A former NHS healthcare worker, Mr Christopher O’Brien, has been successfully prosecuted at the Coventry Magistrates Court after accessing medical records of 14 patients at the South Warwickshire NHS Foundation Trust between June and December 2019.
Mr O’Brien knew the patients personally and accessed their health records without a valid business reason. He also did so without the Trust’s authority or knowledge, which is a breach of section 170(1) of the Data Protection Act 2018, under which it is an offence for a person to obtain personal data without the consent of the data controller.
The ICO does not have the power to award compensation to data subjects. However, the ICO has criminal enforcement powers and can elect to make an application to the Court so that victims can obtain compensation. This is what happened in this case where the ICO applied for a compensation order pursuant to Section 133 of the Sentencing Act 2020, which requires an offender to “pay compensation for any personal injury, loss or damage” resulting from the committed offence.
Mr O’Brien is now required to pay £3,000 (£250 to each of 12 data subjects) under a criminal compensation order. Whilst the Court’s rationale for the amount is not clear, the Court must, amongst other factors, take into account an offender’s means. Further, it appears that the Court recognised the seriousness of Mr O’Brien’s behaviour, which not only invaded the patients’ privacy but also deterred one patient from seeing the Doctor in future. The ICO recognised the gravity of Mr O’Brien’s actions by commenting that his behaviour “potentially jeopardizes the important relationship of trust and confidence between patients and the NHS”.
The Trust has apologised to the victims involved and also said:
"Our organisation has stringent information governance (IG) procedures in place to ensure that, as a Trust, we thoroughly investigate any reported confidentiality concerns or potential data breaches. Messages around IG processes are regularly shared via internal Trust communication, and IG training is mandatory for all staff. Our procedures were followed at all times during this case; this included running audits, notifying all patients affected, reporting the incident to the Information Commissioner's Office and working very closely with the ICO to assist with their investigation. We can confirm this member of staff no longer works for the Trust."
This case is an important reminder to employers of the need to be vigilant about how their staff handle sensitive information. It is also a warning to staff of their data protection responsibilities, including the need to handle sensitive data appropriately. In particular, the fact that employees have access to sensitive and personal information does not necessarily mean that they have a legal right to view it. There are significant consequences if an employee knowingly infringes data protection law, including termination of employment and being reported by the employer to the ICO. Further, as this case demonstrates, the ICO is willing to exercise its power to prosecute individuals for criminal offences committed under data protection legislation, particularly where sensitive personal data is involved.