Information Commissioner’s Office says it backs prison sentences for anyone abusing their position to access personal data unlawfully.
A nursing auxiliary has been fined for accessing a patient’s medical records without a valid legal reason, prompting the Information Commissioner’s Office (ICO) to reiterate calls for prison sentences.
Cwmbran Magistrates’ Court fined 61-year-old Marian Waddell of Newport £232 after she admitted accessing a patient’s records at Newport’s Royal Gwent Hospital.
She was also ordered to pay £150 costs as well as a £30 victim surcharge for breaching section 55 of the 1988 Data Protection Act.
Waddell accessed the records of a patient, who was known to her, on six occasions between July 2015 and February 2016 without a valid business reason and without the knowledge of the data controller, the Aneurin Bevan University Health Board.
David Teague, the ICO’s regional manager for Wales, said it is disappointing that people continue to get into serious trouble over behaviour that is easily avoidable.
“Staff training, and the publicity around previous cases of this nature, means that they really should know better,” he said, adding that anyone whose work allows them to access sensitive personal data must realise that this information is out of bounds unless they have a valid and legal reason for looking at it.
Mike Shaw, enforcement group manager and head of the ICO’s criminal investigations team, warned that anyone accessing personal data without a valid reason or without their employer’s knowledge is guilty of a criminal offence and will be prosecuted by the ICO.
“If found guilty, you will face a fine and possibly have to pay prosecution costs,” he wrote in a blog post. “The court case will likely be covered by local media and the details played out over the internet. Not only could you lose your job, but your future employment prospects could be irreparably damaged too.”
According to Shaw, so far this year the ICO has secured eight convictions against NHS employees who were caught prying into the medical records of patients, friends, colleagues or other people they knew, without a valid or legal reason.
“Of course, this issue is not unique to the NHS,” he said. “In 2017, we have also prosecuted cases involving employees in local government, charities and the private sector, the latter cases often involving an element of financial gain.”
Currently, section 55 offences can be punished only with a fine, and the nine convictions this year attracted fines and costs totalling more than £8,000.
“But in the future, we would like to see custodial sentences introduced as a sentencing option for the courts in the most serious cases,” said Shaw.
The ICO has long campaigned for custodial sentences for people convicted of accessing personal data unlawfully, especially for financial gain, under former information commissioners Richard Thomas and Christopher Graham, and now under current information commissioner Elizabeth Denham.
Source: Computer Weekly