The Information Commissioner’s Office issued a formal caution after a former London healthcare professional misused Catherine, Princess of Wales’s private medical records and offered to disclose them for financial gain. The case ended with a caution under section 170 of the Data Protection Act 2018, not a hospital enforcement action.
ICO and London Clinic
Ian Hulme, the ICO’s executive director for regulatory supervision, said: “People should be able to trust that the personal information they’re giving to healthcare settings is safe and protected from exploitation.”
He also said: “When this trust is broken, it’s right that the law allows us to take action.” The ICO said it would not hesitate to pursue criminal prosecution where it is necessary and proportionate to do so.
March 2024 breach report
The London Clinic reported a breach in March 2024, and the ICO launched a criminal investigation into the unlawful obtaining and disclosure of medical information to a third party without the consent of the data controller. At the time of the breach report, at least one member of staff tried to access Catherine’s notes while she was a patient at the private hospital.
The Princess of Wales spent almost two weeks at the London Clinic in January 2024 after planned abdominal surgery, and cancer was discovered in postoperative tests the following month. The records involved belonged to a royal patient, but the ICO said the conduct was judged through the data protection framework, not through the status of the patient.
No hospital breach finding
The ICO said a caution was the appropriate and proportionate enforcement response. It also said it did not identify any failings by the hospital that met the threshold for regulatory enforcement, and a London Clinic spokesperson said: “There were no regulatory breaches by the hospital.”
The spokesperson also said: “We are pleased our work with the ICO has brought this sad and isolated incident to a conclusion.” For patients, the practical point is narrower than the headline: the case shows that misuse of medical records can lead to a formal caution even when regulators do not move against the hospital itself.





