The Information Commissioner’s Office (ICO) has been clear in reminding NHS staff about the potentially serious consequences of accessing patient records without valid reason.
Patient confidentiality is central to everyday work for healthcare professionals. Whilst many will be aware of the consequences of breaching patient confidentiality, few professionals are aware of the potential criminal offence committed in obtaining or disclosing personal data without the consent of the trust.
Data contained within medical records constitutes personal data and accessing such information without valid reason can constitute not only a breach of patient confidentiality, but also a breach of the Data Protection Act (DPA) 1998.
In August a former healthcare assistant was ordered to pay nearly £2,000 in fines and costs after pleading guilty to offences of unlawfully obtaining and unlawfully disclosing personal data. It was established that in her role as a healthcare assistant she had accessed the health records of 29 people, including family members and colleagues, and had subsequently shared some of that information. The fines covered not only the offence of obtaining personal data, but also the offence of the onward disclosure of that personal data.
In that case the ICO made it clear that patients are entitled to have their privacy protected. Professionals who work on a daily basis with such sensitive data cannot abuse their position to enable them to access, or share, personal data as they wish.
Indeed, following this particular case the head of enforcement at the ICO warned, ‘once again we see an NHS employee getting themselves into serious trouble by letting their personal curiosity get the better of them’.
In a very recent case a former NHS data co-ordinator was prosecuted for accessing sensitive medical records of colleagues and individuals that she knew from her local area, without the consent of the data controller. She pleaded guilty to the offence and was fined. Again she was ordered to pay the prosecution costs and a victim surcharge.
It is important to bear in mind that the ICO has for some time now sought the introduction of custodial sentences for breaches of Section 55 DPA 1998. The ICO’s warning was directed at NHS employees, but will apply also to those working in a private healthcare setting and indeed to other professionals who have access to personal data. If in doubt about what information you are permitted to access then always take advice.
The ICO has made it clear that whilst it might be tempting to access the personal data of a friend or family member, the consequences of doing so can be severe. Put simply, do not let curiosity get the better of you.