Brian Sims
Editor
A FORMER health advisor has been found guilty of accessing the medical records of patients without a valid legal reason for doing so. Christopher O’Brien, aged 36, was working at the South Warwickshire NHS Foundation Trust when he unlawfully accessed the records of 14 patients (who were known personally to him) between June and December 2019.
O’Brien accessed the records without a valid business reason for doing so and without the knowledge of the South Warwickshire NHS Foundation Trust. One of the victims said the breach left them worried and anxious about O’Brien having access to their health records, with another victim stating that the breach had dissuaded them from making any appointments to see their doctor.
When he appeared at Coventry Magistrates’ Court on Wednesday 3 August, O’Brien pleaded guilty to unlawfully obtaining personal data in breach of Section 170 of the Data Protection Act 2018. He was ordered to pay £250 compensation to 12 patients (ie an overall total of £3,000).
The Information Commissioner’s Office (ICO) has specific responsibilities as set out in the Data Protection Act 2018, the General Data Protection Regulation, the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Privacy and Electronic Communications Regulations 2003. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
Commenting on the case, Stephen Eckersley (the ICO’s director of investigations) stated: “This case is a reminder to people that, just because your job may give you access to other people’s personal information, and notably so sensitive data such as health records, that doesn’t mean you have the legal right to look at it. Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, but it potentially jeopardises the important relationship of trust and confidence between patients and the NHS.”
Eckersley concluded: “I would urge organisations to remind their staff about their data protection and information governance responsibilities, including how to handle people’s sensitive data on a responsible basis.”