Illegal access to personal data by staff is a common risk

A former staff advisor at the South Warwickshire NHS Foundation Trust was found guilty of accessing patient records without a valid legal reason. The case highlights that illegal access to personal data by staff, contrary to section 170 of the Data Protection Act 2018, is a risk common to every organisation.

In this case, Christopher O’Brien was working at the South Warwickshire NHS Foundation Trust in 2019 when he unlawfully accessed the records of 14 patients, who were personally known to him. He did so without a valid business reason and without the knowledge of the Trust.

On 3 August 2022, he pleaded guilty at the Coventry Magistrates’ Court and was ordered to pay £250 compensation to each of 12 patients, totalling £3,000.

Stephen Eckersley, ICO Director of Investigations, highlighted the broader significance of this case when he said: “This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it.”

He continued: “I would urge organisations to remind their staff about their data protection and information governance responsibilities, including how to handle people’s sensitive data responsibly.”
