A former health adviser has been found guilty of accessing medical records of patients without a valid legal reason.
Christopher O’Brien was working at the South Warwickshire NHS Foundation Trust when he unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. He did so without a valid business reason and without the knowledge of the Trust.
Sensitive and personal data relate to an individual (or individuals). The Information Commissioner’s Office defines personal data as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier". This includes medical records.
One of the victims said the breach left them worried and anxious about O’Brien having access to their health records, with another victim saying the breach put them off from going to their doctor.
O’Brien pleaded guilty to unlawfully obtaining personal data in breach of section 170 of the Data Protection Act 2018 when he appeared at Coventry Magistrates’ Court on 3 August 2022. He was ordered to pay £250 compensation to 12 patients, totalling £3,000.
Stephen Eckersley, ICO Director of Investigations, said:
“This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it. Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, it potentially jeopardises the important relationship of trust and confidence between patients and the NHS. I would urge organisations to remind their staff about their data protection and information governance responsibilities, including how to handle people’s sensitive data responsibly."
A spokesperson for South Warwickshire University NHS Foundation Trust said:
“Our organisation has stringent information governance (IG) procedures in place, to ensure as a Trust we thoroughly investigate any reported confidentiality concerns or potential data breaches. Messages around IG processes are regularly shared via internal Trust communication and IG training is mandatory for all staff. Our procedures were followed at all times during this case, this included running audits, notifying all patients affected, reporting the incident to the Information Commissioner's Office (ICO) and working very closely with the ICO to assist with their investigation. We can confirm this member of staff no longer works for the Trust. As an organisation, we would like to apologise for the impact this individual’s actions have had on the patients involved.”
Organisations can find data protection and information governance training and resources on the ICO website.