Unless Trust colleagues are involved in the direct care of a patient, or the administration of that care, there is absolutely no reason why they should be accessing any healthcare record.
Not only is this wholly unprofessional and a clear breach of patient confidentiality, it is also illegal. Under the UK General Data Protection Regulation (UK GDPR), specifically Article 5(1)(a), such unlawful access or disclosure of personal information is considered to be data theft and is a criminal act.
The Information Commissioner’s Office (ICO) has the authority to take action against individuals who have committed such an offence under the UK GDPR, which may lead to a substantial fine and prosecution.
It is also a criminal offence, under the same legislation, for colleagues to access their own healthcare record held by the Trust. The Trust is the data controller and effectively “owns” this information and accessing it without consent is illegal. If Trust colleagues would like to see their healthcare record they should follow the same process that is in place for patients, namely the data subject access request (DSAR) procedure.
This legislation goes hand in hand with the Caldicott principles for handling personal information, in particular principles 4 and 6.
Principle 4 - Access to patient identifiable information should be on a strict need-to-know basis.
Principle 6 - Understand and comply with the law.
Access to all electronic Trust systems that hold patient information is audited, so it is quite straightforward for our IT colleagues to see who has accessed a patient record, when they have accessed it and what the purpose of that access was.
Healthcare information can be extremely sensitive and patients put their faith in us to look after and protect this information from unauthorised access. They are aware that various professionals within the Trust will of course require access to their healthcare record to provide them with the best care possible, but do not expect their record to be accessed by colleagues who are not involved with their care.
Not only will such instances of unauthorised or inappropriate access result in severe penalties for the individuals concerned, they will also reflect badly on the Trust itself and could even result in a fine of up to £17.5 million, or 4% of our total annual turnover, whichever is higher, under UK GDPR Article 83(5)(a).
Colleagues should think twice before accessing any records relating to patients’ healthcare where they are not directly involved in delivering this care or its associated administration. As well as facing disciplinary action from the Trust that may result in them losing their job, they may be struck off their respective professional register. They may also find themselves facing a court case which could result in a hefty fine and a criminal record.