We have previously written about a departing employee who breached the Data Protection Act 1998 by taking contact details of clients with her to her new role – resulting in her being left with a criminal record. Section 55 of the 1998 Act stated that a person who obtains personal data, knowingly or recklessly, without the consent of the data controller (in this case, the employer), is potentially guilty of a criminal offence. In 2018 the Data Protection Act 1998 was replaced by the Data Protection Act 2018 (DPA), and the old section 55 is now section 170 DPA. While the section numbers are different, the principle remains the same - employees who obtain personal data may still be guilty of a criminal act.

Christopher O’Brien, a former health advisor, is the latest person to fall foul of section 170 of the DPA. Mr O’Brien obtained the personal data of 14 patients, whom he knew personally, from South Warwickshire NHS Foundation Trust. He obtained this personal data throughout the course of his employment, without his employer’s knowledge or consent.

It is likely that Mr O’Brien accessed the personal data of the 14 patients for reasons of personal curiosity, as there was no legal reason for him to have access. On 3 August 2022, at Coventry Magistrates’ Court, he pleaded guilty to six counts of unlawfully obtaining personal data and was ordered to pay £250 compensation to each of the data subjects.

Although in this case Mr O’Brien suffered the consequences of his actions, employers will also need to bear in mind their own responsibilities. Articles 5(1)(f) and 32 of the GDPR put obligations on the data controller (usually the employer) to ensure that measures are in place to prevent data being unlawfully accessed in the first place. Article 5(1)(f) states that personal data should be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing…”, while Article 32 states that “the controller … shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

In many roles employees will need access to personal records in order to do their jobs, in which case it is difficult for employers to ensure that such data is not accessed in the way Mr O’Brien did. However, employers should nevertheless be mindful that steps still need to be taken as far as possible to prevent cases such as that of Mr O’Brien, e.g. putting in place the usual training, logging of data access, and access control policies and procedures. And of course, as a final concern, employers still need to think about the spectre of vicarious liability despite the helpful Supreme Court case of Morrisons (Lewis Silkin - Morrisons not liable for misuse of personal data by rogue employee).