On 3 August 2022, Christopher O’Brien, a former health adviser employed by South Warwickshire NHS Foundation Trust, pleaded guilty at Coventry Magistrates’ Court to unlawfully accessing patient records.

What data has been breached and how?

Between June and December 2019, he accessed the medical records of 14 patients. The patients were known to him, but the records were not accessed lawfully as the patients were not under his care. His actions amount to a breach of section 170 of the Data Protection Act 2018. This states that it is an offence to obtain or disclose personal data, or to procure the disclosure of personal data, without the consent of the controller. The controller of the data in this case is the SW NHS Foundation Trust.

Mr O’Brien was ordered by the Court to pay compensation to 12 of the patients whose data he had unlawfully accessed. The compensation amounted to £3,000 (£250 each).

Mr Stephen Eckersley, ICO Director of Investigation, commented:

“This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it.

“Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, it potentially jeopardises the important relationship of trust and confidence between patients and the NHS.

“I would urge organisations to remind their staff about their data protection and information governance responsibilities, including how to handle people’s sensitive data responsibly.”

What happened next?

A spokesperson for South Warwickshire University NHS Foundation Trust said: “Our organisation has stringent information governance (IG) procedures in place, to ensure as a Trust we thoroughly investigate any reported confidentiality concerns or potential data breaches. Messages around IG processes are regularly shared via internal Trust communication and IG training is mandatory for all staff.

“Our procedures were followed at all times during this case; this included running audits, notifying all patients affected, reporting the incident to the Information Commissioner’s Office (ICO) and working very closely with the ICO to assist with their investigation.

“We can confirm this member of staff no longer works for the Trust. As an organisation, we would like to apologise for the impact this individual’s actions have had on the patients involved.”

Are NHS Trusts responsible for their employees breaching patients’ data?

There is no straightforward answer to this question as it depends on the circumstances of each case. If a Trust has proper policies in place regarding employees accessing patient information without a good reason, and if they provide regular training to employees to ensure such incidents do not occur, it might be that the Trust is not liable for the actions of the employee.

It is, however, clear that despite numerous warnings to NHS employees, these incidents still occur. It might be that new policies have to be put in place to reduce the chances of employees breaching patients’ data out of curiosity!

If you believe your data has been accessed without authorisation, please get in touch with one of our specialist solicitors at DRM Legal and we will advise if you might have a valid claim for compensation.