NHS workers are again being reminded and warned that looking at confidential medical records without a valid business reason for doing so is an offence and can incur serious consequences for both themselves and the health service. The latest warning was issued after an NHS administrator was fined for repeatedly accessing patient records without a valid reason. It follows a previous reminder that was issued in August for the same issue.
The incident occurred at Kent and Medway NHS and Social Care Partnership Trust. An investigation revealed that the defendant “had accessed the health records of a single patient 279 times over a three-week period in October and November 2015, viewing the files up to 50 times in a day.” It has also been revealed that the patient was known to the perpetrator, but this did not give her the right to access the records without her employer’s permission.
The defendant was prosecuted for “unlawfully accessing personal data in breach of s55 of the Data Protection Act 1998” and was fined accordingly.
Mike Shaw, Criminal Enforcement Group Manager of the Information Commissioner’s Office (ICO), said:
“Employees, who in many cases are very experienced and capable, are getting into serious trouble and often losing their jobs, usually over little more than personal curiosity.
The laws on data protection are there for a reason and people have the right to know their highly sensitive personal information will be treated with appropriate privacy and respect. The ICO will continue to take action against those who abuse their position and potentially jeopardise the important relationship of trust between patients and the NHS.”
This is the second reminder in as many months, and it is not the first time that a healthcare employee has been prosecuted for such an offence. The matter needs to be taken seriously, and action needs to be taken to inform staff of the risks they face by satisfying their curiosity.
Increase awareness to reduce data breaches
Rolling out a comprehensive staff awareness programme will give employees a clear understanding of their compliance requirements, your organisation’s security policies and procedures, and best practices, ensuring that your staff take security and compliance as seriously as you do.
The EU General Data Protection Regulation (GDPR) will soon be replacing the Data Protection Act (DPA), so it is essential to train all staff members to make sure they understand the changes brought by the Regulation.
The GDPR Staff Awareness E-learning Course is a quick, affordable and effective means of delivering training to multiple learners and is suitable for all employees whose job involves processing and storing personal data.
Our Information Security Staff Awareness E-Learning Course explains how to avoid becoming a security liability, introduces employees to internal policies on incident reporting and response, and provides basic knowledge of information security best practices to reduce preventable mistakes.