UK: Receptionist unlawfully accessed sister-in-law’s medical details
A receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking has been found guilty of an offence under section 55 of the Data Protection Act.
Usha Patwal, of Romford, was given a two year conditional discharge and ordered to pay £614 prosecution costs by Havering Magistrates Court today.
The offence was uncovered when Patwal’s sister-in-law received text messages indicating that the caller knew about the medication she was taking at the time. She then contacted her doctors’ surgery – Gateway Medical Practice, Gravesend, Kent – to express her concerns. The investigation by the ICO uncovered that Ms Patwal had made a call to Gateway posing as an employee of the King George Hospital in Romford, Essex, on 29 December 2010. Further enquiries found that the sensitive medical information had been faxed to Ms Patwal at the Lawns Medical Centre where she was employed as a receptionist. The fax has never been found and Mrs Patwal did not co-operate with the ICO investigation by giving an explanation for her actions.
Information Commissioner, Christopher Graham, said:
“Medical records contain some of the most sensitive information possible. The medical centre’s receptionist was in a position of trust and abused her position for her own personal gain. This case demonstrates just how easy it can be to misuse personal data.
“Ms Patwal used her insider knowledge of the healthcare system to blag this information in an act that she believed would go undetected. The message from this case is clear: if you unlawfully obtain personal information there is always an audit trail, and you could end up in court.”
Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.
Source: Information Commissioner’s Office