Data Protection and Freedom of Information Update - January 2014

GP surgery manager prosecuted for unlawfully accessing patients' records

The Information Commissioner's Office ("ICO") has prosecuted a former GP surgery manager for unlawfully accessing the medical records of approximately 1,940 patients, who were registered with the College Practice GP surgery in Maidstone (the "Practice").

Steven Tennison, who appeared at Maidstone Magistrates Court on 3 December 2013, pleaded guilty to unlawfully obtaining personal data under section 55 of the Data Protection Act 1998 ("DPA").

It is an offence under section 55 to "knowingly or recklessly, without the consent of the data controller-

a) obtain or disclose personal data or the information contained in personal data; or
b) procure the disclosure to another person of the information contained in the personal data."

The offence is punishable by a fine only. The fine is unlimited in the Crown Court but it is capped at £5,000 in the Magistrates Court.

It was discovered that between 6 August 2009 and 6 October 2010, Mr Tennison had accessed patients' records on 2023 occasions. Most of the patient records viewed by Mr Tennison belonged to women in their twenties and thirties. One woman's record - reportedly a school friend of Mr Tennison - was repeatedly accessed along with that of her son.

The Practice confirmed that Mr Tennison was only required to access patients' records three times between August 2009 and October 2010, when the Practice Manager was on leave and Mr Tennison needed to investigate a complaint.

Mr Tennison was found guilty of the offence under section 55 of the DPA and was fined £996 and ordered to pay a £99 victim surcharge and £250 prosecution costs.

Stephen Eckersley, the ICO Head of Enforcement said, "We may never know why Steven Tennison decided to break the law by snooping on hundreds of patients' medical records. What we do know is that he'd received data training and knew he was breaking the law, but continued to access highly sensitive information over a 14-month period. The GPs and staff at College Practice GP surgery work hard to maintain the confidentiality of their patients' records. The irresponsible actions of one employee have undermined their work and he is now facing the consequences of his unlawful actions."

Following this decision, the ICO is calling for more effective deterrents against the unlawful use of personal information, including the availability of prison sentences to the Courts.

The case highlights the importance of organisations providing adequate data protection training to employees in order to lessen the risk of a data breach occurring due to human error, while also protecting the employer from liability if an individual employee deliberately misuses personal data held by their employer.

It is advisable for employers to have adequate data protection policy and procedures in place and that all relevant employees are provided with the necessary training. One area which is often overlooked by employers is that of temporary staff.

The ICO has only recently issued a warning to employers on the importance of providing adequate training to their employees, particularly in relation to temporary staff.

An ICO Enforcement Group Manager stated that, "If organisations are employing temporary or agency workers into positions that involve the handling and sending out of personal information then they must make sure these staff have received adequate data protection training."

As well as ensuring that employees have undertaken data protection training, employers should be vigilant to ensure that personal data cannot be stolen or removed from their offices via mobile devices, such as USB keys. Any personal data held on laptops should be securely encrypted, with rules in place to ensure that the movement of laptops from outside of the employer's premises is restricted.

Finally, should the worst happen, employers should have an effective data breach response plan already in place before any incident occurs. Such a response plan should consider the PR and commercial implications of a data breach as well as the compliance steps that the organisation will take.

Recent Decisions

Case Reference: FS50495066
Public Authority: Crown Prosecution Service ("CPS")

The complainant made a request to the CPS for internal communications dating from around the time of the publication of the Hillsborough Independent Panel's report. The CPS disclosed some information, but withheld the remaining information under sections 36(2)(b)(i) and (ii) (inhibition to the free and frank provision of advice and exchange views) and section 41(1) (information provided in confidence) of the Freedom of Information Act 2000 (the "FOIA").

The Commissioner was satisfied that the CPS had applied sections 36(2)(b)(i) and (ii) correctly and the CPS was therefore not required to disclose the information it withheld in accordance with those exemptions.

However, the Commissioner decided that the CPS had not applied section 41(1) correctly. It required the CPS to disclose the information it withheld from the complainant under the section 41(1) exemption.

Case Reference: FS50496832
Public Authority: Home Office

The complainant made a request to the Home Office for a copy of a report on healthcare provision at Campsfield House Immigration Removal Centre (the "IRC"). The Home Office withheld the information, relying on the section 36(2)(c) (prejudice to effective conduct of public affairs) and section 43(2) (prejudice of commercial interests) of the FOIA.

The Commissioner decided that, although both exemptions were engaged, public interest favoured the disclosure of the report.
The Commissioner required the Home Office to disclose to the complainant a copy of the report, ensuring that the copy disclosed had been appropriately redacted to remove all personal information identifying audit team members.

Case Reference: FS50497753
Public Authority: London Metropolitan University (the "University")

The complainant made a request to the University asking where he could access copies of recent minutes produced by the University.

The University's response explained that it had plans to publish the University's Board of Governors' minutes in the future. By virtue of section 22(1) FOIA (information intended for future publication) the University was not obliged to disclose the information requested before those minutes were published.

During the Commissioner's investigation, the University relied on further exemptions in the FOIA in relation to sections of the minutes, including section 30(2)(a)(iv) (investigations and proceedings), section 37(1) (communications with the Royal Household), section 42(1) (legal professional privilege) and section 43(2) (commercial interests).

The complainant did not require the Commissioner to consider the University's reliance on section 43(2), or the University's withholding of bank account numbers referred to in the minutes.
The Commissioner found that sections 22(1), 30(2)(a)(iv) and 42(1) did not apply to the minutes. However, the Commissioner did find sections 37(1) (communications with the Royal Household) applied and decided that it was in the public interest to withhold information that fell within the exemption.

The Commissioner therefore required the University to disclose the requested minutes to the complainant, with the exception of bank account numbers and the information falling under the section 37(1) and 43(2) exceptions.

Case Reference: FS50485593
Public Authority: Brooklands Primary School (the "School")

The complainant made a request to the School for anonymised statistical information concerning the progress of its pupils' reading ability.

The School did disclose the majority of information asked for by the complainant, but used a 'below 3' response where a pupil's reading ability had been assessed at 0,1 or 2, in order to reduce the risk of individual pupils being identified.

The School relied on the exemption in section 40(2) FOIA (personal information), stating that disclosure of the withheld information would contravene the first data protection principle, which requires fair and lawful processing of personal data.
Following the Commissioner's investigation, it was decided that most of the redacted information did not amount to personal data. The Commissioner held that the remaining redacted information fell within section 40(2).

The Commissioner required the School to disclose to the complainant, in unredacted form, the information it held that fell within the complainant's request, with the exception of information that fell within section 40(2).

Case Reference: FS50498552
Public Authority: Dyfed Powys Police (the "DP Police")

The complainant made a request for all emails held by DP Police that referred to a specific individual dating from January 2008.
DP Police informed the complainant that it would exceed the cost limit to confirm to the complainant whether or not it held the information requested and that the exemption under section 12(2) FOIA applied (where the cost of compliance exceeds appropriate limit).

The Commissioner decided that DP Police had correctly applied section 12 by providing a reasonable estimate of the costs associated with complying with the request. However, it had breached section 16(1) FOIA (duty to provide advice and assistance), by failing to provide advice and assistance to the complainant as to how he could refine his request to bring it within the cost limit.

The Commissioner required DP Police to take reasonable steps to advise and assist the complainant in bringing his request within the cost limit.

Send us a message