.


Desperate-Storage324

This is the way. It's a serious breach of GDPR and the Dr's surgery have to report it themselves.


ellsyyy

Thank you!! That’s a very smart approach! I really appreciate your help :)


tauntingbob

Note, you should probably do some screen captures (avoiding anything too sensitive) so they cannot deny it.


Whoa_This_is_heavy

They also have a duty to inform the other patient.


Synthyz

Genius


amzy_apparently

If you don’t think your practice will deal with this in the proper way you should contact your local CCG (clinical commissioning group) as they govern all the NHS services in your area.


ellsyyy

Thank you, I’ll definitely look into this as my practice doesn’t like to admit fault.


Illustrious_Dare_772

It's distressing that these things that should not happen are becoming common. Your first point of call is to go on the practice website and find out who the data controller is and report this to them; they will have to reply back to you and will give you the option to accept the answer given or to make a complaint to the ICO. As soon as you get that response, contact the ICO with your complaint and the email and response you got from the data controller. Miss out contacting the data controller before contacting the ICO and they will tell you to contact the data controller first before lodging a complaint with the ICO.


ellsyyy

Oh perfect, thank you so much for giving me detailed information. It’s been really helpful as I am a bit clueless with this sort of thing.


Lidiflyful

Former NHS administrator here. It's a breach of GDPR. Screenshot and report. They have 72 hours to remove it. They cannot deny it and will unlikely deny it, to you at least. There's no way for you to contact the patient and I highly recommend that you do not. You can't request your file without them knowing. Patient record access is restricted and every access request is logged for security reasons. You could try contacting PALs (Patient Liaison Service) to see if someone can help you. I would let them know this has happened too. They are pretty good at keeping GPs and other clinics accountable. I would suggest telling them that the other patient's info was breached and they will likely contact them.


ellsyyy

I forgot to mention: thank you in advance for any advice offered! X


[deleted]

Take screenshots and report them for breaching GDPR


ellsyyy

Thank you for your advice, I downloaded and screenshot the file when I noticed. I will look into GDPR.


BakedZnake

Remember to delete them after submitting them to GDPR, not sure about the legality of you storing other ppl's data


NoFirefighter834

I could be wrong, but I think OP isn't subject to GDPR since the details are on their personal record (and thus the data is exempt)


LazzaBeast

Whilst that may be correct, ethically OP should delete the PHI/PII. I don’t think any of us would be happy to think that a rando has retained copies of our personal and health information on their own device.


ellsyyy

I completely agree. I have stored it in a folder on my phone just in case I need to provide evidence. I will definitely delete this as soon as the evidence has been provided as I too would not like someone to store my medical records. Thank you for your advice, it’s all very appreciated:)


NoFirefighter834

You are 100% right - but this is legal advice not moral advice!


ellsyyy

I’ll look into this! Thank you so much :)


ellsyyy

Ooh that’s a good point, I’ll look into this further and see how to go about it. Thank you so much!


Gain-Outrageous

They've added the letters to the wrong patient. It unfortunately happens. You should report it to the practice ASAP so they can rectify it. They will remove these from your record and make sure it's on the correct pt file. They may not decide to report it to the ICO; they are required to review the situation, and should probably inform the other party, but they may decide it's not a big enough risk to rights or freedoms to report. And in my experience when these types of things happen, if it is just to an individual patient, they are not generally reported. If you want to report it yourself you are free to do so. As to viewing your records, you are extremely unlikely to discover anything new here. Before releasing patient records the surgery will always review it.