The Information Commissioner's Office (ICO) has prosecuted a GP surgery manager for unlawfully accessing the medical records of almost 2,000 patients registered with the practice.
37-year-old Steven Tennison was employed by the College Practice GP surgery in Maidstone when he repeatedly viewed information about 1,940 patients between August 2009 and October 2010.
His actions were discovered when the surgery practice manager asked to review Tennison's attendance file, which showed he'd accessed patients' records on 2,023 occasions.
Most of the records viewed related to women in their 20s and 30s and included the repeated snooping on details about a childhood friend of Tennison along with those of her son.
College Practice GP surgery confirmed that during his period of accessing patients records, he was only authorised to do so a total of three times and that was when the Practice Manager was away.
Tennison appeared in Maidstone Magistrates Court today and pleaded guilty to charges of unlawfully obtaining personal data under section 55 of the Data Protection Act. He was fined a total of £996 and ordered to pay a £99 victim surcharge and £250 prosecution costs.
"We may never know why Steven Tennison decided to break the law by snooping on hundreds of patients' medical records," said Stephen Eckersley ICO Head of Enforcement.
"What we do know is that he'd received data training and knew he was breaking the law, but continued to access highly sensitive information over a 14-month period," he continued.
Eckersley added his disappointment has to how one person had undermined the surgery through breaking data protection laws.
"The GPs and staff at College Practice GP surgery work hard to maintain the confidentiality of their patients' records. The irresponsible actions of one employee have undermined their work and he is now facing the consequences of his unlawful actions," he concluded.
Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes
Focus on cost efficiency, simplicity, performance, scalability and future-readiness when architecting your data protection strategy