A Couple Of Not So Healthy Uses Of Sensitive Personal Data

It transpires that a manager of a leisure centre, run by a local council, who was responsible for accepting people with health problems from their GP to enable them to have fitness sessions related to their particular condition, was being made redundant by his employer. To offset this he decided to branch out on his own and offer the same services but as a private rather than council run operation. But how to get his message across was obviously a big hurdle but one he had in ingenious idea to overcome, he emailed himself  the data for over 2400 ‘clients’ including their sensitive medical details which included obesity, diabetes, arthritis, and cardiac and mild mental health issues.

For the uninitiated this would be a brilliant way to get a leg-up into the health service world but, as we know from our Data Protection training, this is not the case. Indeed, when the Information Commissioner got wind of it he decided to prosecute the person involved and took steps to this end. He was helped by the fact that the ex-manager had set up his new business with the exact same name as the council one had been, Active options, and this proved to be his downfall as people complained to the council about the person involved contacting them and it was the council who flagged this up to the Commissioner.

He was prosecuted under section 55 of the Data Protection Act at West Hampshire Magistrates Court this week (May 22) where he was fined a total of £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs. Section 55 of the Data Protection Act 1998, makes it an offence (with certain exemptions) to obtain, disclose or procure the disclosure of personal information knowingly or recklessly, without the consent of the organisation holding the information.

Christopher Graham, the Information Commissioner, said afterwards: “People have a right to privacy and the ICO works to maintain that right. Nobody expects that their health records will be taken and used in this way. Mr Hedges had been told by Southampton Council about the need to keep patients’ details confidential, but he decided to break the law to benefit his new business. This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behaviour of this kind should be recognised as a ‘recordable offence’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statue book but needs to be activated. The government must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.”

This is the second Section 55 offence in this part of the UK this year as, in March, a former receptionist at a GP surgery in Southampton was prosecuted for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife. When she appeared at West Hampshire Magistrates, Marcia Phillips was fined £750 and ordered to pay a £15 victim surcharge and £400 prosecution costs.

Ms Phillips was found to have accessed the information on 15 separate occasions over a 16-month period while working as a receptionist at the Bath Lodge Practice. The breach became apparent after Phillips left her job and sent a text message to her ex-husband’s partner referring to highly sensitive medical information taken from her medical record.

So you see, although the data may be something you use on a daily basis it does not give you the right to use it outwith the reason it has been obtained. If you are caught you will, as these two cases prove, be prosecuted in the Criminal Court and be fined, obtain a criminal record and have your life and name tarnished.

Is it worth taking a chance? Absolutely not!!!!

And remember, Section 55 also refers to reckless loss of data so even if you make an error of judgement and give information to someone you cannot identify as having the right to that data, you could be liable under S.55 too and end up in court!!

For any help or further information respond to this post or go to http:www.kpgprofessionalservices.co.uk

About KPG Professional Services

Kevin has been working in the Data Protection field for over 20 years with The Post Office, Royal Mail Marketing, The Royal Bank of Scotland and Glasgow Housing Association Ltd. He is also trained in the Freedom of Information (Scotland) Act 2002 and has supplied expertise and support in this discipline for the past 4 years. In his leisure time Kevin is a presenter on Hospital Radio, an SRU rugby referee and referee coach and also the stadium announcer at McDiarmid Park for his team St Johnstone in the Scottish Premier League.
This entry was posted in Blagging, Breaches, Data Protection, Data Security, Fair Processing, ICO, Information Commissioner, Information Security, Justice and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s