A Health Care Assistant has been fined £1,715 by Colchester Magistrates’ Court after pleading guilty to unlawfully obtaining and unlawfully disclosing personal data. Briony Woolfe accessed the health records of family members, colleagues and others “without a business purpose to do so” whilst working for Colchester Hospital University NHS Foundation Trust, and was subject to investigation following a complaint by a patient.
The investigation revealed that the records of 29 individuals had been unlawfully accessed and that, in some cases, confidential data had subsequently been shared with others.
The Information Commissioner’s Office (ICO) highlighted that Ms Woolfe’s actions were not only a breach of patient confidentiality but also of the Data Protection Act, and that this was one of a number of recent cases. Steve Eckersley, the ICO’s Head of Enforcement, said: “Once again we see an NHS employee getting themselves in serious trouble by letting their personal curiosity get the better of them. Patients are entitled to have their privacy protected and those who work with sensitive personal data need to know that they can’t just access it or share it with others when they feel like it. The law is clear and the consequences of breaking it can be severe.”
Although this incident took place within the NHS, care homes are responsible for equally sensitive data and this type of incident could take place in any setting. Read on to learn how you can prevent this type of damaging incident arising within your service.
As well as monitoring standards of data protection, the ICO provides specific guidance to all types of businesses on meeting the requirements of the Data Protection Act, meaning that ignorance of the law is no defence. All processing of personal data is subject to the Act, and any breach can lead to a fine of up to £500,000 as well as the reputational damage that may follow.
4 Steps to Prevent Unlawful Data Breaches Within Your Service
- Train Your Staff: The ICO recommends formal induction and annual refresher training on data protection and confidentiality for all staff. Training can be tailored according to the responsibilities of each role, so remember to adjust the content according to the individual needs of each staff group.
- Operate a Clearly Understood Confidentiality Policy: You should have in place a detailed policy on confidentiality outlining how sensitive information is to be handled, stored and shared. This policy should be discussed with all staff at induction.
- Ensure Adequate Data Security: Care records are often stored without adequate attention to security, which increases the likelihood of data breaches. You must ensure that electronic records are password-protected with individual, rather than shared, logins, so that every access can be attributed to a named person, and that paper records are always locked away when not in use.
- Operate a ‘Need to Know’ Policy: Sensitive information should only ever be shared with those for whom it is relevant or useful. This may mean that whilst it is appropriate to share some information with all staff, more sensitive information may be restricted to those directly involved in the individual’s care.
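The third and fourth steps together describe a control that can be implemented in an electronic records system: each member of staff uses their own login, restricted information is released only to the resident's care team, and every read (permitted or refused) is written to an audit trail that a manager can review. The following is an added example written for this article, not code from the ICO or from any care records product; the residents, staff logins and care-team memberships are constructed sample data, and the refusal threshold in `review` is an assumed starting point rather than a recommended figure.

```python
"""Need-to-know access checks for care records with an audit trail.

Added example for this article; all residents, logins and records are
constructed sample data, not real people or a real system.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: which individual logins are on each resident's care team.
CARE_TEAM = {
    "R001": {"nurse.amy", "hca.ben"},
    "R002": {"nurse.amy"},
    "R003": {"hca.ben", "manager.cara"},
}

# Fields every member of staff may see, versus fields restricted to the care team.
ALL_STAFF_FIELDS = {"name", "room", "dietary_needs"}
CARE_TEAM_FIELDS = ALL_STAFF_FIELDS | {"diagnosis", "medication", "next_of_kin"}


@dataclass(frozen=True)
class AuditEvent:
    when: object     # datetime of the read (None in ad-hoc checks)
    user: str        # an individual login, so the access is attributable
    resident: str
    field: str
    allowed: bool
    reason: str


def authorize(user, resident, field, when=None, care_team=CARE_TEAM, log=None):
    """Decide whether `user` may read `field` of `resident`'s record and
    record the decision. Refused reads are logged as well as permitted ones,
    because a pattern of refusals is what a 'curiosity' browser leaves behind."""
    if field not in CARE_TEAM_FIELDS:
        event = AuditEvent(when, user, resident, field, False, "unknown field")
    elif field in ALL_STAFF_FIELDS:
        event = AuditEvent(when, user, resident, field, True, "shared with all staff")
    elif user in care_team.get(resident, set()):
        event = AuditEvent(when, user, resident, field, True, "on care team")
    else:
        event = AuditEvent(when, user, resident, field, False, "not on care team")
    if log is not None:
        log.append(event)
    return event


def review(log, care_team=CARE_TEAM, max_refusals=2):
    """Review an audit log and return (suspect_users, escaped_events).

    suspect_users: logins refused more than `max_refusals` times (assumed
    threshold) for restricted fields of residents outside their care team.
    escaped_events: permitted reads of restricted fields by someone not on
    the care team; empty if need-to-know is actually enforced."""
    refusals = Counter(e.user for e in log
                       if not e.allowed and e.reason == "not on care team")
    suspect_users = sorted(u for u, n in refusals.items() if n > max_refusals)
    escaped_events = [
        e for e in log
        if e.allowed and e.field not in ALL_STAFF_FIELDS
        and e.user not in care_team.get(e.resident, set())
    ]
    return suspect_users, escaped_events


def demo():
    """Constructed sequence: Ben legitimately reads records of R001 and R003,
    then browses restricted fields of R002, a resident he does not look after."""
    log = []
    t0 = datetime(2024, 1, 8, 9, 0)
    reads = [
        ("hca.ben", "R001", "medication"),
        ("hca.ben", "R003", "diagnosis"),
        ("hca.ben", "R002", "room"),          # permitted: shared with all staff
        ("hca.ben", "R002", "diagnosis"),     # refused: not on R002's care team
        ("hca.ben", "R002", "medication"),
        ("hca.ben", "R002", "next_of_kin"),
        ("nurse.amy", "R002", "diagnosis"),   # permitted: on R002's care team
    ]
    for i, (user, resident, field) in enumerate(reads):
        authorize(user, resident, field, t0 + timedelta(minutes=i), log=log)
    return review(log)


if __name__ == "__main__":
    users, escaped = demo()
    print("logins to follow up:", users)
    print("permitted reads outside need-to-know:", len(escaped))
```

The point of logging refusals as well as permitted reads is that, in the case described above, the unlawful access came to light only through a patient's complaint; a periodic review of the audit trail gives the manager an earlier and independent signal. Shared logins would make the same log useless, since no event could be attributed to a person.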