Former NHS Health Advisor Found Guilty Of Illegally Accessing Patient Records

Ruby Ashby

Christopher O’Brien had worked as a health advisor at South Warwickshire NHS Foundation Trust. During the course of his employment, Mr O’Brien accessed patients’ medical records without a valid business reason for doing so and without the knowledge of the Trust that employed him.

Background

Between June and December 2019, Mr O’Brien accessed the records of 14 patients whom he knew personally. This caused a great deal of stress for the individuals in question. One of the victims commented that the breach had put them off going to see their doctor.

Were Mr O’Brien’s actions in contravention of the UK GDPR and/or the Data Protection Act 2018 (DPA 2018)? It is first necessary to establish whether the records accessed by Mr O’Brien would be considered personal data in line with the definition present within the UK GDPR. Article 4(1) of the UK GDPR defines personal data as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

In Mr O’Brien’s case, he accessed medical records which most likely would have referred to the patients by name and address. The records were also likely to contain other identifiers, such as information relating to the patients’ physical attributes.

Section 170 of the DPA 2018 states:

“(1) It is an offence for a person knowingly or recklessly-

            (a) to obtain or disclose personal data without the consent of the controller;

            (b) to procure the disclosure of personal data to another person without the consent of the controller; or

            (c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.”

Mr O’Brien obtained personal data (the medical records) without the consent of the controller, the Trust. He was therefore in contravention of Section 170 of the DPA 2018.

Section 196(2) of the DPA 2018 confirms that a person who commits an offence under Section 170 of the DPA 2018 is liable on summary conviction to a fine, and on conviction on indictment to a fine. In accordance with Section 196(4) of the DPA 2018, the Court may also order a document or other material to be forfeited or erased if it has been used in connection with the processing of personal data and it appears to the Court to be connected with the commission of an offence.

Mr O’Brien appeared at the Coventry Magistrates’ Court on 3 August 2022. He pleaded guilty to the unlawful obtaining of personal data in breach of Section 170(1)(a) of the DPA 2018. Mr O’Brien was ordered to pay compensation to 12 patients, totalling £3,000.

Stephen Eckersley, ICO Director of Investigations, commented:

“This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it.

Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, it potentially jeopardises the important relationship of trust and confidence between patients and the NHS.

I would urge organisations to remind their staff about their data protection and information governance responsibilities, including how to handle people’s sensitive data responsibly.”

Comment

To lawfully process personal data you need to demonstrate that one of the six lawful bases present within the UK GDPR applies. See my previous blog for more details.

Unless you are able to demonstrate that one of the lawful bases applies, you do not have the legal right to access the data (even if you are able to do so).

How we can help

Ruby Ashby is an Associate in our expert Dispute Resolution team.

If you need any advice concerning the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
