The privacy watchdog is investigating whether the London Clinic delayed notifying it about claims staff attempted to access the Princess of Wales’s private medical records, the Guardian has learned.
Official guidance from the Information Commissioner’s Office (ICO) is that personal data breaches must be reported within 72 hours from the time of discovery if a risk is posed to an individual’s rights and freedoms.
The hospital is at the centre of claims at least one member of staff attempted to view Catherine’s medical records while she was a patient there for 13 nights in January. However, it is understood the ICO had not received an incident report more than a week after she was discharged on 29 January.
The ICO said it had now received a breach report and was “assessing the information provided”. A source said “timeliness of reporting” was part of its “ongoing” investigation into the London Clinic.
Staff at the hospital could face enforcement action, including fines and prosecutions, if they are found to have accessed the princess’s medical records, health minister Maria Caulfield said on Wednesday.
She said it was “pretty severe and serious stuff to be accessing notes that you don’t have permission to”. Police had also “been asked to look at” whether staff attempted to access Catherine’s private medical records, Caulfield added.
Under the Data Protection Act 2018, it is an offence to obtain, disclose or retain personal data without the consent of the data controller. The ICO can carry out criminal investigations and prosecute individuals where it believes an offence may have been committed.
Assessments of breach reports are typically carried out by its criminal investigation team, who will decide how or whether to proceed. This decision will include looking at whether there is sufficient evidence to support a prosecution and whether it is in the public interest to do so.
The London Clinic did not respond to a series of questions from the Guardian about the timeline of its reporting of the alleged breach to the ICO.
In a statement, it said “all appropriate investigatory, regulatory and disciplinary steps will be taken”.
The hospital’s chief executive, Al Russell, said: “Everyone at the London Clinic is acutely aware of our individual, professional, ethical and legal duties with regards to patient confidentiality. We take enormous pride in the outstanding care and discretion we aim to deliver for all our patients that put their trust in us every day.
“We have systems in place to monitor management of patient information and, in the case of any breach, all appropriate investigatory, regulatory and disciplinary steps will be taken. There is no place at our hospital for those who intentionally breach the trust of any of our patients or colleagues.”
Downing Street urged people to “get behind the Princess of Wales”, adding that there were “strict rules on patient data that must be followed”.
Catherine was admitted to the private hospital for abdominal surgery on 16 January.
Details of her condition have not been disclosed but Kensington Palace previously said it was not cancer-related and that the princess wished for her personal medical information to remain private.
The Mirror first reported that an investigation was launched at the hospital after at least one member of staff tried to access the princess’s notes while she was a patient there.
The allegations are the latest blow to hit Catherine, whose absence from public life over the past two months has led to wild conspiracy theories on social media about her whereabouts and health. The digitally altered Mother’s Day photograph of the princess and her children, which she admitted editing, compounded the problem.
Footage emerged of the princess out shopping with the Prince of Wales at the weekend at the Windsor Farm Shop close to their Adelaide Cottage home. The royal couple also spent Sunday morning watching Prince George, Princess Charlotte and Prince Louis taking part in a sporting event, according to the Sun.
Asked about the alleged breach, the prime minister’s official spokesperson said: “Clearly there are strict rules on patient data that must be followed.”
Caulfield said there could be “hefty implications” for accessing the notes without permission, including prosecution or fines. She said her understanding was that police had been contacted, although a Metropolitan police spokesperson said they were not aware of any referral to the force.
Kensington Palace said: “This is a matter for The London Clinic.”
The UK’s regulators of health workers said they would act if appropriate.
The Health and Care Professions Council, which regulates health staff from 15 different professions including radiographers, physiotherapists and paramedics, said: “We cannot confirm whether or not a registrant is being investigated or a complaint has been made.
“The HCPC has a duty of confidentiality to both complainants and our registrants.”
The General Medical Council, which regulates doctors, said: “We will take appropriate action where those concerns pose a risk to patients or public confidence in the profession.”
The Nursing and Midwifery Council said its code was clear that all nurses, midwives and nursing associates “must respect people’s right to privacy and confidentiality”.