In a recent case, Plymouth Hospital NHS Trust was ordered to pay compensation to a patient after one of its employees unlawfully gained access to the man’s medical records. The nurse who accessed the data was the man’s partner at the time. The patient claimed that the breach of the Data Protection Act 1998 (DPA) and the way his subsequent complaint regarding the matter was handled had made worse a pre-existing paranoid personality disorder and prevented him from working. He was awarded damages of £12,500 for exacerbation of his pre-existing medical condition and £4,800 for loss of earnings.
In a second case, a former health worker at the Royal Liverpool University Hospital pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family so that she could obtain their new telephone numbers.
The matter came to light when a man contacted the hospital after receiving nuisance calls which he suspected had been made by his former daughter-in-law. He had previously changed his phone number following unwanted calls from her and was immediately concerned that there had been a breach of patient confidentiality. Checks by the hospital revealed that none of the patients whose details had been compromised were at any time under the woman’s care and she had no work-related reasons to access their records. She had accessed the information for her own purposes without the consent of her employer and was fined £500 for breach of the DPA and also ordered to pay £1,000 towards prosecution costs and a £15 victim surcharge.
Meanwhile, the European Commission has announced proposals for significant reform of data protection legislation. The Information Commissioner’s initial response to the proposals can be found on the website of the Information Commissioner's Office.