UK Information Commission issues reminder that accessing patient’s information unlawfully is an offence


By McDowell Purcell

A warning issued by the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), reminds NHS staff of the potentially serious consequences of prying into patients’ medical records without a valid reason.

This warning was issued after an NHS employee unlawfully accessed patient records. A former NHS Midwifery Assistant pleaded guilty to two offences of unlawfully obtaining and unlawfully disclosing personal data under section 55 of the Data Protection Act 1998. This is the most recent of five ICO prosecutions highlighted that involved staff illegally accessing health records.

A local investigation was prompted following a patient complaint, which established that the Midwifery Assistant had accessed the records of 29 people, including family members, colleagues and others, over a two-year period using the electronic patient record system in her workplace.

These actions, which were not only a breach of patient confidentiality but also a breach of the Data Protection Act 1998, resulted in a fine of £1,715.

The Head of Enforcement at the ICO, Steve Eckersley, commented on the nature of the offence and noted that this is not the first instance of an NHS employee getting into difficulty by allowing personal curiosity to take over. There have been a number of similar ICO prosecutions involving NHS employees. This case acts as a reminder that patients are entitled to have their privacy protected, and that those who work with personal data need to understand that they cannot access that data, or share it with others, without a valid reason.

This warning highlights that all personal information contained within a medical record is classified as “sensitive personal data” under the Data Protection Act 1998, which means that all data controllers, their employees and their representatives must take particular care to safeguard this data. There is a similar provision in the Irish Data Protection Act 1988 (as amended by the Data Protection Act 2003).

Sensitive personal data is defined in the Irish Data Protection Acts as, inter alia, any personal data as to the physical or mental health or condition, or the sexual life, of the data subject. The Irish data protection scheme requires additional conditions to be met before the processing of such data is legitimate. Usually this will be the explicit consent of the person to whom the data relates.

In Ireland, the Office of the Data Protection Commissioner is responsible for upholding the privacy rights of individuals in relation to the processing of their personal data. While this warning is not applicable in Ireland, it is interesting to see how the ICO has dealt with these data breach cases under a similar scheme.

The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, replacing the existing data protection framework under the EU Data Protection Directive, and will give EU citizens further data protection rights.

Authors: Vivian Meacham and Danielle Sumner