The ICO crack down on the NHS and employee curiosity

Being too curious can sometimes get you into big and costly trouble.

The Information Commissioner’s Office (ICO) have made it clear that NHS employees who are tempted to look at patient records without a valid legal reason need to understand the repercussions of such actions.

Mike Shaw, Criminal Enforcement Group Manager at the ICO said, “Employees who in many cases are very experienced and capable, are getting into serious trouble and often lose their jobs, usually over little more than personal curiosity.”

Unfortunately, Clare Lawson made that mistake. Her curiosity cost her a £400 fine, £364.08 in costs, a victim surcharge of £40 and her job.

Clare Lawson had been a staff nurse on the Rehabilitation Ward at Southport and Ormskirk Hospital since October 2011. She is a registered nurse with over 13 years' experience of providing expert nursing care in medical, community and emergency care settings. Southport and Ormskirk Hospital NHS Trust provides health care in hospital and the community to approximately 258,000 people across Southport, Formby and West Lancashire.

The ICO website states that during 2014-2016 Clare Lawson committed the following data breaches:

  • Inappropriately accessed the records – including maternity and paediatric records – of five patients, 17 times
  • Accessed a further 109 records of 18 patients of which one was a child
  • Accessed blood results of a friend 44 times after they had been discharged
  • Accessed foetal scans of a patient

Ms Lawson was dismissed from her position in the hospital in September 2017 for gross misconduct. She appeared before magistrates in Bootle on 24th September 2018 and admitted unlawfully obtaining and disclosing personal data in breach of s55 of the Data Protection Act 1998.

The case has now been referred to the Nursing and Midwifery Council.  

The ICO Director of Investigations, Steve Eckersley, said about the case, “This abuse of a position of trust has caused significant distress to a number of people. The laws on data protection are there for a reason and people have the right to know their highly sensitive personal information will be treated with appropriate privacy and respect. The ICO will continue to take action against those who abuse their position and potentially jeopardise the important relationship of trust and confidentiality between patients and the NHS.”

The NHS and data protection

The Clare Lawson case is just one of many NHS data protection cases listed on the ICO website.

In October 2017, Nicola Wren, who was employed by Kent and Medway NHS and Social Care Partnership Trust, was also found guilty of accessing the records of patients known to her. She accessed the medical records 279 times in three weeks. Wren pleaded guilty to the offence under s55 of the Data Protection Act and was fined £300, ordered to pay costs of £364.08 and a £30 victim surcharge.

In November 2017, Marian Waddell, a former nursing auxiliary at the Royal Gwent Hospital in Newport, was fined for accessing a patient and her neighbour’s medical records without a valid reason. She was fined £232, had to pay £150 in costs and a victim surcharge of £30.

We are not aware of why Clare Lawson repeatedly looked at medical records of the hospital’s patients or what she did with the information. For whatever reason she did it, the message from the ICO is clear – do not access data that you are not legally allowed to access.

You will be fined and, what’s more, some people are of the opinion that the actions of people like Clare Lawson should result in a potential custodial sentence.

It’s worth noting that in these cases the charges were brought under the Data Protection Act, not the GDPR, because of the dates on which the data breaches occurred.

With the new data protection regulations carrying such heavy fines, all you curious folks out there dealing with personal data need to remember the saying ‘curiosity killed the cat!’.

This is a classic case of the type of internal information breaches that occur in organisations across the world, every day.

How do you make your staff aware of their responsibilities with other people’s data?

Not only is your business at risk if one of your employees breaches information, but they are personally liable as well.

Adrian McGarry




