On the 11th August 2017 yet another NHS (now former) worker was fined by the Information Commissioner’s Office (ICO) for accessing sensitive health records belonging to family, friends and colleagues without authorisation.
She even disclosed information she found.
Brioney Woolfe worked at Colchester Hospital University NHS Foundation Trust as a Midwifery Assistant. The self-confessed ‘nosy’ midwifery assistant reportedly accessed 29 patient medical records, including those of the parents of her children’s school friends.
Accessing records illegally
She reportedly accessed files without authorisation, and her actions were discovered when a patient realised Woolfe’s ex-partner knew about their records.
An investigation was opened and Woolfe was found to have accessed medical records belonging to 29 people without permission between December 2014 and May 2016. Of the 29 patients, 23 were women and only two of these were pregnant.
Personal snooping
When answering for her crimes, the 28-year-old confessed that whenever her children were invited to a party, she would look up the parents’ details. She maintained her curiosity was never intended to be malicious, but data protection rules mean that, regardless of intention, she still obtained and disclosed personal data without authorisation and therefore breached the Data Protection Act.
Updated training for staff
A spokesman for the hospital said that maternity staff have received updated information training as a result of Woolfe’s actions, leaving some speculation as to whether data protection protocols were perhaps less than sufficient in the first place. He also said:
“It is essential that all NHS organisations use and store patient information appropriately and securely, and we take any breach extremely seriously.”
Unfortunately, this kind of thing just keeps on happening.
The snooping trend…
This recent case comes not long after ICO warnings to workers about not accessing patient records unless they have permission and/or proper reason to do so. The warning also reminds us that even if it is not done maliciously, data protection can still be breached and real consequences can follow. In this case, Woolfe was fined £400 for accessing the sensitive information; £650 for disclosing some of it; £600 for costs; and a £65 victim surcharge.
Although Woolfe reportedly had an ‘unblemished’ record at work, she understandably lost her job of 12 years as a direct result of her actions.
ICO gives stern warnings
Head of Enforcement at the ICO, Steve Eckersley, once again warns about letting personal curiosity get the better of you. Whilst a curious snoop may seem harmless:
“…patients are entitled to have their privacy protected and those who work with sensitive personal data need to know that they can’t just access it or share it with others when they feel like it. The law is clear and the consequences of breaking it can be severe.”
Data protection rules apply to companies, organisations and individuals. Whilst companies and organisations have a responsibility to ensure that information is stored and processed in a safe and secure way, individuals cannot abuse their own ability to access information for personal gain or curiosity.