After prying into medical records, a former NHS health care assistant has had to pay a serious fine – highlighting the importance of proper data protection training for all employers and employees.
The worker, who accessed records of 29 people – including family members, colleagues and others that she didn’t know – pleaded guilty to ‘unlawfully obtaining and disclosing personal data’, after a patient complained. She accessed these records without a ‘business purpose’ to do so; in other words, her curiosity got the better of her. In accessing this data – and sharing it with others – she breached patient confidentiality, and the Data Protection Act.
This incident goes to show how important it is to train employees about data protection protocols, and the serious consequences of breaching them. Knowing a person does not make it lawful to access their personal information. In this case, some of the data the worker accessed belonged to family members – but it was still illegal for her to look at it.
Many employers train their senior managers and HR team on data protection, but proper training needs to be implemented at ground level. If employers train all their employees on their data protection obligations – and can demonstrate that they’ve done so comprehensively – they’re much less likely to be on the receiving end of fines or legal action.
Data protection regulation is changing. From May next year, the General Data Protection Regulation will come into force – meaning employers and employees will have even more responsibility to comply with legislation, or face serious consequences.
Capital are running several GDPR training courses. To book on to one of our courses, or to find out more information about the services we provide, please visit our GDPR page.
The Information Commissioner’s Office (ICO) has reminded NHS staff about the potentially serious consequences of prying into patients’ medical records without a valid reason. The warning came after a former health care assistant was ordered to pay a total of £1,715 in fines and costs after pleading guilty to offences of unlawfully obtaining and unlawfully disclosing personal data.