Complaints Edinburgh council and NHS Lothian breached new data laws
RESIDENTS are claiming Edinburgh city council bosses are breaching their data rights at the rate of more than one-a-month, the Evening News can reveal.
Figures obtained from the Information Commissioner’s Office show there were 14 complaints against the authority in the last year.
The numbers are the first since General Data Protection Regulation laws were introduced on data protection and privacy for all individuals.
A council spokeswoman said: “As one of the largest local authorities in Scotland, we process a lot of personal data in order to deliver public services and fulfil our legal duties.
“We take our responsibilities under data protection very seriously and have policies, procedures, and training in place to ensure that any concerns reported to us are investigated fully and responded to appropriately.”
Half the complaints about the council were allegations it failed to handover personal information it held on individuals when asked.
Six of these led to concerns raised with or action required by the council’s relevant data controller - one resulted in no action.
Four more complaints related to concerns the council had disclosed personal data to a third party - three led to concern or action required.
A further complaint was made by someone believing the council to have unlawfully processed their personal data without their valid consent - leading to action required.
Health bosses were the subject of six complaints from patients during the same period, from July last year to last month.
They included two complaints relating to concerns NHS Lothian had disclosed personal data to a third party - one leading to compliance advice given and the other to concerns raised.
A further two related to allegations the body failed to handover personal information it held on individuals when asked.
One of these led ICO investigators needing a response from NHS Lothian’s relevant data controller while the other resulted in no action.
A further complaint was made by someone concerned their right not to be subject to automated decision making had been ignored, though no action was required.
Professor Alison McCallum, NHS Lothian’s Director of Public Health, Health Policy and Caldicott Guardian said: “NHS Lothian takes data protection very seriously.
“All staff are trained and aware they have a legal and contractual duty to keep personal data secure and confidential.
“If there was a suspected data breach, NHS Lothian would always undertake an investigation into what has happened and if required ensure measures are taken to correct actions or procedures.”
There were also three complaints against George Watson’s College during the year - two for an alleged failure to handover personal information it held on individuals when asked.
One of these led to compliance advice given and the other to investigators requesting a response from the relevant data controller.
The third complaint about the Merchiston independent school claimed unlawful processing of personal data without valid consent - leading to compliance advice given.
There was one complaint made against Hibs during the year over the handling of a request made to a data controller, resulting in action required.