Curiosity can be a great thing. However, it can get the better of some people.
This can enter into dangerous territory.
Staff in GP surgeries may think they are not doing anything that bad when they snoop on the records of family, friends, neighbours or acquaintances, but it can bring about potentially serious consequences.
Just last year, the Information Commissioner’s Office (ICO) reported how a former nurse at Southport and Ormskirk Hospital NHS had inappropriately accessed patients’ medical records without permission. She admitted unlawfully obtaining and disclosing personal data and was fined and ordered to pay costs and a victim surcharge.
For GP surgeries, this type of behaviour damages the relationship of trust and confidentiality between patients and the NHS. It needs to be avoided at all costs and dealt with quickly when it does happen.
How can employers prevent employees prying into patient records?
From an HR and Employment Law perspective, the first thing to do is make sure employees know about your data protection policy. Make sure they know their responsibilities and the consequences if they fall short.
In your policy, you should reserve the right to:
- Look at the contents of all incoming and outgoing work emails
- Review the history of web pages visited using work devices
- Have a call recording system in place (for example, for training, quality or service delivery purposes).
This may deter employees from inappropriately accessing and using data, and it can also help you investigate matters if you suspect a breach.
Employees are under an implied duty of fidelity. This means that if an employee does use or disclose confidential information without your permission, it could be considered to be gross misconduct and pave the way for summary dismissal. As always, look to an Employment Law company to make sure you are on the right side of the law when dismissing.
If you notice someone covertly scanning or photocopying data or copying files onto an external drive, you can apply for an injunction to secure and recover the data that has been stolen.
Additionally, you can also have a policy outlining rules about accessing patient records, highlighting that the employee cannot access the records of relatives. You may also decide to include in the policy that employees should declare if relatives are patients so you can be alert to any unusual activity on those records.
What can employers do if there has been a breach?
The EU General Data Protection Regulation came into force on 25th May 2018, bringing about key changes to data protection rules. In cases of data breaches, for example unauthorised access to personal data which is likely to result in a risk to the rights and freedoms of individuals, businesses must notify the ICO without undue delay and where possible no later than 72 hours after the breach.
The ICO guidance states that “All health service organisations in England must now use the Data Security and Protection Incident Reporting tool (the incident reporting tool for the NHS in England). This will report SIRIs (Serious Incident Requiring Investigation) to the NHS Digital, Department of Health, ICO and other regulators.”