“Former NHS employee breaches data protection” – The ICO has fined a former employee around £1,300

“Former NHS employee breaches data protection” – The ICO has fined a former employee around £1,300

Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.

Start Your Claim
Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

The Information Commissioner’s Office (ICO) prosecuted and fined a former NHS employee, Beverley Wooltorton, for the unlawful access of personal information.

The fine imposed amounted to around £1,300 under section 55 of the Data Protection Act (DPA), where it’s unlawful for individuals to obtain personal data ‘knowingly’ (in this case) or ‘recklessly’ without the consent of the data controller, as well as accessing the information for personal reasons.

Nature of the breach

Ms Wooltorton accessed the medical records of people she knew, including estranged family members, which I’m sure she wouldn’t have gained consent for. As a result of the data breach, the ICO fined her £650 with a £30 victim surcharge and £638.60 to cover prosecution costs.

The data breach is almost identical to that of the case of Kayleigh Evans, where she also accessed medical records for personal reasons. The NHSBSA should ensure that all employees are trained and adhering to DPA principles in the hope that data breaches of this nature will decrease.

DPA principles

The DPA sets out how sensitive and personal information should be dealt with by organisations, businesses, and the government. Everyone who is responsible for handling data should abide by the data protection principles.

This is to make sure the information is:

  • Used fairly and lawfully;
  • Used for limited, specifically stated purposes;
  • Used in a way that is adequate, relevant and not excessive;
  • Accurate;
  • Kept for no longer than is absolutely necessary;
  • Handled according to people’s data protection rights;
  • Kept safe and secure;
  • Not transferred outside the EEA without adequate protection.

NHSBSA legal obligation

In particular, the NHS Business Services Authority (NHSBSA) has a legal obligation to comply with data protection legislation and procedures. The NHS also has the extra burden of complying with guidance from the Department of Health, the Health and Social Care Information Centre, and advisory groups to the NHS.

As shown in the Wooltorton case, penalties may be imposed on NHSBSA employees for non-compliance. The health sector handles the most sensitive of personal data, and it’s arguable that the NHSBSA’s legal obligation should be greater.

There is no discrimination on which the policy applies, whether it be personal information processed, stored on computers, or in relevant filing systems. In the NHSBSA’s data protection policy, it states that the NHSBSA can permit employees to access the records/data only in connection with their work. Ms Wooltorton seemed to have accessed the medical records for personal reasons, which is entirely prohibited.

NHSBSA code of practice

The importance of data protection within the NHS is highlighted in their Code of Practice. All employees must adhere to this code of practice when handling personal data. The two crucial points that I can draw out of this when dealing with personal data is whether there has been consent by the data controller, and whether the access to records are for legitimate purposes.

Data protection specialists

The DPA is very relevant to highlight the importance of data protection in our growing digital age. Since the growing use of digital devices, our information has spread across many databases. In parallel to this, there is a growing concern of how our data is secured.

If you believe that your personal information has been breached, our dedicated team of data protection lawyers can be on hand to assist you in your claim. We have represented a number of clients in near-identical claims to the Beverley Wooltorton case, and have been successful in helping them claim for what’s happened.

Start Your Claim

You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to create a call back with one of our expert Data Claims team.Information on how we handle your data is available in our Privacy Policy.

We offer genuine No Win, No Fee agreements for our clients. Why we do this is simple:

Leading Data Breach Lawyers
Our experience speaks for itself.
We will fight for your right to compensation.
Access to Justice
As a victim of a data breach or hack, you deserve your chance to get access to justice.
Risks Assessment
We carefully risk assess your case and take it on if we think we have a good chance of winning the claim.

Request A Callback From Our Team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

Contact is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'
arrow-up icon