The Information Commissioner’s Office (ICO) has secured a conviction against a surgery manager after unlawfully accessing the medical records of approximately 1,940 patients registered with College Practice GP surgery in Maidstone.

Steven Tennison was found guilty of serious patient data breaches (section 55 of the Data Protection Act 1998) on 3 December at Maidstone Magistrates Court. The punishment was merely fines of £996, a £99 victim surcharge and £250 prosecution costs.

The offences were uncovered in October 2010 when the Practice Manager was asked to review Tennison’s attendance file. The review included a check of Tennison’s use of the patient records program, which showed that between 6 August 2009 and 6 October 2010 he had accessed patients’ records on 2023 occasions.

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of ‘fine only’ - up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, for those found unlawfully accessing or disclosing personal information to be available to the courts.