What happens when your staff ignore their data protection training and access sensitive personal data?
As was widely reported recently, a number of staff at the Salford Royal Hospital accessed the medical records of Sir Alex Ferguson after his treatment this May for a brain haemorrhage.
The hospital have reported that several staff are under investigation “in relation to an information governance breach”. Whilst the hospital have notified the Information Commissioner’s Office (ICO) and apologised to Sir Alex, what other penalties could the hospital face?
Depending upon when the breaches occurred will determine the level of fines that the hospital could face. If it was after 25 May 2018, then the new fines regime will kick in, as will the potential remedy open to Sir Alex.
Looking across Europe for guidance, there was a fine by the Portuguese equivalent of the ICO on a Portuguese hospital of 400.000 € for infringement of the GDPR in July of this year.
Whilst the fine has not been published, according to press reports, the ICO equivalent carried out an investigation at the hospital which revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient – the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor’s speciality. The fine imposed related to the fact that the hospital did not put in place appropriate technical and organisational measures to protect patient data.
Whilst the level of access is not quite at these Portuguese levels, the fact is that employees of the hospital who were not involved in the treatment of Sir Alex had unrestricted access to his sensitive medical records and this of itself would suggest that there were inadequate technical or organisational measures in place to protect patient information. Whilst the hospital may suggest that they have a legitimate interest in allowing unrestricted access to medical information for appropriate medical practitioners, particularly when dealing with emergency medical cases, I suspect that the actions of this small number of employees will highlight the weaknesses in the current system and will prompt some changes. If they were to undertake a Data Protection Impact Assessment and were to implement privacy by design, then tighter access control measures will be a must.
The ICO have indicated that the following factors will be taken into account in determining the level of the fine:-
- Nature, gravity and duration of the failure
- Intention of negligent character of the failing
- Action taken by the organisation to mitigate the damage or distress
- Degree of responsibility of the controller (taking into account technical and organisational measures the company has implemented)
- Previous failures
- Degree of co-operation with the ICO
- Categories of personal data involved
- Manner the ICO found out (i.e. was it self-referral or some other method)
Any fine has to be “effective, proportionate and dissuasive”, so Salford Royal Hospital can expect a fine and can only hope that it is not towards the upper end for a minor data breach (the lesser of up to €10M or 2% of the gross turnover of the hospital).
Turning to the personal claim of Sir Alex, whilst after the event he indicated that “Without those people who gave me such great care, I would not be here today”, it remains to be seen whether or not he has a similar level of gratitude when he realises that his sensitive personal data has been breached. He would be entitled, in terms of the Data Protection Act to seek compensation for non-financial loss, in effect the injury to his feelings.
This is a salutary lesson to all businesses. You provide your staff with access to personal data, in order that they are able to perform their duties and responsibilities as part of their employment, but what consideration have you given to who should be accessing that information and what controls do you have in place to prevent your staff from accessing information they do not need to see. The obligation to have appropriate technical and organisational measures is on you. The obligation to put in place the right data protection policy and to train your staff is on you. Now is perhaps the time to carry out your own review.
For More Information Contact:
Mobile: 07841 920 102
Direct Dial: 0141 530 2023
Mobile: 07973 924 333
Direct Dial: 0141 530 2022
The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.