21 January 2012

Losses

The UK Information Commissioner (ICO) has highlighted responses to three data breaches.

In the first, former health worker Juliah Kechil has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband's family in order to obtain their new telephone numbers. She had been a Health Care Assistant in the Royal Liverpool University Hospital's outpatients department. She was fined £500 and ordered to pay £1,000 towards prosecution costs, along with a £15 victim surcharge, following conviction under s 55 of the Data Protection Act at Liverpool City Magistrates' Court. The Commissioner notes that -
Royal Liverpool University Hospital began an investigation in November 2009 when the defendant's father-in-law contacted the hospital after receiving nuisance calls which he suspected had been made by his former daughter-in-law. Having changed his phone number in July 2009 following unwanted calls from Ms Kechil, he was immediately concerned that there had been a breach of patient confidentiality.

Checks by the hospital revealed that all of the patients whose details had been compromised were not at any time under the medical care of Ms Kechil and she had no work-related reasons to access their records. She accessed the information for her own personal gain without the consent of her employer. The accesses were traced through audit trails which were linked to the defendant’s smartcard ID.
The Commissioner noted that the ICO - somewhat more positive than the Australian OAIC - "continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information".
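The hospital's finding rested on two checks against its audit trail: whether the staff member had any care relationship with the patients whose records were opened, and the fact that the accesses were tied to an individual smartcard ID. The following is an added example of how such a retrospective audit-log check can be automated; it is not code from the hospital, the ICO or the original post. The audit-trail CSV format, the smartcard and patient identifiers, and the care-relationship register are all constructed for illustration, and the burst check (several distinct records opened within a few minutes) is an assumed heuristic rather than anything the ruling describes.

```python
"""Audit-trail review: record accesses with no care relationship, plus burst lookups."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit trail (hypothetical format): one row per record
# access, keyed on the staff member's smartcard ID.
AUDIT_TRAIL = """\
timestamp,smartcard_id,patient_id,field
2009-07-02T09:14:00,SC-1001,P-201,demographics
2009-07-02T09:15:30,SC-1001,P-202,demographics
2009-07-02T09:16:10,SC-1001,P-203,demographics
2009-07-02T10:02:00,SC-2045,P-330,clinical_notes
2009-07-03T14:40:00,SC-1001,P-330,demographics
"""

# Constructed care-relationship register: which smartcards are legitimately
# assigned to which patients (e.g. derived from clinic attendance lists).
CARE_RELATIONSHIPS = {
    "SC-1001": {"P-330"},
    "SC-2045": {"P-330", "P-331"},
}


def parse_audit_trail(text):
    """Parse the CSV audit trail into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def find_unjustified_accesses(rows, care_relationships):
    """Return rows where the smartcard holder had no care relationship with the patient."""
    flagged = []
    for row in rows:
        allowed = care_relationships.get(row["smartcard_id"], set())
        if row["patient_id"] not in allowed:
            flagged.append(row)
    return flagged


def summarise_by_smartcard(flagged):
    """Count unjustified accesses per smartcard so investigators can prioritise."""
    counts = defaultdict(int)
    for row in flagged:
        counts[row["smartcard_id"]] += 1
    return dict(counts)


def burst_lookups(rows, window=timedelta(minutes=10), min_patients=3):
    """Flag smartcards that opened at least min_patients distinct records within `window`.

    Returns {smartcard_id: largest number of distinct patients seen in one window}.
    """
    by_card = defaultdict(list)
    for row in rows:
        stamp = datetime.fromisoformat(row["timestamp"])
        by_card[row["smartcard_id"]].append((stamp, row["patient_id"]))
    bursts = {}
    for card, events in by_card.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            patients = {pid for t, pid in events[i:] if t - start <= window}
            if len(patients) >= min_patients:
                bursts[card] = max(bursts.get(card, 0), len(patients))
    return bursts


if __name__ == "__main__":
    rows = parse_audit_trail(AUDIT_TRAIL)
    flagged = find_unjustified_accesses(rows, CARE_RELATIONSHIPS)
    for row in flagged:
        print(f"{row['timestamp']} {row['smartcard_id']} -> {row['patient_id']} "
              f"({row['field']}): no care relationship on record")
    print("per smartcard:", summarise_by_smartcard(flagged))
    print("burst lookups:", burst_lookups(rows))
```

The care-relationship check is the one that carries weight in a case like this, because it turns "accessed a record" into "accessed a record with no work-related reason", which is what the hospital had to establish; the burst heuristic is only a prioritisation aid and will also surface legitimate clinic sessions, so it should narrow an investigator's queue rather than decide anything on its own.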

In the second response Praxis Care Limited, a care provider with offices in the Isle of Man and Northern Ireland, has "taken action to improve its data protection practices" following a joint ruling by the ICO and the Office of the Data Protection Supervisor (ODPS) for the Isle of Man.

Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep people's data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man in August last year. Some of the data was sensitive and related to individuals' care and mental health. The stick has not been recovered.

Praxis has "now committed to making sure that all portable devices used to store personal data are encrypted", with personal information that is no longer needed being disposed of securely in line with the company’s updated data security guidance. The Commissioner commented that -
Carrying people’s personal information around on an unencrypted memory stick is clearly unacceptable. The fact that some of the personal details stored on the device were out of date and so surplus to requirements makes this breach all the more concerning.

The ICO will continue to work closely with other data protection regulators where it is clear that a data breach extends across national boundaries.
A separate undertaking has been signed by the Chartered Institute of Public Relations (CIPR), the organisation whose practitioners tend to advise on the thing to say when clients let personal information go feral.

The CIPR has made a formal undertaking with the ICO over the loss of up to 30 membership forms on a train in May last year. The Institute - nothing like looking ahead, given the frequency of data breaches - did not have a policy in place for handling personal data outside of the office. It has agreed to review its data protection policy and "make sure that it is communicated to staff" by the end of February.