Doctors, dentists, psychoanalysts, psychotherapists and other healthcare professionals tempted to look at the medical records of members of their family or friends without a ‘business purpose’ should read with interest the latest warning issued by the Information Commissioner’s Office (ICO), namely that “NHS employees .. unlawfully accessing patient records [are committing] an offence”. The warning is equally applicable to those working in private healthcare settings and to other professionals who have access to personal data (broadly defined as being data that relates to a living individual who can be identified from it).
Maintaining patient confidentiality and complying with the Caldicott Principles is axiomatic for most healthcare professionals. Professionals will also likely appreciate the consequences from an employment or regulatory perspective (e.g. action being taken by the General Medical Council (GMC)) should they chose to transgress these ‘rules’. Few healthcare professionals will realise that it may be a criminal offence to obtain or disclose personal data (e.g. data within medical records) without the consent of the data controller. That means that having a sneaky look at the records of a friend to give them their test results early or other such behaviour could land professionals up in court facing a criminal prosecution brought by the ICO. Currently, the offences created under section 55 of the Data Protection Act 1998 may result in a financial penalty ‘only’ post-conviction. There is however an amendment waiting on the statute books to make the offence imprisonable. The ICO have brought five prosecutions in the last 18 months against individuals for accessing medical records without the appropriate consent. Criminal convictions often carry career limiting consequences and if you are in doubt about what records you are entitled to access, take advice.