Thousands of people everyday must copy, save or forward information for innocent or mischievous purposes but now there is a quotable case that can be used to deter such risky activities.
A former manager of a health service based at a council run leisure centre in Southampton has been prosecuted by the Information Commissioner’s Office (ICO) for unlawfully obtaining sensitive medical information relating to over 2,000 people.
Paul Hedges took the information hoping to use the data for a new fitness company he was setting up. He was prosecuted under section 55 of the Data Protection Act at West Hampshire Magistrates Court yesterday and fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs.
Mr Hedges, who previously worked as a Community Health Promotions Manager based at Bitterne Leisure Centre, sent the information to his personal email account on 28 April 2011 after being told that he was being made redundant. The 42 year-old had previously been responsible for managing the council’s Active Options GP referral service, where patients would be referred by their GP or other health professional to attend fitness sessions, for a range of conditions including obesity, diabetes, arthritis, and cardiac and mild mental health issues.
The information included sensitive medical details relating to 2,471 patients. The council became aware of their former employee’s actions when they received complaints about patients being approached by Mr Hedges; who had since set up a similar service using the Active Options name and branding.
Christopher Graham the UK Information Commissioner was quoted as saying:
People have a right to privacy and the ICO works to maintain that right
Nobody expects that their health records will be taken and used in this way. Mr Hedges had been told by Southampton Council about the need to keep patients’ details confidential, but he decided to break the law.
This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behaviour of this kind should be recognised as a ‘recordable offence’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statue book but needs to be activated.
The government must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.