Former GP surgery secretary fined for reading medical records of 231 patients in two years
A former trainee secretary at a GP surgery has been fined after she admitted unlawfully reading the records of 231 patients in two years.
Hannah Pepper was employed at the Fakenham Medical Practice in Norfolk in August 2015 and her duties included lawfully accessing medical records to assist doctors, solicitors and insurance companies.
However, although she had been trained in the legal and ethical requirements for patient confidentiality, the surgery discovered in October 2017 that she had been reading a work colleague’s patient file without consent.
A subsequent investigation by the surgery found that Pepper had illegally accessed 231 patient records with no valid reason. These included colleagues and their families, her own relatives, friends and acquaintances and also members of the public.
In a subsequent interview with the Information Commissioner’s Office (ICO) she accepted she had no justifiable reason for accessing the records and suggested that at times she struggled with the monotony of some of her tasks.
Pepper, aged 23, of Ashside, Syderstone, Norfolk, admitted four charges of unlawfully accessing personal data in breach of s55 of the Data Protection Act 1998 when she appeared at Kings Lynn Magistrates’ Court.
She was fined £350 and was also ordered to pay costs of £643.75 and a victim surcharge of £35.
Mike Shaw, the ICO’s Criminal Investigation Group Manager, said:
“People whose job allows them access to confidential and often sensitive information have been placed in a position of trust, and with that trust comes added responsibility.
“Data protection law exists for a reason and curiosity or boredom is no excuse for failing to respect people’s legal right to privacy. Just because you can do something, that doesn’t mean you should.”
If you need more information, please contact the ICO press office on 0303 123 9070, or visit the media section on our website.
Notes to Editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation, the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Privacy and Electronic Communications Regulation 2003.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- A limited number of criminal enforcement cases – including this case – are still being dealt with under the provisions of s55 of the Data Protection Act 1998 because of the time when the breach of the legislation occurred.
- Criminal prosecution penalties are set by the courts and not by the ICO.
- To report a concern to the ICO, telephone our helpline on 0303 123 1113 or go to ico.org.uk/concerns.