In a statement to OT, the GOC explained: “Our register is publicly available to search on our website. Because this information is publicly available, we allowed people to buy electronic copies of this information. Earlier this year, instead of sending out the data with practice information, we incorrectly shared the contact addresses of fully-qualified registrants with three organisations working within the optical sector. This data contained the home addresses of some registrants, if they had selected their home as their main contact address.”
In the statement, the regulator told OT: “We will be contacting all fully-qualified registrants (students and businesses were not affected) today to alert them and apologise for this mistake. We have requested that the organisations destroy the data that we shared so registrants do not need to take any further action.”
Apologising for the mistake, chief executive of the GOC, Samantha Peters, said: “We would like to reassure [registrants] that the data did not include any other sensitive data such as telephone numbers, email addresses, dates of birth, bank or credit card details, fitness to practise information, health information or demographic data about ethnicity, religion, sexual preference or other protected characteristics. The only piece of data that was sent in error was home addresses of registrants who previously selected this as their main contact address. The register on our website was not affected in any way.”
Ms Peters added: “We recognise that this error should not have happened. We are taking action to review our data security procedures and have put in place new internal checks to ensure that we do not make a mistake like this again. We have also ceased our facility for people to buy electronic copies of the register.”
In a later statement to OT, the GOC confirmed that, of the three organisations which received the personal data, two, an education provider and a marketing company, used the data to contact registrants by post, but only once and twice respectively. A High Street multiple also received the data but did not use it at all. All recipients have since deleted the data and confirm that it was not passed on to any third party.
In response to requests regarding the identity of the recipient organisations, the GOC stated: “We are currently considering these requests following principles of the Freedom of Information Act.”
OT understands that the GOC has reported the incident to the Information Commissioner’s Office (ICO), the UK’s independent authority for upholding data rights, and to the Professional Standards Authority (PSA) which oversees the GOC as a regulator.
Regarding queries as to why the regulator shares data with external organisations, the GOC commented: “Because our register is publicly available, we have a legal responsibility to provide this in an accessible format on request. Due to the administration involved in processing these requests, we have previously charged external organisations to supply the data in this manner. We are reviewing our approach to sharing registrants’ data and in the meantime will not be charging for the supply of data.”
Responding to the announcement, the AOP’s chief executive, Henrietta Alderman, told OT: “We were concerned to hear about the GOC’s recent data error which will have impacted on some of our members. It appears that the GOC has acted swiftly to rectify the issue and to make sure it does not happen again. However, we will be making further enquiries with the GOC. If any AOP members are worried about the possible implications of the data error, we would encourage them to email the AOP’s legal team on firstname.lastname@example.org or contact the GOC.”