Despite Information Commissioner’s Office (ICO) warnings, NHS employees are continuing to breach data protection laws. We again see employees being found guilty of illegally accessing medical records belonging to people they know – i.e. family, friends, neighbours and colleagues – we assume this data snooping is merely to satisfy their curiosity.
In this latest batch, three perpetrators were fined by the ICO for their clear and obvious breaches, and we are yet again left wondering what can be done to stop these continual events happening.
Reviewing one patient’s records hundreds of times
A former administrator for Kent and Medway NHS and Social Care Partnership Trust reportedly accessed sensitive medical records belonging to an acquaintance in excess of 279 times during a three-week period.
She didn’t have permission from the patient nor her employer (the data controller) to look through these personal records, and she pleaded guilty to charges at Medway Magistrate’s Court.
Coding officer charged with accessing medical records
A Coding Officer for Dudley Group NHS Trust when she was said to have rifled through her neighbour’s and former friend’s medical records. Her job had nothing to do with accessing these medical records, and she appears to have taken the breach one step further by disclosing sensitive information about a baby.
The Officer also pleaded guilty.
Nursing auxiliary accessed patient records
A nursing auxiliary and was reportedly working at the Royal Gwent Hospital in Newport at the time of the breach. She illegally accessed patient records belonging to her neighbour; something she had no right to do.
No reason, nor right
All three perpetrators had no authority nor legitimate reason to access the records they did. In order to satisfy what we can only assume was their own curiosity (why else would they access the records?), they violated the privacy of the patients and smeared the NHS’ reputation. Their actions cost them hundreds of pounds each, as well as costing them their jobs, reputation and probably some social relationships.
The successful prosecutions may give the ICO mixed feelings. On the one hand, perpetrators like these who violate data protection responsibilities must be caught and punished. On the other, it’s incredibly frustrating for the U.K. data watchdog to continuously warn and fine people for these entirely preventable breaches.
More warnings
The ICO issued yet another warning to NHS workers about the consequences of snooping on patient records. Mike Shaw, Criminal Enforcement Group Manager for the ICO, said:
“Employees, who in many cases are very experienced and capable, are getting into serious trouble and often losing their jobs, usually over little more than personal curiosity. The laws on data protection are there for a reason and people have the right to know their highly sensitive personal information will be treated with appropriate privacy and respect.”
The importance of trust in our NHS services
Shaw emphasised the importance of trust between patients and our National Health Service. If we can’t trust medical professionals with our information, we might withhold important information that could significantly impact our health.
It sounds like the NHS need to update their data protection training and protocols to mitigate the chances of these simple breaches happening again, including changing the way records are accessed and educating employees about the law and the consequences of breaching data rules.