Skip to main content


Gender Identity Clinic faces privacy claims following ‘bcc’ data leak

The Tavistock and Portman NHS Foundation Trust has admitted accidentally sending an email containing the email addresses of nearly 2,000 patients receiving treatment at its Fulham Palace Road Gender Identity Clinic.  The email in question, sent on 6 September 2019, concerned an art competition, but was inadvertently “cc-ed” (open copied) to recipients, rather than “bcc-ed (blind copied), identifying them to each other as patients of the clinic.

In addition to any regulatory action taken by the Information Commissioner's Office ('ICO'), the Trust faces the prospect of individual claims for compensation from the individuals affected under the GDPR/Data Protection Act 2018, for the misuse of private information and/or breach of confidence.

In a statement on its website the Trust said:-

“This incident involved an email from our Patient and Public Involvement team regarding an art project that we are looking forward to launching. Unfortunately, due to an error, the email addresses of some of those we are inviting to participate were not hidden and therefore visible to all.

We are hugely apologetic and understand that this is a serious data breach. 

We can confirm we are reporting this breach to the Information Commissioner's Office as well as treating it as a serious incident within the Trust.”

The data leak is the latest in a series of highly-publicised damaging email blunders.  The Chelsea and Westminster NHS Foundation Trust was fined £180,000 by the ICO in May 2016 after its 56 Dean Street sexual health clinic sent an email newsletter to 781 patients receiving HIV treatment, disclosing their identities to each other (see our blog piece here).  In 2017, the University of East Anglia sent an email containing highly sensitive information relating to its student's welfare to 298 students, but escaped ICO sanction (see our blog here).  In 2018, the Independent Inquiry into Child Sexual Abuse (‘IICSA’) was fined £200,000 by the ICO after accidentally disclosing the identities of 90 victims of sexual abuse who had signed up via its website (see our blog piece here).


Click here if you require more information on how Brett Wilson LLP privacy solicitors can assist you if your privacy has been breached.


Legal Disclaimer

Articles are intended as an introduction to the topic and do not constitute legal advice.