What happened to Kate’s private medical records and what happens next?

A probe is underway into whether the Princess of Wales’s confidential medical notes were the subject of an attempted royal data breach.

Kate has had a difficult start to 2024, with abdominal surgery, the escalating conspiracies on social media about her health and whereabouts and the controversy over her digital editing of a Mother’s Day family photo.

Here is a look at the latest challenge facing the princess.

The Princess of Wales surgery
The Princess of Wales was seen out in public at the weekend following wild conspiracy theories on social media about her whereabouts following abdominal surgery (Jonathan Brady/PA)

– What happened to Kate’s medical records?

Unauthorised staff at the London Clinic, where Kate had abdominal surgery in January, allegedly tried to access the princess’s confidential medical records, according to the Daily Mirror.

The newspaper reported at least one worker attempted to look at the private notes.

London Clinic’s chief executive, Al Russell said “all appropriate investigatory, regulatory and disciplinary steps will be taken”.

Princess of Wales surgery
The London Clinic was also where the King was treated for his prostate enlargement (Lucy North/PA)

The King also had treatment at the private hospital for an enlarged prostate the same month.

– What has Kate said in response?

Nothing so far. Kensington Palace has declined to comment, other than saying: “This is a matter for The London Clinic.”

– What does the law say and can anyone access my medical records?

No. Under the Data Protection Act 2018, it is an offence for a person to obtain, disclose or retain personal data without the consent of the data controller.

– Who is looking into the allegations?

The UK’s privacy and data watchdog, the Information Commissioner’s Office (ICO).

Royal year 2023
Kate with royal family on the Palace balcony in June 2023 (Yui Mok/PA)

The ICO said: “We can confirm that we have received a breach report and are assessing the information provided.”

– What does the ICO do?

The ICO is an independent body set up to uphold information rights.

Last year, it dealt with almost 40,000 complaints about data protection, and more than 300,000 calls through its helpline.

An organisation must report misuse of personal data to the ICO if there is a risk to people’s rights and freedoms, which is often the case with sensitive medical information.

This must happen within 72 hours of becoming aware of the breach.

Royals attends Christmas Day Church service
Kate last made a public appearance on Christmas Day (Joe Giddens/PA)

– What powers does the ICO have?

It can carry out criminal investigations and prosecute individuals where it believes an offence may have been committed, and fine the person responsible in court.

Usually, an assessment of the breach report will be carried out by its Criminal Investigation Team, who will decide whether to proceed in accordance with the Regulatory Action Policy.

This decision includes looking at whether there is sufficient evidence to support a prosecution and whether it is in the public interest to do so.

– Can the princess also take action?

Yes. Kate also has the option of bringing a private prosecution with a civil action and also potentially claiming compensation.

Queen Elizabeth II funeral
The Princess of Wales following the State Gun Carriage carrying the coffin of Queen Elizabeth II in September 2022 (Mike Egerton/PA)

Kensington Palace declined to comment on whether this was likely.

– Is the Metropolitan Police investigating?

Health minister Maria Caulfield said police have “been asked to look at” the allegations, but a Metropolitan Police spokesman said he was not aware of any referral to the force.

The police have powers to investigate and they do bring prosecutions under the Data Protection Act, but normally when other offences are prosecuted at the same time such as fraud or money laundering.

– What sort of prosecutions has the ICO carried out in the past?

In 2023, the ICO prosecuted medical secretary Loretta Alborghetti who worked in the ophthalmology department at Worcestershire Acute Hospitals NHS Trust.

She accessed more than 150 people’s records including family and people who lived near her in Redditch, Worcestershire.

She pleaded guilty to unlawfully obtaining personal data in breach of Section 170 of the Data Protection Act 2018 and was ordered to pay a total of £648.

World Mental Health Day 2023
William and Kate on a joint engagement at a SportsAid mental fitness workshop in October (Aaron Chown/PA)

– Will Kate’s public role have an impact on the investigation?

Will Richmond-Coggan, data and privacy litigation partner at Freeths law firm, said Kate’s heightened profile will be a factor in any potential sanction.

“While any patient is entitled to the privacy of their medical records, the fact that a patient is in the public eye should be reflected in a heightened level of security and safeguards for their information,” he said.

“It will also be a factor in any sanction for a breach of such records.”