ICO prosecutes rogue GP surgery manager

News by Steve Gold

A rogue GP surgery manager has been successfully prosecuted by the Information Commissioner's Office for illegally accessing patients' medical records.

A manager who oversaw the finances of a GP's practice in Maidstone has been prosecuted by the ICO after accessing the medical records of around 1,940 patients registered with the surgery.

A 37-year-old man has pleaded guilty to charges of unlawfully obtaining personal data at the GP surgery where he worked. He has been fined a total of £996 and ordered to pay a £99 victim surcharge plus £250 prosecution costs.

Steven Tennison's offences - which were illegal under s55 of the Data Protection Act - came to light in October 2010 when he GP Practice Manager was asked to review his attendance file, as well as his accesses of the surgery's patient records system.

This showed that between August 2009 and October 2010 he had accessed patients' records on a total of 2,023 occasions, most of which related to women in their 20s and 30s, and were unauthorised.

Commenting on the case, Stephen Eckersley, the ICO's Head of Enforcement, said that, whilst we will never know why Tennison decided to break the law and snoop on hundreds of patients' medical records, we do know that he had received data training - and knew he was breaking the law.

"The GPs and staff at College Practice GP surgery work hard to maintain the confidentiality of their patients' records. The irresponsible actions of one employee have undermined their work and he is now facing the consequences of his unlawful actions," he said.

Security analyst Nigel Stanley, CEO of Incoming Thought, told SCMagazineUK.com that the case highlights the potential problem of rogue employees, which he says is a difficult security issue to mitigate against.

It also, he says, highlights the importance of developing an effective incident response for those security situations where the worst happens, and data - and/or IT systems - are compromised.

"There are really two types of incident that you need to prepare for: either one caused by an incompetent member of staff, or a deliberate act by an employee who is competently malicious," he said.

"My advice to any organisation - including a GP's practice like this one - is to put systems in place to not only prevent a system being compromised, but also to deal with the aftermath if things go wrong," he added.

These systems, he explained, include good security hygiene, a good security firewall, an effective security plan and multiple layers of technology.

On top of this, he told SC, you also need to have good staff training and a statement of security governance that all employees must agree to.

As part of the security planning, he says, there also needs to be an effective data breach incident response plan. This needs to be in place, he adds, before any incident takes place.   

"The planning process will include issues such as a risk assessment and the likelihood of something happening, as well as arranging with competent third party organisations for the provision of services, such as digital forensics, legal input and an effective public relations plan," he said, adding, “Use of affective PR, allows an organisation to ensure that its message gets across well following an incident.

"This includes effective crisis management and communications with everyone involved about what the organisation is doing to remediate the situation," he explained.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews