Risk: Prying into patient data

A SPATE of recent cases has prompted the Information Commissioner’s Office (ICO) to remind all NHS staff about the potentially serious consequences of prying into patients’ medical records without a legitimate reason. The most recent case to be highlighted is one of five ICO prosecutions involving staff illegally accessing health records.

The ICO warning came after a former midwifery assistant at Colchester Hospital University NHS Foundation Trust, who described herself as “nosy”, was ordered to pay a total of £1,715 in fines and costs after pleading guilty to offences of unlawfully obtaining and disclosing personal data. A local investigation was prompted following a patient complaint, which established that she had accessed the records of 29 people, including family members, colleagues and others, over a two-year period using her trust’s electronic patient record system.

Some of this information was found to have been shared with others and came to light when someone discovered their medical records had been seen by an ex-partner. This was not only a breach of patient confidentiality but also of the Data Protection Act 1998.

The Head of Enforcement at the ICO Steve Eckersley said: "Once again we see an NHS employee getting themselves in serious trouble by letting their personal curiosity get the better of them.

"Patients are entitled to have their privacy protected and those who work with sensitive personal data need to know that they can’t just access it or share it with others when they feel like it. The law is clear and the consequences of breaking it can be severe."

Other recent cases include:

• an administrative employee of a general practice in Wales who was prosecuted for accessing the sensitive medical records of two patients without consent
• a former clerical officer employed by Portsmouth Hospitals NHS Trust who accessed the sensitive medical records of two estranged family members on numerous occasions over a five-month period, obtaining new addresses
• a former nurse prosecuted for accessing the sensitive medical records of over 3,000 individuals, which included the records of hospital staff.

All of these constituted offences under section 55 of the Data Protection Act and resulted in significant fines and a criminal record for the individuals concerned.

This warning serves to highlight that all personal information contained within a medical record is classified as "personal sensitive data" under the act, which means that all data controllers and their employees and representatives must take particular care to safeguard this data. The ICO can take action to “change the behaviour” of organisations and individuals that collect, use and keep personal information improperly. This includes noncriminal enforcement and audit, or criminal prosecution. At present the ICO also has the power to impose a monetary penalty on a data controller of up to £500,000.

It’s also apparent from the outcome of these recent cases that the offenders were subject to disciplinary action by their employers, with the possibility of scrutiny by regulators. Indeed, the GMC states in its new Confidentiality guidance: "You must not access a patient’s personal information unless you have a legitimate reason to view it."

MDDUS also reminds members that in any criminal prosecution under section 55 of the Data Protection Act 1998 it is unlikely that they would be indemnified under the terms and conditions of their membership.

ACTION

• Medical records must never be accessed without a genuine clinical or administrative reason. With modern electronic patient management systems, a clear audit trail is present which can be examined to determine who has accessed a patient record and when.
• Practices and other data controllers must ensure that they have clear policies for employees in relation to accessing medical/dental records on a need-to-know basis. Providing access to regular knowledge updates and training in this area is an important way to mitigate organisational risk, ensuring staff are reminded of their responsibilities.

Alan Frame is a risk adviser at MDDUS