Legal help for data breach compensation claims

“The NHS’ data protection obligation” – former NHS employee’s data breach shows the importance of the NHS’ duty to protect our data

Start Your Claim Today!

Your privacy is extremely important to us. Read how we handle your data in our Privacy Policy

The Information Commissioner’s Office (ICO) has prosecuted and fined a former NHS employee, Kayleigh Evans, for the unlawful access of personal information. The fine imposed amounted to more than £1,000.

The former employee of the Solent NHS Trust accessed sensitive medical records of a former girlfriend of her partner without need or proper authority. The ICO’s investigation concluded that Ms Evans accessed the medical records over a ten month period without consent.

Under section 55 of the Data Protection Act (DPA), the ICO has the power to impose monetary penalties on the wrongdoer. In this case, she was fined £400, ordered to pay £683.60 for prosecution costs, and a £40 victim surcharge.

DPA principles

The DPA sets out how sensitive and personal information should be dealt with by organisations, businesses, or the government. Everyone who is responsible for handling data should abide by the data protection principles and ensure that data is:

  • Used fairly and lawfully;
  • Used for limited, specifically stated purposes;
  • Used in a way that is adequate, relevant and not excessive;
  • Accurate;
  • Kept for no longer than is absolutely necessary;
  • Handled according to people’s data protection rights;
  • Kept safe and secure;
  • Not transferred outside the EEA without adequate protection.

NHSBSA legal obligation

In particular, the NHS Business Services Authority (NHSBSA) has a legal obligation to comply with all data protection legislation and procedures for our safety and privacy. The NHS also have the extra burden of complying with guidance from the Department of Health, the Health and Social Care Information Centre, advisory groups to the NHS, and other professional bodies. As shown in the Evans case, penalties may be imposed on NHSBSA employees for non-compliance.

There is no discrimination on which the policy applies, whether it be personal information processed, stored on computer, or in relevant filing systems. In the NHSBSA’s data protection policy, it states that the NHSBSA can permit employees to access records/data only in connection with their work. Ms Evans appeared to have accessed the medical records for personal reasons, which is prohibited.

NHSBSA code of practice

The importance of data protection within the NHS is highlighted in their Code of Practice. All employees must adhere to this code of practice when handling personal data. The two crucial points that I can draw out of this when dealing with personal data is whether there has been consent by the data controller and whether the access to records are for legitimate purposes.

Data protection specialists

The DPA is very relevant to highlight the importance of data protection in our growing digital age. Since the growing use of digital devices, our information has spread across many databases. In parallel to this, there is a growing concern of how our data is secured.

If you believe your personal information has been breached, our dedicated team of data protection lawyers are on hand to assist with your claim.

IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.

Request a call back from our team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.
All fields marked with an * are required.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy.
You have the right to object to the processing of your personal data.

First published by Editor on March 28, 2017
Posted in the following categories: Latest and tagged with


“SMEs reportedly not prepared for cyber-attacks” – More and more SMEs are subject to cyber-attacks and are worryingly not prepared for them
“Honesty is the best policy” – Consumers appreciate companies’ transparency in the event of a breach
%d bloggers like this: