Information Commissioner's Office
Former health adviser found guilty of illegally accessing patient records
A former health adviser has been found guilty of accessing medical records of patients without a valid legal reason.
Christopher O’Brien, 36, was working at the South Warwickshire NHS Foundation Trust when he unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. He did so without a valid business reason and without the knowledge of the Trust.
One of the victims said the breach left them worried and anxious about Mr O’Brien having access to their health records, with another victim saying the breach put them off from going to their doctor.
Mr O’Brien, of Long Compton, Warwickshire, pleaded guilty to unlawfully obtaining personal data in breach of section 170 of the Data Protection Act 2018 when he appeared at Coventry Magistrates’ Court on 3 August 2022. He was ordered to pay £250 compensation to 12 patients, totalling £3,000.
Stephen Eckersley, ICO Director of Investigations, recently said:
“This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it.
“Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, it potentially jeopardises the important relationship of trust and confidence between patients and the NHS.
“I would urge organisations to remind their staff about their data protection and information governance responsibilities, including how to handle people’s sensitive data responsibly."
Organisations can find data protection and information governance training and resources on the ICO website.
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has its head office in Wilmslow, Cheshire, and regional offices in Edinburgh, Cardiff and Belfast.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.
Latest News from
Information Commissioner's Office
Director’s Update – International Day for Universal Access to Information 202228/09/2022 12:25:00
This is the fourth in a series of updates from Warren Seddon, Director of FOI and Transparency.
ICO could impose multi-million pound fine on TikTok for failing to protect children’s privacy26/09/2022 14:10:00
TikTok could face a £27 million fine after an ICO investigation found that the company may have breached UK data protection law, failing to protect children’s privacy when using the TikTok platform.
ICO launches second consultation on the draft Data protection and journalism code21/09/2022 14:10:00
The Information Commissioner’s Office (ICO) has launched a second consultation on a draft code of practice about using personal data for journalism (the code).
Tribute to Her Majesty The Queen09/09/2022 14:20:00
Statement given by John Edwards, Information Commissioner.
ICO takes action against two government departments for failing to comply with the Freedom of Information Act 200009/09/2022 12:25:00
The Information Commissioner’s Office (ICO) has issued an enforcement notice to the Department for International Trade (DIT) and a practice recommendation to the Department for Business, Energy and Industrial Strategy (BEIS), for persistent failures to respond to information access requests within the statutory time limit.
ICO publishes guidance on privacy enhancing technologies07/09/2022 15:15:00
The Information Commissioner’s Office (ICO) has published draft guidance on privacy-enhancing technologies (PETs) to help organisations unlock the potential of data by putting a data protection by design approach into practice.
Halfords fined for sending nearly 500,000 unwanted marketing emails06/09/2022 12:15:00
The Information Commissioner’s Office (ICO) has fined Halfords Limited £30,000 for sending 498,179 unsolicited marketing emails to people without their consent.
“Children are better protected online in 2022 than they were in 2021” - ICO marks anniversary of Children’s code02/09/2022 16:20:00
The ICO is marking the anniversary of the groundbreaking Children’s code, that has changed how children are treated online.
ICO acting against eight individuals over alleged theft of road traffic accident data from garages30/08/2022 14:10:00
The Information Commissioner’s Office (ICO) has commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of people’s personal information from vehicle repair garages to generate potential leads for personal injury claims.