Cordery

Legal.Compliance.

UK Unlawful Obtaining of Health Data Criminal Case

Introduction

According to the UK’s data protection regulator, the Information Commissioner’s Office (the ICO), a former health adviser has been found guilty of accessing medical records of patients without a valid legal reason. This article takes a brief look at this matter.

What’s this case all about?

An individual called Mr. Christopher O’Brien worked for the South Warwickshire NHS Foundation Trust (the Trust). At the Trust, between June and December 2019, he unlawfully accessed the records of 14 patients, who he knew. He did so without a valid business reason and without the knowledge of the Trust.

Apparently, one of those patient-victims said that they had been left worried and anxious about Mr. O’Brien having access to their health records, and, another patient-victim said that what had happened had put them off from going to their doctor.

Mr. O’Brien was charged, and subsequently, when he appeared at Coventry Magistrates’ Court on 3 August 2022, he pleaded guilty to unlawfully obtaining personal data in breach of section 170 of the Data Protection Act 2018.

What did the court decide?

The court ordered him to pay £250 compensation to 12 patients, totalling £3,000. According to the Trust, Mr O’Brien no longer works for them.

Reaction

Mr. Stephen Eckersley, ICO Director of Investigations, said of this matter:

“This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it. Such behaviour can be extremely distressing for the victims.”

What are the takeaways?

Under the UK Data Protection Act 2018 there are a number of data protection offences, the broadest of which is section 170(1) which criminalises the knowing or reckless obtaining, disclosing, procuring disclosure, or retaining, of personal data without the consent of the data controller. The offence is committed if an individual knowingly or recklessly does any of the following:

  • Obtains or discloses personal data without the consent of the data controller;
  • Procures the disclosure of personal data to another person without the consent of the controller, or,
  • After obtaining personal data retains it without the consent of the person who was the data controller in relation to the personal data when it was obtained.

Further, section 170(4) and (5) make it an offence to offer to sell or to sell personal data in circumstances in which an offence under section 170(1) has been committed. Here, the offer to sell or the actual selling on of the personal data obtained, disclosed, procured or retained contrary to section 170(1) will in itself constitute a further offence. An advertisement indicating that personal data is or may be for sale is an offer to sell the data.

Illegal access to personal data is a common risk for any organisation. The key consideration for businesses here is that, when training staff and drafting the internal privacy policy, to inform staff about their data protection and information governance responsibilities, including how to responsibly handle people’s personal data, and to stress that to obtain etc. personal data without consent may lead to a criminal prosecution.

More information

We have reported on data protection claims issues recently here: https://www.corderycompliance.com/smith-vs-talktalk/

We have reported recently on data breaches here: https://www.corderycompliance.com/ico-fines-dp/

We have reported on plans to change the UK’s data protection regime here: https://www.corderycompliance.com/changes-uk-dp-regime-3/

We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.

The ICO’s press release about the O’Brien case can be found here: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/08/former-health-adviser-found-guilty-of-illegally-accessing-patient-records/

For more about GDPR please also see our GDPR FAQs which can be found here:  http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.

For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.