The ICO recently prosecuted Paul Hedges, a former leisure centre manager, for unlawfully obtaining sensitive medical information relating to 2,471 patients. Hedges was charged £3,000 and ordered to pay a £15 victim surcharge and £1,376 costs. Hedges set up a fitness company having received a redundancy notice from Southampton Council. To promote his new company he forwarded sensitive patient records to himself.
The ICO was satisfied with the Council's data security measures which allowed only relevant employees, including Hedges, to have access to sensitive data. By forwarding the data to himself Hedges was seen to be 'on a frolic of his own' as this was not permitted by the Council.
This case highlights the ICO's willingness to clamp down on individuals who exhibit a blatant disregard for data protection laws: Hedges was told specifically to keep patient details confidential.
The ICO's view is that this case highlights the need for custodial sanctions and not just fines for individuals who blatantly disregard data protection laws.
Employers should take care to educate and inform their employees about their personal responsibilities to comply with data protection policies. This case shows the benefit to employees of having robust and effective data protection policies and procedures in place. The Council was able to avoid liability for its delinquent employee's actions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.