Employee receives caution for obtaining and attempting to sell medical records
Within the media recently, there have been a number of allegations that employees have accessed medical information without the requisite authority and consent to do so.
The Information Commissioner’s Office has issued a press statement confirming that it has cautioned an individual following its criminal investigation into the unlawful obtaining and disclosure of medical information to a third party without the consent of the data controller.
According to BBC news reports, the investigation was the result of a report that a former healthcare worker of a private medical clinic tried to obtain and then sell the Princess of Wales’ medical records.
Ian Hulme, the ICO’s Executive Director for Regulatory Supervision, said:
“People should be able to trust that the personal information they're giving to healthcare settings is safe and protected from exploitation. When this trust is broken, it's right that the law allows us to take action.
“We will not hesitate to pursue criminal prosecution where it is necessary and proportionate to do so.”
Why is this so serious?
Medical information is quite obviously confidential information, often highly sensitive and deeply personal to the individual. There is a presumption of confidentiality between medical staff and the patient. Our willingness to share information with a health professional to be able to access health services is based on the trust and expectation that it is being shared in a confidential setting. Irrespective of how high-profile someone might be, we all have a reasonable expectation and a legal right that the information shared will remain private and confidential.
From a data protection law perspective, health records fall into the special category of personal data, which is the most sensitive kind of personal data. To process special category personal data, the data controller (the company or healthcare provider holding the data) must have a lawful basis for processing and, in most cases, needs an Appropriate Policy Document. As the personal data held and processed will be high risk, a data controller should also carry out a risk assessment and record it in a DPIA. The DPIA requires a data controller to consider what personal data it holds, why it holds it, how it is processed, and how it will comply with the data protection legislative framework, for example by limiting who has access and by keeping the data secure.
Criminal offence
Section 170 of the Data Protection Act 2018 makes it a criminal offence to knowingly or recklessly obtain or disclose personal data without the consent of the data controller, s.170(1)(a). It is also an offence to sell the personal data that has been obtained without the consent of the controller in circumstances in which an offence is committed under subsection (1), at s.170(4), and attempting to sell is also a criminal offence, at s.170(5).
The ICO investigation centred on s.170(5).
The ICO’s statement confirmed that it did not find any failings with the healthcare organisation that met the threshold for regulatory enforcement, and the organisation itself confirmed that it had cooperated with the ICO’s investigation.
How can businesses protect themselves?
As a data controller responsible for processing special category personal data, alongside identifying the lawful basis under Articles 6 and 9 of the UK GDPR for the processing and having a comprehensive privacy policy, you might want to consider the following as part of your internal processes.
Storage
Pursuant to Article 5 of the UK GDPR, data controllers have an obligation to ensure that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful access. As a data controller, you should consider how and where personal data, including special category data, is stored. Systems should be password-protected, with each member of staff having their own unique login, and should be able to produce an audit trail of who accessed which records and/or what information may have been downloaded. It may also be possible to set an alert that notifies you of unauthorised access or of attempted unauthorised access.
Access control
Regularly review access controls. Only those employees who require access to the personal data to perform their role should be able to access it.
Be vigilant: consider whether the controls need to be revised, and make sure you are able to confirm that only authorised employees are accessing particular personal data.
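The Storage and Access control points above come together in one routine check: take the per-record audit trail the system produces and compare it against who is still employed, who is on each patient's care team, and what each role is permitted to do. The script below is an added illustration, not code from the article, the ICO or any clinical system; the CSV audit format, the user and patient identifiers, the care-team and role tables and the log lines are all constructed for the example. It flags three things the article warns about: access by an account that should have been deactivated (a former worker), access to records with no care relationship, and a burst of record downloads by one user.

```python
"""Audit-trail review for a patient-record system (added illustrative example).

Assumptions (constructed for this example, not from the article): the system
writes one CSV line per record access, and the controller maintains a list of
active staff accounts and a per-patient care-team list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp, user, role, action, patient id.
AUDIT_LOG = """\
2024-03-18T09:02:11,u101,nurse,view,P-0001
2024-03-18T09:05:40,u101,nurse,view,P-0002
2024-03-18T11:47:03,u207,clerk,view,P-0099
2024-03-18T11:47:20,u207,clerk,download,P-0099
2024-03-18T11:48:01,u207,clerk,download,P-0100
2024-03-18T11:48:15,u207,clerk,download,P-0101
2024-03-18T11:48:30,u207,clerk,download,P-0102
2024-03-18T22:15:00,u333,nurse,view,P-0099
"""

# Constructed reference data: u333 has left the organisation but the account
# was never removed, which is exactly what a periodic access review catches.
ACTIVE_USERS = {"u101", "u207"}
CARE_TEAM = {                      # patient -> staff with a treating relationship
    "P-0001": {"u101"},
    "P-0002": {"u101"},
    "P-0099": {"u101", "u207"},
    "P-0100": {"u101"},
    "P-0101": {"u101"},
    "P-0102": {"u101"},
}
ROLE_ACTIONS = {                   # least privilege: what each role may do
    "nurse": {"view"},
    "doctor": {"view", "download"},
    "clerk": {"view"},
}


def parse_log(text):
    """Parse the constructed CSV audit trail into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "patient": patient})
    return events


def find_unauthorised_access(events):
    """Return (user, patient, reason) for every access outside authorised use.

    Checks are ordered from most to least serious; each event gets at most one reason.
    """
    findings = []
    for e in events:
        if e["user"] not in ACTIVE_USERS:
            findings.append((e["user"], e["patient"], "inactive account"))
        elif e["user"] not in CARE_TEAM.get(e["patient"], set()):
            findings.append((e["user"], e["patient"], "no care relationship"))
        elif e["action"] not in ROLE_ACTIONS.get(e["role"], set()):
            findings.append((e["user"], e["patient"],
                             f"action '{e['action']}' not permitted for role {e['role']}"))
    return findings


def find_bulk_downloads(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: peak downloads inside any `window`} for users at or over `threshold`.

    A sliding window over each user's sorted download timestamps catches a burst
    of record exports regardless of whether each individual access was permitted.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "download":
            by_user[e["user"]].append(e["ts"])
    alerts = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[user] = peak
    return alerts


if __name__ == "__main__":
    evts = parse_log(AUDIT_LOG)
    for finding in find_unauthorised_access(evts):
        print("UNAUTHORISED:", finding)
    for user, count in find_bulk_downloads(evts).items():
        print(f"BULK DOWNLOAD: {user} exported {count} records within 10 minutes")
```

In practice the active-user list comes from the HR or identity system and the care-team list from the clinical system, so the review is only as good as how promptly leavers are removed from the former. Running this on a schedule, or wiring the same checks to a live alert, is what turns an audit trail from a record you consult after a complaint into the evidence base the article describes under Employment impact.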
Data Protection Impact Assessment and Appropriate Policy Document
For most data controllers processing special category data, you will need to complete and keep updated an Appropriate Policy Document (which records that the processing of special category data is compliant with your obligations under the UK GDPR) and a Data Protection Impact Assessment (which records a risk assessment to identify and minimise the risk in data processing of a particular project or plan).
Regularly review the two documents, and if something changes within your organisation, update them.
Policies & staff training
Ensure you have robust policies and procedures in place regarding the handling of data, whether that is client/customer personal data or, as in this case, medical information. Don’t just communicate that information to employees – regularly provide staff training and refresher courses.
Employment impact
Employees who access, disclose or seek to profit from confidential information without authorisation are likely to face disciplinary action. This is due to the serious nature of the conduct, which breaches not only data protection regulations but also the trust and confidence placed in the employee. Breaches like this could amount to gross misconduct.
When responding to a suspected misuse of personal data by an employee, organisations should ensure that any concerns are investigated promptly and fairly in accordance with their own disciplinary procedure and the ACAS Code of Practice. This includes (but is not limited to) gathering relevant evidence, providing the employee with an opportunity to respond to the allegation and considering all of the facts before determining an appropriate sanction. The access audit trails described above will form part of your evidence gathering.
It is also important to ensure that confidentiality obligations are clearly set out in employees’ contracts of employment, staff handbooks and workplace policies, including informing employees of the potential consequences of misuse. Regular training can further reinforce these obligations and help ensure that employees understand the standards expected of them. Having clear, well-communicated policies places the organisation in a stronger position to defend any challenges raised by employees.
The policies and processes that an organisation has in place and being able to demonstrate enforcement of those processes and regular training form part of your statutory obligations as a data controller, and will be considered by the ICO should there be a regulatory breach.
As well as taking action against the employee, as a data controller, you must consider your own statutory reporting obligations to notify the ICO, where a notification should be made promptly and within 72 hours of becoming aware of the incident. You may also need to consider contacting the individual(s) whose personal data may have been unlawfully accessed and informing them of the potential infringement of their legal rights.
