The ICO issued the warning after Brioney Woolfe, a former midwifery assistant with Colchester Hospital University NHS Foundation Trust, was found guilty of offences of unlawfully obtaining and disclosing personal data under s.55 of the Data Protection Act 1998 (DPA). Ms Woolfe had accessed the medical records of 29 people including family members and colleagues without a business purpose over an 18-month period, using the Trust's electronic patient record system.
Her behaviour came to light following a complaint by a patient, who discovered that their medical records had been shared with their ex-partner. An internal investigation subsequently found that Ms Woolfe had breached both patient confidentiality rules and the Data Protection Act 1998. She was ordered to pay a total of £1,715 in fines and costs by Colchester Magistrates' Court.
This case is one of several ICO prosecutions that have involved the unlawful access to and disclosure of personal data by employees in recent months. Even though this prosecution concerned medical records, the criminal offence under the DPA relates to all types of personal data. As well as having serious personal consequences for the employee prosecuted, organisations risk suffering serious reputational damage. Therefore this is an issue which all employers should guard against.
Employers are advised to make clear in staff data protection policies and training that personal data should only be accessed and disclosed for valid purposes. Staff should be aware of their obligations and be vigilant in spotting suspicious activity of colleagues to minimise the potential damage.
The Government has confirmed that this criminal offence will remain after the DPA is repealed by new legislation next year. Our Data Protection team would be pleased to assist with your preparations for the new data protection regime which applies from May 2018.