The Hollybrook Medical Centre data breach is another example of an employee (or former employee in this case) who has abused their rights of access to data.
In this case, former GP Practice Manager, Shamim Sadiq, was suspended and dismissed on unrelated matters from the Hollybrook Medical Centre in November 2017. The day after the suspension came into force, Sadiq reportedly accessed her work email account and committed a data breach by sending information to her personal email address.
She was still able to access the account because she was also employed as an advisor for the Care Quality Commission, and therefore still had access to her NHS email account.
How the Hollybrook Medical Centre data breach was discovered
The Hollybrook Medical Centre data breach incident committed by Sadiq was discovered when a member of staff was given access to Sadiq’s account after her suspension. The email forwarding was discovered, and Sadiq was duly referred to the Information Commissioner’s Office (ICO) for the breach.
The data that was misused was information relating to 13 application forms for vacancies at the Practice. The misused data included names, addresses, email addresses, National Insurance numbers and the information of referees.
There was no lawful reason for the data to have been forwarded to her personal email address.
What are the lessons to be learned here?
Ultimately, the Hollybrook Medical Centre data breach incident happened because of the illegal actions of a former employee. Sadiq retained access to her NHS account as a result of her special advisory role to the CQC.
So, could it have been stopped?
It could be argued that, as she still had access to the account, there was nothing that could have been done. In the alternative, perhaps the Practice ought to have foreseen that an incident could occur on the basis that she would still have access to her account.
Ultimately, this is another case of an NHS employee abusing their rights to the data that they can access. We represent a lot of people who claim NHS data breach compensation because of how commonly such incidents occur. Incidents where employees have abused their right of access to information are not an uncommon problem.
Aftermath of the Hollybrook Medical Centre data breach
As a result of the Hollybrook Medical Centre data breach that Sadiq committed, she appeared at Derby Magistrates Court. Sadiq admitted to unlawfully accessing personal data and has been ordered to pay fines and costs of over £500.00.
Speaking about the incident, the ICO’s Steve Eckersley said:
“People have a right to expect that their personal data will be handled securely. NHS staff have access to a great deal of personal sensitive data and are therefore in a position of trust. Ms Sadiq betrayed this trust.
She was an experienced practice manager and had completed relevant training in line with NHS guidelines so would have been aware of appropriate practices in terms of handling personal data.”
IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.