Blog details

Unlawfully obtaining personal data results in the prosecution of former Health Advisor

Unlawfully obtaining personal data results in the prosecution of former Health Advisor

A former Health Advisor pleaded guilty to, and was prosecuted for unlawfully obtaining personal data, and was ordered to compensate his victims. 


A former Health Advisor has been prosecuted for obtaining the personal data of service users, particularly patients of South Warwickshire NHS Foundation Trust. He was found guilty of accessing the medical records of patients without a valid legal reason.While working at the South Warwickshire NHS Foundation Trust, he unlawfully accessed the records of 14 patients, all of whom he knew personally. These records were accessed between June and December 2019, without a valid business reason and without the knowledge of his employer, the NHS Foundation Trust.


The former Health Advisor pleaded guilty and was ordered to compensate each victim, for a breach that they say left them feeling anxious. 


On August 3rd, 2022 former Health Advisor, Christopher O’Brien appeared before Coventry Magistrates’ Court and pleaded guilty to 6 counts of unlawfully obtaining personal data, violating s170 of the Data Protection Act 2018. He was ordered to pay £250 compensation to each data subject, totalling £3,000. According to one of the victims, the breach left them worried and anxious about Mr O’Brien having access to their health records. Another victim mentioned that the breach put them off from going to their doctor.


The ICO Director of Investigations believes that this should be taken as a lesson and a reminder to employees with access to personal data. 


Stephen Eckersley, ICO Director of Investigations, said in a statement “Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, it potentially jeopardises the important relationship of trust and confidence between patients and the NHS.” He advises organisations to remind their staff about their data protection and information governance responsibilities. This includes how they should handle people’s sensitive data, and that they should do so responsibly. He believes this case should serve as a reminder to people that just because your position may allow you access to other people’s personal information, particularly special category data as is the case with health records, this doesn’t give you the legal right to look at it.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Prev post
La autoridad de control de Irlanda retrasa su decisión final sobre Meta Platforms
August 16, 2022
Next post
La obtención ilegítima de datos personales deriva en un proceso contra un asesor de salud
August 18, 2022

Leave a Comment