16 November 2017
Just because you can, doesn’t mean you should.
Most people are familiar with this phrase, but what is its relevance in the world of data protection?
Put simply, just because your job may give you access to other people’s personal information, that doesn’t mean you have the legal right to look at it, let alone share it. In fact, doing so without a valid reason or the knowledge of your employer is a criminal offence and could lead to prosecution by the Information Commissioner’s Office and a day in court.
The consequences don’t stop there. If found guilty, you’ll face a fine and possibly have to pay prosecution costs. The court case will likely be covered by local media and the details played out over the internet. Not only could you lose your job, but your future employment prospects could be irreparably damaged too.
Careers and reputations can be destroyed over nothing more than simple nosiness or personal curiosity.
So far this year, we have secured eight convictions against NHS employees who were caught prying into the medical records of patients, friends, colleagues or other people they knew without a valid or legal reason.
Such behaviour can be extremely distressing for the victim. Not only is it an invasion of their legally ensured fundamental right to privacy, it potentially jeopardises the important relationship of trust between patients and the NHS and can be damaging to the reputation of the health service as a whole.
Yet the NHS still finds employees ignoring all their training and breaking the law, in this case s55 of the Data Protection Act 1998.
The law exists for a reason. People have rights over how their data is processed, especially sensitive data like health records. It is only right that people’s privacy is protected and, when it is not, the ICO will take action against those responsible.
Of course, this issue is not unique to the NHS. In 2017, we have also prosecuted cases involving employees in local government, charities and the private sector, the latter cases often involving an element of financial gain.
At the moment, s55 offences can only be punished with a fine – the eight convictions this year attracted fines and costs totalling more than £8,000 - but in the future, we would like to see custodial sentences introduced as a sentencing option for the courts in the most serious cases.
A related press release has been published today.
Mike Shaw heads the ICO’s Criminal Investigations Team, responsible for investigating criminal breaches of the Data Protection Act and Freedom of Information Act. These include offences such as unlawfully obtaining and disclosing personal data.