The Times reported at the weekend that various medical and nursing professionals "are being investigated for illegally prying into Sir Alex Ferguson's medical records while he was in hospital fighting for his life in the summer". It is understood that the Salford Royal Hospital staff are suspected of accessing the notes merely to "satisfy their own personal curiosity". The Information Commissioner's Office (ICO) has apparently been informed.
It has long been a feature of UK data protection law that a person who knowingly, or recklessly, obtains or discloses personal data without the consent of the relevant data controller is guilty of an offence (subject to certain exceptions and defences). This is separate to the civil liability of the data controller itself, where the data controller fails to observe its statutory obligation to process personal data in a manner that ensures appropriate security. The "data obtaining" offence (previously at section 55 of the Data Protection Act 1998, and now at section 170 of the Data Protection Act 2018) is normally prosecuted by the ICO (anyone else who wishes to bring a prosecution will need the consent of the Director of Public Prosecutions).
Such prosecutions are relatively rare (the ICO's own statistics suggest it has successfully brought only eighteen in the last two years). However, they present a particular challenge and reputational threat to employers. "Obtaining" personal data does not just mean physically stealing it, but also includes viewing or accessing it, so employers would be well advised to have appropriate technology and systems to monitor who has accessed both computerised and manual records. Furthermore, in circumstances where employees or former employees have physically stolen data, recovery of it can be a complex and expensive process, requiring specialist legal and technology experts.
It remains to be seen whether, firstly, any of the people alleged to have inappropriately accessed Sir Alex's records will be subject to a prosecution, and, secondly, whether the hospital itself (or the Trust that runs it) will be investigated regarding its compliance with its own civil law obligations. However, the story is a timely reminder that there are restrictions as to who can, or should, access sensitive personal data, and potential criminal sanctions for those who do access it without proper cause.
Mishcon de Reya's expert data protection and data theft lawyers can assist and advise organisations who are subject to, or threatened by, unlawful access to and taking of data.