Health worker breaches Data Protection Act, gets £1500 fine

Breaches of the Data Protection Act, almost commonplace in 2011, continue into the new year of 2012. As has often been the case, the incident reported this week is another breach involving a health care worker gaining access to records on the centralised systems.

Recently it was reported that the Information Commissioner was going to crack down on the health care sector, as the data it holds is generally considered amongst the most sensitive information people disclose. It remains to be seen whether the ICO crackdown will significantly change behaviour.

Yesterday (12 Jan) the Information Commissioner reported:

A former health worker has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.

Juliah Kechil, formerly known as Merritt, a former Health Care Assistant in the outpatients department at the Royal Liverpool University Hospital, was convicted under section 55 of the Data Protection Act at Liverpool City Magistrates Court today. She was fined £500 and also ordered to pay £1,000 towards prosecution costs and a £15 victim surcharge.

In this instance, it appears that the control measures in place at the Royal Liverpool University Hospital were sufficient for the hospital to properly audit the employee’s activity and prevent the ICO issuing a finding against them.

The important lessons for any conscientious business owner are:

  • Make sure your audit and access management systems are sufficient for you to detect misuse and properly identify the guilty party. Failure to implement these measures could leave you, rather than the actual perpetrator, liable for a DPA breach.
  • Educate your staff on their obligations to protect sensitive data. While this case is about a DPA breach, malicious or negligent employees can compromise any of your data, and if it is important to you, you can bet it is important to someone else.
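As an added illustration of the first point (example code, not part of the original post or anything Halkyn Consulting or the hospital uses), the check below runs over a constructed access log and asks the question the hospital's audit evidently could answer: did the staff member have a care relationship with each patient whose record they opened? Accesses with no appointment in the staff member's department within a week are flagged, and the flags are then totalled per staff identifier so the audit points at a person rather than a pile of events. Staff ids, patient ids and departments are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not taken from the ICO report). Each access record is
# (timestamp, staff_id, staff_department, patient_id); each appointment is
# (patient_id, department, appointment_date). All identifiers are placeholders.
ACCESS_LOG = [
    ("2012-01-09 09:05", "hca017", "outpatients", "P1001"),
    ("2012-01-09 09:20", "hca017", "outpatients", "P1002"),
    ("2012-01-09 12:41", "hca017", "outpatients", "P2001"),
    ("2012-01-09 12:43", "hca017", "outpatients", "P2002"),
    ("2012-01-09 12:44", "hca017", "outpatients", "P2003"),
    ("2012-01-10 08:15", "nur042", "cardiology", "P3001"),
    ("2012-01-10 08:30", "nur042", "cardiology", "P1001"),
]
APPOINTMENTS = [
    ("P1001", "outpatients", "2012-01-09"),
    ("P1002", "outpatients", "2012-01-10"),
    ("P3001", "cardiology", "2012-01-10"),
]


def has_care_relationship(access, appointments, window=timedelta(days=7)):
    """True if the patient had an appointment in the accessing staff member's
    own department within +/- window of the access; treated as a legitimate
    reason to open the record."""
    ts, _staff, dept, patient = access
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    for pid, appt_dept, date in appointments:
        if pid != patient or appt_dept != dept:
            continue
        if abs(datetime.strptime(date, "%Y-%m-%d") - when) <= window:
            return True
    return False


def flag_unjustified(log, appointments):
    """Return every access record that no care relationship explains."""
    return [a for a in log if not has_care_relationship(a, appointments)]


def summarise_by_staff(flagged):
    """Count distinct patients per staff id: the audit output that identifies
    the individual, not just the events."""
    seen = defaultdict(set)
    for _ts, staff, _dept, patient in flagged:
        seen[staff].add(patient)
    return {staff: len(patients) for staff, patients in seen.items()}


if __name__ == "__main__":
    flagged = flag_unjustified(ACCESS_LOG, APPOINTMENTS)
    for record in flagged:
        print("UNJUSTIFIED", *record)
    print(summarise_by_staff(flagged))
```

On the sample data the three consecutive accesses by hca017 with no appointment behind them are flagged, as is nur042 opening a patient who was seen only in another department; a real deployment would feed this from the system's access log and appointment booking data rather than inline lists.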

Another benefit of making sure your employees are properly educated on how to behave is that it is a lot better than having to replace them!

Remember, while the ICO fines relate only to the misuse of personal data, you need to consider how all your corporate data is being used. Do you know whether your employees are accessing sensitive information (deliberately or negligently) and then allowing it to leak? If not, the first you may hear of it is when a competitor beats you to the punch – at which point it is too late and your security is already compromised.

Security only works when it is proactive and effectively implemented. Don't try to save money by only spending after the horse has bolted. This is always a mistake.

It really is always in your best interests to develop and implement a robust security plan, and to ensure that all your employees are aware of what is expected of them. If you want assistance in developing or implementing such a plan, then get in touch with Halkyn Consulting and we will be pleased to work with you on every step of the journey.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years' experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks and producing mitigation plans worldwide, in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential-standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in-depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks, as well as project managing the development of secure, compliant, workable business processes.