ICO warns NHS employees that unlawfully accessing patient records is an offence

The Information Commissioner’s Office (ICO) has reminded NHS staff about the potentially serious consequences of prying into patients’ medical records without a valid reason.                   

The warning came after a former health care assistant was ordered to pay a total of £1,715 in fines and costs after pleading guilty to offences of unlawfully obtaining and unlawfully disclosing personal data.

Colchester Magistrates’ Court was told Brioney Woolfe accessed the medical records of several people without a business purpose to do so while employed as a health care assistant by Colchester Hospital University NHS Foundation Trust.

An investigation, which followed a complaint by a patient, established that Woolfe had accessed the records of 29 people including family members, colleagues and others where no connection with the defendant is known, between December 2014 and May 2016. Some of the information was subsequently shared with others. That was not only a breach of patient confidentiality but also against the Data Protection Act.

Woolfe, 29, of Stour Close, Dovercourt, Essex, was fined £400 for the offence of obtaining personal data, and a further £650 for the offence of disclosing personal data. She was also ordered to pay a contribution of £600 towards prosecution costs, plus a victim surcharge of £65.

The case is one of several ICO prosecutions involving staff illegally accessing health records in recent months and Head of Enforcement Steve Eckersley said:

“Once again we see an NHS employee getting themselves in serious trouble by letting their personal curiosity get the better of them.

“Patients are entitled to have their privacy protected and those who work with sensitive personal data need to know that they can’t just access it or share it with others when they feel like it. The law is clear and the consequences of breaking it can be severe.”


GDPR Summit London is a dedicated event which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at http://www.gdprsummit.london/