News and Notices

Unauthorised Access to Records

This is a message to all staff. Access to information is on a strict need to know basis.

Under no circumstances should you:

  • access information relating to friends, family, colleagues, neighbours or even your own information.
  • ask another member of staff to access your records on your behalf

You must only access peoples personal records (whether that be employee or patient records) if it is in line with your work, for example, if you are treating a patient or are involved with the management of a staff member. If asked to, you must be able to justify why you have accessed someone’s personal information. Access to systems is audited.

Accessing records without being authorised and not having a valid justification of doing so could lead to you;

  • going through disciplinary action
  • losing your job
  • losing your professional registration
  • receiving a fine.

Recent examples and subsequent consequences of NHS staff accessing records without authorisation:

A former administrator at an NHS Trust has been prosecuted for accessing medical records without authorisation. An internal investigation found that the staff member had inappropriately accessed the medical records without any business need to do so. The records related to seven family members and seven children known to them. They appeared in court and admitted two offences of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998. She was fined £1000, ordered to pay costs of £590 and a victim surcharge of £50.- https://ico.org.uk/action-weve-taken/enforcement/faye-caughey/

A former doctor’s surgery employee who inappropriately accessed the records of patients and staff members has been prosecuted. They accessed the electronic clinical records of 228 patients and 3 staff members outside of their role as an administration assistant. They appeared in court and admitted 4 offences of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998. She was fined £350, ordered to pay costs of £643.75 and a victim surcharge of £35. - https://ico.org.uk/action-weve-taken/enforcement/hannah-pepper/

A staff nurse accessed patients’ medical records outside of their role. They inappropriately accessed the records – including maternity and paediatric records - of five patients, 17 times. It was also heard that they made multiple accesses to the records of some of these individuals including the blood results of a friend 44 times after they had been discharged, as well as foetal scans.

The appeared in court admitted unlawfully obtaining and disclosing personal data, in breach of s55 of the Data Protection Act 1998. She was fined £400 and was also ordered to pay costs of £364.08 and a victim surcharge of £40. - https://ico.org.uk/action-weve-taken/enforcement/clare-lawson/

 

All staff have a responsibility to ensure they are aware of and follow Information Governance Policies and Procedures. If anyone has any queries regarding Information Governance and the confidentiality of person identifiable information please contact the Information Governance Team at E: dchst.info.gov@nhs.net