The Information Commissioner’s Office (ICO) has fined an NHS Trust employee for unlawfully accessing patients’ records. Between June and December 2019 the staff member accessed the personal health information of 14 patients whom he knew personally. He had no valid business reason for doing so and did not inform the Trust.
Under the Data Protection Act 2018, it is an offence for a person knowingly or recklessly to obtain or disclose personal data without the consent of the data controller. Because the employee accessed the records without the Trust’s knowledge or consent, his conduct fell within that offence.
It was reported that one of the victims said the breach left them worried and anxious about the employee having access to their medical record, while another said it had put them off going to their doctor. Stephen Eckersley, ICO Director of Investigations, stated that this case should serve as a reminder that while a job may give you access to other people’s information, it doesn’t give you the right to look at it. He said it can be distressing for victims and is an invasion of their privacy. He also said, “it potentially jeopardises the important relationship of trust and confidence between patients and the NHS”.
The employee pleaded guilty to unlawfully obtaining personal health information when he appeared in court. He was ordered to pay £250 in compensation to each of 12 of the patients, totalling £3,000 (about $3,532 USD).
Stephen Eckersley also urged organisations to remind their staff about their data protection and governance responsibilities, “including how to handle people’s sensitive data responsibly”.
Value Privacy can perform a comprehensive privacy health check for your business, including a review of whether your data protection policies and procedures are up to scratch. Contact us to find out how we can help make your business a secure and trustworthy organisation.