Employee illegally accesses medical records: what can we learn?
The Information Commissioner’s Office (“ICO”), the UK supervisory authority, has fined a former NHS secretary for illegally accessing medical records pertaining to 156 patients.
Rhiannon Hastings, data protection paralegal in our commercial team, summarises the case and advises how businesses can ensure their personal data remains secure.
The case
In June 2019, a patient of Worcestershire Acute Hospitals NHS Trust raised a complaint with the ICO after concerns their medical records were accessed by an employee who didn’t have the authority to access such information.
The ICO investigated the complaint and concluded the employee had accessed the patient’s, and 155 other patients’, medical records without obtaining consent from the patient, or having a business need to access it.
As part of the investigation, the ICO concluded the employee only had authority to access medical files within her own department (Ophthalmology), but the medical records pertaining to the 156 patients were held by another department.
This resulted in a £648 fine payable by the employee.
How can organisations ensure the personal data they collect is kept secure?
Organisations are required to protect personal data from unauthorised processing, including by their own staff. This is in line with an organisation’s obligation to ensure integrity and confidentiality (Article 5(f) UK GDPR).
One way of doing this is by providing appropriate data protection training to staff who handle personal data. For example:
- Reminding staff of their data protection responsibilities to support the organisation’s compliance with data protection legislation;
- Explaining what information (and personal data) they don’t have access to;
- Explaining what to do in the event the staff member receives personal data they shouldn’t have access to; and
- Setting out the process in managing a personal data breach.
Another useful measure is password-protecting, or restricting access to, particular documents and folders so that only staff members with a business need to know their contents (and the personal data within them) can open them.
Confidentiality clauses are also useful to include in employment contracts, providing organisations with a declaration from the staff member confirming they won’t misuse confidential business data or share it with unauthorised persons.
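The access restriction described above is, in practice, a need-to-know check at the point a record is opened, paired with an audit trail so that out-of-scope attempts can be reviewed. The following is an added illustration, not code from the post, the ICO or the NHS Trust: each record belongs to a holding department, a staff member is authorised for a fixed set of departments, every attempt is logged with a stated business reason, and a review helper summarises denied attempts per user. All names, departments and record identifiers are constructed for the example.

```python
"""Department-scoped record access with an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Record:
    record_id: str
    department: str   # the department that holds this record
    content: str


@dataclass(frozen=True)
class StaffMember:
    user_id: str
    departments: frozenset  # departments whose records this person may open


class AccessDenied(PermissionError):
    """Raised when a record lies outside the caller's authorised departments."""


class RecordStore:
    def __init__(self, records):
        self._records = {r.record_id: r for r in records}
        self.audit_log = []   # one entry per attempt, allowed or denied

    def open_record(self, user: StaffMember, record_id: str, reason: str) -> Record:
        """Return the record only if the user is authorised for its department.

        A non-empty business reason is required so the audit trail shows why
        the record was opened, not just who opened it.
        """
        if not reason.strip():
            raise ValueError("a business reason for the access is required")
        record = self._records.get(record_id)
        if record is None:
            raise KeyError(f"unknown record {record_id}")
        allowed = record.department in user.departments
        # Log before deciding, so denied attempts are never lost.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id,
            "record": record_id,
            "department": record.department,
            "reason": reason,
            "outcome": "allowed" if allowed else "denied",
        })
        if not allowed:
            raise AccessDenied(
                f"{user.user_id} is not authorised for {record.department} records"
            )
        return record


def denied_attempts_by_user(audit_log):
    """Summarise denied attempts per user, the input to a periodic access review."""
    counts = {}
    for entry in audit_log:
        if entry["outcome"] == "denied":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


# Constructed sample data: two departments, one secretary scoped to Ophthalmology.
SAMPLE_RECORDS = [
    Record("P-0001", "Ophthalmology", "cataract follow-up"),
    Record("P-0002", "Cardiology", "ECG result"),
    Record("P-0003", "Cardiology", "angiogram report"),
]
SECRETARY = StaffMember("secretary01", frozenset({"Ophthalmology"}))


def demo():
    """Run the scenario and return (record ids opened, denied counts per user)."""
    store = RecordStore(SAMPLE_RECORDS)
    opened = []
    for rid in ("P-0001", "P-0002", "P-0003"):
        try:
            opened.append(store.open_record(SECRETARY, rid, "clinic letter").record_id)
        except AccessDenied:
            pass
    return opened, denied_attempts_by_user(store.audit_log)


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed inside the store rather than left to the caller, so that every route to a record passes through the same department test and the same log; the review helper is what an organisation would run, for example weekly, to spot a staff member repeatedly reaching outside their own department.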
To find out more concerning this fine, please take a look at the ICO website.
For more information on this and other data protection matters, please contact Rhiannon using: [email protected].
Potentially, yes: should a data breach arise from an employee’s failure to follow the policies and procedures an employer has put in place (such as a data protection policy), this may form the grounds for disciplinary action. Repeated breaches, or a significant breach capable of constituting gross misconduct, could lead to the employee’s dismissal following a fair disciplinary process. However, without a policy in place which sets out these potential repercussions, an employer is likely to struggle to fairly discipline or dismiss an employee for a data breach.
As the likely data controller, employers are subject to strict and stringent requirements from the ICO, and risk facing harsh penalties should those requirements not be met. Although the ICO may pursue employees directly for breaching data protection legislation, an employer will be vicariously liable for the actions of their employee where the employee is acting “in the course of their employment” or to further the employer’s business.
Both employers and employees may face prosecution from the ICO for unlawful processing (including data breaches) which could result in monetary penalties.