Outcomes - Selected Case Summaries



Pharmacy gives prescription medicine to the wrong patient

Informal Resolution | 14 April 2021

A pharmacy provided one patient (“X”) with another’s (“Y”) medication which included Y’s name and other personal data. Patient X reported the issue to the pharmacy and to patient Y. The pharmacy seemed unaware of its obligations under the DPA and Y insisted that the incident be reported to us. After some delays, proper notification took place.

We found that the breach carried a risk of harassment or embarrassment but it was quickly contained. The Ombudsman recommended that the data controller develop a privacy notice and an internal data protection policy especially in the areas of data breach reporting, subject access requests and compliance with the data protection principles, and provide staff with training, to ensure compliance with the DPA.