Media outlets, including the BBC, have indicated that the Information Commissioner's Office (ICO) is assessing reports that patient notes of The Princess of Wales were inappropriately accessed by staff at the "London Clinic".
According to the reports at least one member of staff at the clinic, where The Princess of Wales recently underwent abdominal surgery, "was said to have been caught trying to access" the notes.
Any investigation by the ICO is likely to consider whether a criminal offence might have been committed by an individual or individuals. Section 170 of the Data Protection Act 2018 says that a person commits an offence if they obtain or disclose personal data "without the consent of the controller". Here, the "controller" will be the clinic itself. The ICO themselves have the power to bring prosecutions.
Although there are defences available to someone charged with the offence - such as that they reasonably believed they had the right to "obtain" the personal data, or on grounds of public interest - such defences are unlikely to apply where someone knowingly accesses patient notes for no valid or justifiable reason.
The section 170 offence is (in England and Wales) a "recordable offence" (one where the police may keep a record of a conviction on the police national computer), in contrast to the equivalent offence under the prior Data Protection Act. However, it remains an offence only punishable by a fine. In England and Wales, although the maximum fine is unlimited, there is no possibility of any custodial sentence. Recent prosecutions by the ICO under section 170 have seen a council officer fined for unlawfully accessing social services records, and a tracing agent fined for illegally obtaining personal information to check if customers of a high street bank could repay their debts.
A further area of potential investigation for the ICO will be whether the clinic itself complied with its obligations under the UK GDPR to have "appropriate technical or organisational measures" in place to keep personal data secure (Article 5(1)(f)). Serious failures to comply with that obligation could lead to civil monetary penalties from the ICO, to a maximum of £17.5m (although, in reality, given that such civil "fines" must be proportionate, it is rare that such large sums are even considered by the ICO).
Individuals, such as - in this case - the princess, can also bring claims for compensation under the UK GDPR, and for "misuse of private information", where their data protection and privacy rights have been infringed.
Whatever the outcome from the ICO, anyone working in an environment where they might have access to personal data, particularly of a sensitive nature, should be aware that there are potential criminal law implications arising from unauthorised access, and any organisation holding such information should ensure it has appropriate measures in place to prevent, or at least reduce the risk, of such access.