A former trainee medical secretary working in a GP practice in England has been fined by a court after admitting to reading patients’ medical records for reasons unrelated to her job role.
Hannah Pepper began work at the Fakenham Medical Practice in August 2015, where her role required her to access medical records to help doctors, solicitors and insurance companies. She had also been given training on how to securely and ethically handle patient data.
But in October 2017, the practice discovered Ms Pepper had been reading the patient file of one of her work colleagues without their consent. Upon launching an internal investigation, it uncovered that Ms Pepper had illegally accessed the records of 231 patients.
The investigation revealed that some of the records belonged to work colleagues, family and friends, although many were also of the general public.
Ms Pepper admitted to four charges of unlawfully accessing data in breach of section 55 of the Data Protection Act 1998 at King’s Lynn Magistrates’ Court.
In an interview with the Information Commissioner’s Office (ICO) she accepted responsibility and could not justify her actions. She commented that she struggled with the monotony of some of her tasks.
She was fined over £1,000 in total, including costs and a victim surcharge.
ICO criminal investigation group manager Mike Shaw said: ‘People whose job allows them access to confidential and often sensitive information have been placed in a position of trust, and with that trust comes added responsibility.
‘Data protection law exists for a reason and curiosity or boredom is no excuse for failing to respect people’s legal right to privacy. Just because you can do something, that doesn’t mean you should’.
This is not the first time the ICO have brought forward a case like this.
Last year, former midwifery assistant Brioney Woolfe, who worked at Colchester Hospital University NHS Foundation Trust, was ordered to pay fines of over £1,700 at Colchester Magistrates’ Court after pleading guilty to unlawfully obtaining and unlawfully disclosing personal data.
Ms Woolfe had also accessed records of family members and colleagues over a two-year period.