John W Nolan attached the list, containing the names of 4,000
AIDS patients and 2,500 others who are HIV positive, to a monthly
statistics report sent to hundreds of health workers. He realised
his mistake almost immediately and contacted the Department's IT
support.

Only 10 workers were found to have actually opened the e-mail, a
spokesman for the Department has said, and they have been warned
not to breach their confidentiality agreements. All copies of the
e-mail have now been removed from the network.

Investigations into the incident are continuing. According to
the Health Department's spokesman, Nolan may face disciplinary
action but not prosecution.

Shelagh Gaskill, a data protection expert with Pinsent Masons,
the law firm behind OUT-LAW.COM, explained how the issue might be
resolved if it occurred in the UK.

"In this country, the employer would be the data controller and
would in theory be liable in damages to each of the people on the
list for unlawful disclosure under the Data Protection Act and
breach of confidence," said Gaskill. "The damages would be limited
by the fact that only 10 people opened the e-mail and so long as
each of them was subject to a duty of confidentiality as a health
worker then the damages would be likely to be limited."