ICO warns NHS staff that unlawfully accessing patient records is an offence
- 15 August 2017
The Information Commissioner’s Office (ICO) has reminded NHS staff about the potentially serious consequences of prying into patients’ medical records without a valid reason.
The warning came after Brioney Woolfe, a former midwifery assistant at Colchester Hospital University NHS Foundation Trust, who described herself as ‘nosy’, was ordered to pay a total of £1,715 in fines and costs after pleading guilty to offences of unlawfully obtaining and unlawfully disclosing personal data.
An investigation, which followed a complaint by a patient, established that Woolfe had accessed the records of 29 people including family members, colleagues and others where no connection with the defendant is known, between December 2014 and May 2016.
Some of the information was subsequently shared with others. That was not only a breach of patient confidentiality but also an offence under the Data Protection Act.
Woolfe was fined £400 for the offence of obtaining personal data, and a further £650 for the offence of disclosing personal data. She was also ordered to pay a contribution of £600 towards prosecution costs, plus a victim surcharge of £65.
Colchester Magistrates’ Court was told Woolfe inappropriately accessed the medical records of 29 people while employed as a midwifery assistant, using the trust’s Medway electronic patient record system.
According to a report in the local newspaper, the Essex Gazette, Woolfe was reported to the head of midwifery at Colchester General Hospital when someone discovered their medical records had been shared with her ex-partner.
Charlotte Brewer, prosecuting, told Colchester magistrates that Woolfe, 28, had accessed the personal information of 23 women and six men without consent. Only two of the 29 were pregnant.
Brewer told magistrates Woolfe would look up friends’ records. “If her children had been invited to a birthday party, she’d look up their parents’ details.”
The case is one of several ICO prosecutions involving staff illegally accessing health records in recent months. Head of Enforcement Steve Eckersley said:
“Once again we see an NHS employee getting themselves in serious trouble by letting their personal curiosity get the better of them.
“Patients are entitled to have their privacy protected and those who work with sensitive personal data need to know that they can’t just access it or share it with others when they feel like it. The law is clear and the consequences of breaking it can be severe.”
31 Comments
A fine is not a punishment, it is a temporary financial inconvenience, and if she was selling this info she is almost certainly still in profit. Definitely should have been jailed for a few months. Too many people working in the caring industry, including so-called professionals, treat others’ info with very little care and then resort to lying when they are exposed.
Hippocratic Oath – First do no harm (to your career)
There’s no way this crime is worthy of actual jail time, not even close. She committed a crime and has now been penalised as a result. Justice has been served.
Retraining? Is that a joke? You cannot train dishonesty out of people; the reoffending rate tells you that.
This woman betrayed the trust only given to carers and only got caught because a patient was confronted by an ex-partner who seemingly couldn’t resist telling her that he had got this info. If that man had just kept quiet about it this would almost certainly still be going on. Can you imagine how that poor woman felt when this ex-partner confronted her with this info, not knowing at first how he had obtained it.
And she was duly punished.
If you want her to rehabilitate and become a legit functioning member of society again, then I highly doubt your idea of castigating this woman for life would aid her recovery.
I’m assuming this was the result of a complaint, not a security audit?
“Woolfe was reported to the head of midwifery at Colchester General Hospital when someone discovered their medical records had been shared with her ex-partner.”
You should probably read the article before commenting.
Yes ‘someone’ explains it all.
I’m assuming it wasn’t proactive action by the trust then, and has action been taken to rectify this? As you’ve mentioned above, it’s the trust’s duty to protect this data and methods exist to detect these violations.
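The “methods exist to detect these violations” point above is illustrated here with an added example that is not part of the article or of any comment: a minimal audit-trail check of the kind a trust’s information governance team could run over an EPR access log. Every access is compared against a table of documented care relationships; an open with no relationship is flagged, and a user is escalated for formal investigation when they open several unrelated records in a short window or open a colleague’s record. The log format, the care-relationship table, the staff-patient list and the thresholds are all constructed assumptions, not the Medway system’s real schema.

```python
"""Flag EPR record accesses that lack a documented care relationship.

Added example, not from the article. All data below is constructed for
illustration; field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: (timestamp, user_id, patient_id), one row per
# record open. u_alice has a care relationship with p001 and p002 only.
ACCESS_LOG = [
    ("2016-03-01T09:12:00", "u_alice", "p001"),  # justified
    ("2016-03-01T09:30:00", "u_alice", "p002"),  # justified
    ("2016-03-01T13:05:00", "u_alice", "p003"),  # no relationship
    ("2016-03-01T13:06:00", "u_alice", "p004"),  # no relationship
    ("2016-03-01T13:07:00", "u_alice", "p005"),  # no relationship, staff record
    ("2016-03-02T08:00:00", "u_alice", "p006"),  # no relationship, next day
    ("2016-03-01T10:00:00", "u_bob", "p001"),    # justified
    ("2016-03-01T10:20:00", "u_bob", "p007"),    # one unrelated open, no escalation
]

# Constructed care relationships: (user_id, patient_id, start, end). Opening a
# record is justified only inside one of these windows.
CARE_RELATIONSHIPS = [
    ("u_alice", "p001", "2016-02-28T00:00:00", "2016-03-03T00:00:00"),
    ("u_alice", "p002", "2016-02-28T00:00:00", "2016-03-03T00:00:00"),
    ("u_bob",   "p001", "2016-02-28T00:00:00", "2016-03-03T00:00:00"),
]

# Patient records that belong to members of staff (assumed list). Any
# unrelated open of one of these is escalated regardless of volume.
STAFF_PATIENT_IDS = {"p005"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def build_relationship_index(relationships):
    """Map (user, patient) -> list of (start, end) datetime windows."""
    index = defaultdict(list)
    for user, patient, start, end in relationships:
        index[(user, patient)].append((_parse(start), _parse(end)))
    return index


def has_care_relationship(index, user, patient, when):
    """True if `user` had an open care relationship with `patient` at `when`."""
    return any(start <= when < end for start, end in index.get((user, patient), []))


def find_unjustified_accesses(access_log, relationships):
    """Return every access with no care relationship as (when, user, patient)."""
    index = build_relationship_index(relationships)
    flagged = []
    for ts, user, patient in access_log:
        when = _parse(ts)
        if not has_care_relationship(index, user, patient, when):
            flagged.append((when, user, patient))
    return sorted(flagged)


def escalate(flagged, staff_patient_ids, window=timedelta(hours=24), threshold=3):
    """Pick out users who warrant a formal investigation.

    A user is escalated if, within any sliding `window`, they opened at least
    `threshold` distinct unrelated records, or if they opened any unrelated
    record belonging to a member of staff. Returns {user: set of reasons}.
    """
    reasons = defaultdict(set)
    by_user = defaultdict(list)
    for when, user, patient in flagged:
        by_user[user].append((when, patient))
        if patient in staff_patient_ids:
            reasons[user].add(f"staff record {patient} opened without relationship")
    hours = int(window.total_seconds() // 3600)
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {patient for _, patient in events[start:end + 1]}
            if len(distinct) >= threshold:
                reasons[user].add(f"{len(distinct)} unrelated records within {hours}h")
                break
    return dict(reasons)


if __name__ == "__main__":
    flagged = find_unjustified_accesses(ACCESS_LOG, CARE_RELATIONSHIPS)
    for when, user, patient in flagged:
        print(f"{when.isoformat()} {user} opened {patient} with no care relationship")
    for user, why in escalate(flagged, STAFF_PATIENT_IDS).items():
        print(f"ESCALATE {user}: {'; '.join(sorted(why))}")
```

On the constructed data, u_alice is escalated on both grounds (three unrelated records inside a few minutes, plus a colleague’s record) while u_bob’s single unrelated open is only logged. The care-relationship table is the part that makes this workable in practice: without a source of truth for who is legitimately treating whom, an access log alone can only count, not judge.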
Lynne,
This is also part of the problem. The MASSIVE fines so far handed out to GPs have been in response to unintentional data leaks – yet when confidences are deliberately betrayed the penalty can be approximately one twentieth the size!
You can disagree with me, but that doesn’t make me wrong. What I’ve said is factual and can be backed up with evidence.
How would jail or a large fine help the situation? She needs to be punished without a doubt but re-education and community service would serve the wider population much better.
Re-education happens every year in the NHS and it is audited. It is a mandatory part of training and IGSoC.
These people are essentially waiting until the patient isn’t looking, rummaging around in their handbag, riffling through their wallet and taking what they think is interesting or valuable to them. It’s the patient’s data, not the NHS and just like you should respect their personal belongings and not steal them you should do the same for their data.
If you need to be re-educated on this something is very wrong.
So I agree, send a message. To all organisations and individuals who refuse to give data back to patients, cannot share it for direct care but feel it’s ok to ferret around for their own personal amusement / gain you will be heavily punished.
It’s even worse than stealing from the handbag, ’cause the patient does not even know what has been stolen from them. People do not have access to THEIR data, do they? A stranger can see your data when you can’t even see it yourself. What are you thinking NOW? This has happened to me on numerous occasions and I think it is one of the things about ourNHS which makes me angry.
It’s actually not the patient’s data. It’s the NHS Trust’s data. They are responsible for it, they are carrying the risk of looking after it and maintaining it, sharing it where required, destroying it etc.
The data in a patient’s record may be about the patient, but the legal responsibility of ownership is the NHS Trust’s.
I disagree with you, Gary. ourNHS is not currently in the private sector; it is owned by all of us, and it provides a SERVICE to us. Yes, it has a duty to take care of us and “our” health data. I also believe if people had more control of their data it would lead to increased efficiency. I think one problem is that, with respect to the management of health data, the service up and down the country has become so varied that it is now embarrassing for ourNHS leadership. IT, especially the treatment of data, should be a leveller; it is in the private sector, it isn’t within ourNHS, and that has to be due to failure of leadership at a national level within ourNHS.
An NHS nurse from Hemel Hempstead, Hertfordshire Hospital accessed my mother’s records without any consent, but she has now retired. I hope the law covers NHS staff who have now retired.
I also would like a block put on people who work in the NHS who used to be school bullies, just in case they may inadvertently or intentionally access a victim’s medical records. That includes mothers and fathers of the bullies who worked for the NHS.
“I also would like a block put on people who work in the NHS who used to be school bullies”
Lol – sure, we’ll just access the National Bully Database prior to appointing this nurse and check her status.
And the Data Protection Act prohibits data being processed (including collecting and storing) for ‘just in case’ purposes.
A blatant betrayal of trust and abuse of position. How are we to know what she was doing with this info. A paltry fine is not enough, should’ve been jailed for 6 months or perhaps a year and the fine. Others should know that if they betray trust and abuse their position they will regret it. I do hope she no longer works in a situation where she has similar access.
“should’ve been jailed for 6 months or perhaps a year and the fine.”
Completely excessive. She was penalised in proportion with the offence committed.
But Clive, I’m not blaming IT at all! Indeed, I never mentioned it once. My beef is with those who talk about mega-fines which only the small fry will have to pick up themselves.
We are just about to go into the shadow of the GDPR, which will be like the current system only about ten times worse, with fines up to 20 million euros (and, in effect, and as I understand it, data controllers in common). I can’t see any of my GP colleagues willing to share any information under that particular sword of Damocles: you share the information in good faith with a ‘reliable’ provider, only to find that they managed to leak information that they shouldn’t, so you, the GP, get hugely fined as well.
Digital Health gives me a voice; when I respond to a comment it is not personal, and my comments are not directed at you or any other individual. I would add that GPs, like NHS hospitals, are only part of the health “jigsaw puzzle”. The only constant along a PERSON’s health journey is the PERSON (and possibly a carer). The only thing that makes sense is to put the PERSON in control of THEIR data, not the GP, not the hospital. Integrating care will not happen unless it is supported by integrating the DATA. Technology NOW is awesome and there is no reason this cannot happen other than politics, and I am not talking about party politics, I am talking about NHS politics. Money is not the issue.
GDPR doesn’t make the situation worse if you are DPA compliant. Granted there are some extra provisions on data portability etc. but on the whole, if you are okay with the DPA, GDPR isn’t going to kill you.
The main difference I see is that there is recourse beyond the ICO, who have a mixed and sometimes lacklustre response.
GDPR is a huge opportunity for healthcare and industry as a whole when looked at in the right way. If you just see it as compliance and governance challenges with huge fines then you are likely to be one of the organizations who is hit hard.
As I’ve said before, my yard stick is, if you are using post/fax over email because of “security” or “privacy” concerns you are going to have problems. If you have addressed this and now use email effectively you are probably already on the right track.
I agree with you, but I would add the time for blaming poor IT is over, IT is a people business, just like health.
Clive,
I agree with you . However — and this is a big bugbear of mine — if a public body such as the NHS incurs a fine, it gets paid by that body and the individual senior manager doesn’t bear the brunt – the taxpayer does.
By comparison, with privately-owned firms (nearly all GP practices) any fines come out of the pockets of the partners.
As a result, the huge fines that organisations have to pay don’t come out of their senior managers’ pay packets, but massively impact on the small firms. In effect, the managers of large public bodies escape without penalty whereas the small practices get clobbered (even though the mistake may not have been made by them personally but by a member of their staff). I think this is inherently unfair.
It might be worth mentioning that some of the patients that a Trust is taking care of (and their data) may also be NHS staff. Accessing your colleagues’ EHR might be possible for some, but unless there is a valid clinical reason to do so, it is also totally inappropriate. Until people have been fully empowered to manage the access to their own health data this remains a management issue. IT “is” a people business; there is not good IT and bad IT, just good and poor management. If people are not fully made aware of the serious consequences of breaking the rules of IG then clearly there has been a serious breakdown in communication from the top down. If this type of breach of confidentiality occurred outside of the NHS I suspect it would have been the organisation and its leaders that would have been named and had to suffer the consequences, not just the individual who broke the rules, and I also suspect you would not be talking … 1,000s. With regard to IG, all need to be responsible, but the degree of accountability should be determined by the level of seniority; isn’t that why ourNHS leaders are paid the big bucks?
Clive,
This is a perennial issue, but the onus lies with the individual to comply with the legal and ethical requirements. Organisations and their leaders are accountable for putting adequate safeguards and end-user education in place but in the end it is down to each individual to act ethically and lawfully – within a sound IT security, IG and audit framework.
Speaking as an IT-professional, I always found that taking formal disciplinary action against such individuals (including dismissal and/or prosecution if a case was proven) helped emphasise the point and improved the corporate culture no end especially when the case was referred to in the annual IG and confidentiality awareness sessions. As you rightly say, this is not strictly an IT issue but a management issue.
Speaking as a cancer patient advocate, patient-owned data and patient-controlled data is fine in principle but a legal nightmare when you consider patients who lack the capacity to consent either temporarily (e.g. through unconsciousness) or permanently (e.g. through a long term mental health condition or disability).
Regards
Dave
I’d say the fine is proportionate with the offence committed.
I’d say the fine is proportionate to the salary an NCA earns.
£1715 is probably more than a month’s salary for this person.
Why such a small fine, as it appears to have been a deliberate act? GPs have already been fined tens of thousands of pounds for inadvertently revealing information.
I don’t understand the process/model at all.
A council is getting stung yet Royal Free deliberately defies data protection law, sharing over 1 million records, and barely gets a slapped wrist.
Individuals instead of organisations and vice versa.
If I was a cynical person (and I am) I would say they are chasing easy targets such as small organisations, individuals and simple cases whilst letting bigger more complex cases slide.
Money talks. Go after individuals because there is more chance they will have to pay up. The ICO is a servant to big multinational corporations – it’s not going to penalise them when there are many politicians in corporate pockets and when such companies frequently threaten to move out of the UK.
In my personal and honest opinion, from an organisation perspective, another really bad crime is doctoring the data. Money is data, and doctoring the data is on a par with cooking the books.