UK: GP surgery manager prosecuted for illegally accessing patients’ medical records
From the Information Commissioner’s Office:
A former manager who oversaw the finances of a GP’s practice in Maidstone has been prosecuted by the Information Commissioner’s Office (ICO) after unlawfully accessing the medical records of approximately 1,940 patients registered with the surgery.
Appearing at Maidstone Magistrates Court today, 37-year-old Steven Tennison pleaded guilty to charges of unlawfully obtaining personal data (section 55 of the Data Protection Act). He was fined a total of £996 and ordered to pay a £99 victim surcharge and £250 prosecution costs.
The offences were uncovered in October 2010 when the Practice Manager at College Practice GP surgery was asked to review Tennison’s attendance file. The review included a check of Tennison’s use of the patient records program, which showed that between 6 August 2009 and 6 October 2010 he had accessed patients’ records on 2023 occasions.
The majority of the records viewed related to women in their 20s and 30s. One woman’s record – believed to be a school friend of Tennison – was accessed repeatedly along with the record of her son.
The practice confirmed that Tennison only needed to access patients’ records on three occasions during this period, when the Practice Manager was on leave and he was responsible for investigating a complaint.
ICO Head of Enforcement, Stephen Eckersley, said:
“We may never know why Steven Tennison decided to break the law by snooping on hundreds of patients’ medical records. What we do know is that he’d received data training and knew he was breaking the law, but continued to access highly sensitive information over a 14-month period.
“The GPs and staff at College Practice GP surgery work hard to maintain the confidentiality of their patients’ records. The irresponsible actions of one employee have undermined their work and he is now facing the consequences of his unlawful actions.”
Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of ‘fine only’ – up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.