A CITY medical practice did breach its data protection obligation after posting personal information about a former patient online, NHS England has ruled following a second review.

The medical authority initially found Severn Valley Medical Practice had not committed a breach when posting information relating to Andrew Brown on WhatDoTheyKnow.com (WDTK) as part of a Freedom of Information response.

However, it has now concluded, in light of further details from the Information Commissioner’s Office (ICO), there was a breach and has apologised.

In a letter to Mr Brown on January 19, Professor Kiran Patel, medical director NHS England, said: “We would like to offer our sincere apologies to you and to confirm that NHS England will conduct an internal investigation into the process undertaken to ensure that a similar situation does not reoccur.”

The director said previous information provided, including that of the data protection officer (DPO) of the practice “suggested that this was not a data breach.”

“We were also informed by the practice that this was the advice of the ICO,” he added.

We reported last year how the practice’s DPO, Paul Couldrey, had been warned by the Solicitors Regulation Authority (SRA) to stop claiming to be a qualified solicitor or he could face two years in prison.

In a number of circumstances, Mr Couldrey had described himself as such, including in emails and third party marketing material.

We can now reveal, Mr Couldrey also claimed in a document advertising a general data protection regulation workshop in May last year, that he had studied a Master of Law postgraduate qualification at Canterbury Christ Church College.

However, Robert Melville, assistant secretary at what is now Canterbury Christ Church University, confirmed the institution has never, in any of its forms, offered that course.

In a redacted 2018 CV, Mr Couldrey also claimed to have worked for a Meena & Co as a trainee solicitor, however, the SRA said it has no record of the company.

SW Healthcare, which recommended Mr Couldrey as DPO to Severn Valley and other county practices, has said being a solicitor is not a required qualification for the role.

The ICO itself confirmed in a letter to Mr Brown in October that the practice had “not complied with their data protection obligations.”

Lead case officer Catherine Hey also said the personal data was “inappropriately disclosed” and despite being quickly removed, was still a breach, with the ICO going on to order measures were put in place to prevent a repeat occurrence.

For more on this story see:

Medical practice officer given prison warning over fake solicitor claims

Severn Valley Medical Practice that hired fake solicitor ruled to have breached data protection