In November 2017, The Daily Post reported that hundreds of North Wales health workers had been ‘caught snooping’ on their own medical records and those of family members.
The report goes on to detail the results of a Freedom of Information request made to Betsi Cadwaladr University Health Board. This revealed that staff members had accessed medical records of family members on 211 occasions between April 2016 and June 2017.
Monitoring for unauthorised access
Through the National Intelligent Integrated Audit Solution (NIIAS), NHS Wales actively monitors for a variety of types of unauthorised access to electronic health records, including if a staff member accesses their own record, the record of a family member, colleague or of a person living at the same address or neighbouring area. NHS Trusts are expected to log access to medical records and to audit such access, at least periodically.
Prosecutions of staff
Successful prosecutions for unlawfully obtaining personal data have been brought against NHS staff, members of the probation service and the police force. However, the Daily Post report is striking because of the scale of unauthorised access which appears to have occurred.
The offences set out in the Data Protection Act 1998 are punishable by the imposition of a fine. They are not recordable offences. The position is likely to change when that act is replaced in the coming months. If enacted in its current form, the Data Protection Bill would make such offences recordable offences which would be included on the Police National Computer (PNC). They will continue to be punishable by fine.
The practical consequences go beyond the imposition of a fine. Media reports of successful prosecutions demonstrate that in many cases, the conduct which led to prosecution has resulted in the loss of employment. For registered healthcare professionals it may also lead to regulatory sanctions.
Take home points
Healthcare workers should be aware of the possibility of criminal prosecution for unlawfully accessing patient records. When conducting or reviewing their data security arrangements, healthcare providers should look at access controls which mitigate the risk of unauthorised accessed of records by employees.