NHS employee fined for illegally checking on patient medical records

UK’s ICO issues stark reminder of backlash for privacy invasion

The Information Commissioner’s Office (ICO) in the United Kingdom has issued a stark reminder and straight-to-the-point warning for all employees who might be tempted to snoop on others’ personal data.

In his blog post, ICO’s Enforcement Group Manager and Criminal Investigations Team head Mike Shaw delineated the whole gamut of repercussions that a privacy intruder may face after accessing others’ personal data without a valid reason or without their employer’s knowledge.

Such conduct “could lead to prosecution by the Information Commissioner’s Office and a day in court”.

There is more, however.

“If found guilty, you’ll face a fine and possibly have to pay prosecution costs. The court case will likely be covered by local media and the details played out over the internet. Not only could you lose your job, but your future employment prospects could be irreparably damaged too.”

“Careers and reputations can be destroyed over nothing more than simple nosiness or personal curiosity.”

Mike Shaw

The warning was issued in the wake of the latest cautionary tale involving snooping on patient medical records by a National Health Service (NHS) employee. Marian Waddell, 61, a nursing auxiliary at the Royal Gwent Hospital in Newport, Wales, has ‘faced the music’ for unlawfully accessing the personal data of a patient, who was also her neighbor, on six occasions between July 2015 and February 2016. In addition to a fine of £232, Cwmbran Magistrates’ Court has ordered her to pay £150 costs as well as a £30 victim surcharge for acting in breach of the Data Protection Act 1998.

Writing in the aftermath of Waddell’s penalty, Shaw went on to call for harsher consequences for such offences in the UK, on top of the fines that can be meted out at present. “In the future, we would like to see custodial sentences introduced as a sentencing option for the courts in the most serious cases,” he wrote.

Waddell’s is the eighth case of a criminal prosecution that ICO has brought against NHS employees for breaching patient privacy this year.

Shaw noted how “extremely distressing” such prying into the health records of others can be for the victims. “Not only is it an invasion of their legally ensured fundamental right to privacy, it potentially jeopardises the important relationship of trust between patients and the NHS and can be damaging to the reputation of the health service as a whole,” he stated.

The ICO’s Regional Manager for Wales, David Teague, lamented the recurrence of the incidents. “It is disappointing that we continue to see people getting into serious trouble over behaviour which is so easily avoidable. Staff training, and the publicity around previous cases of this nature, means that they really should know better.”

The NHS itself has recently made it into infosec-themed headlines for issues other than reports of staff prying into the medical records of fellow citizens.
