Data Protection in the Spotlight

In Tuesday’s Lancashire Telegraph it was reported that the East Lancashire NHS Trust had eleven cases of staff members unlawfully accessing patient records over a three year period between April 2011 – April 2014. These instances of ‘snooping’ were not taken lightly by the NHS and resulted in the staff members involved being subject to disciplinary hearings, with two receiving final written warnings and another two staff members being dismissed.

The findings are contained within the NHS Data Breaches report published by Big Brother Watch, a campaign group aimed at protecting the individual’s right to privacy and civil liberties. The report sought to highlight the extent of data breaches across the whole of the NHS and a Freedom of Information request was sent to all NHS Trusts and Bodies in order to obtain the information.

The report shows that there have been at least 7,255 data protection breaches nationwide over the three year period, which is equivalent to six breaches every day. Of those breaches, there were at least fifty instances of data being posted on social media and 251 instances of data being inappropriately shared with a third party.

The hospital trust with the highest number of breaches was the South West Yorkshire Partnership NHS Foundation Trust (Mental Health), with 869 breaches over the three year period. However, some trusts declined to respond to the information request, relying on the exemption of excessive cost and time under the Data Protection Act (‘the Act’). Others simply failed to provide any response at all.

The Law

Under current UK law, anyone who processes personal information must comply with the 8 principles of the Act, which requires personal data:

  • to be processed fairly and lawfully
  • to be obtained for one or more specified and lawful purposes and processed in a way which is compatible with that purpose or those purposes
  • to be adequate, relevant and not excessive
  • to be accurate and up to date
  • to be processed in accordance with the rights of the individual under the Act
  • to kept in a secure place
  • not to be transferred to other countries without adequate protection

Powers of the Information Commissioner’s Office (‘ICO’)

Unlawfully obtaining or accessing personal data is a criminal offence. The offence is punishable by way of a fine up to £5000 in the Magistrates Court or an unlimited fine in the Crown Court.

In a recent press release the ICO, the authority responsible for the governance and enforcement of data protection, detailed the prosecution of a pharmacist who had unlawfully accessed the medical records of family members, work colleagues and local health professionals. The pharmacist was tried in the Magistrates Court and received a fine of £1000. He was also ordered to pay a £100 victim surcharge and £608.38 prosecution costs. In another case, a company director was fined £500 for illegally accessing a mobile phone company’s customer database. The director had obtained the information by impersonating a member of the security team of the mobile phone provider during calls and emails to legitimate mobile phone distributors.

The unlawful processing of personal data by employees can also have an impact on the employer. The ICO has the power to impose an monetary penalty notice (‘MPN’) of up to £500,000 on a person (or business) who is responsible for processing personal data (known as a ‘data controller’), where there has been:

a)                  a serious failure to comply with the data protection principles; and

b)                  such failure is likely to cause substantial damage or substantial distress; and

c)                  the failure must have either been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

Calls for greater sentencing powers

Whilst the current penalty for breach of the Act is limited to a fine only, there are calls for stronger sentencing powers to deal with the more serious breaches including instances where information is unlawfully obtained and subsequently sold on to third parties.

The ICO reported that deputy PM Nick Clegg supported this idea, saying “The penalties that exist at the moment are pathetic”. This is echoed in the Big Brother Watch report, which includes as a key policy recommendation that custodial sentences should be an available punishment for serious data breaches, a measure which is also backed by the Justice Select Committee, the Home Affairs Select Committee, the Joint Committee on the Draft Communications Data Bill and Lord Leveson.

With the elections looming in the not so distant future, it is possible that these proposals for increased powers could come to fruition relatively soon. With this in mind it is even more important for businesses to be aware of their obligations under the Act and ensure that they have processes in place which are compliant with the data protection requirements.

How businesses can avoid breaching the Act

In order to ensure that your business does not fall foul of the Act, you should consider the following:

  • Do you have policies in place which deal with Data Protection?
  • Have all staff been made aware of the policies and have they received all necessary training?
  • Are all electronic and paper systems which hold personal data secure?

For advice and assistance with producing a data protection policy and for any other data protection matters, contact Daniel Milnes, Forbes’ data protection expert and partner in the Business Law Department.  Alternatively, for advice on how to deal with employees suspected of committing a breach of data protection, please contact our Employment Law Department.


This entry was posted in Corporate & Restructuring, Employment Law and tagged , , , , , .