Employee fined for unlawfully obtaining health information

A former manager of a health service based at a council-run leisure centre in Southampton has been prosecuted by the Information Commissioner’s Office (ICO) for unlawfully obtaining sensitive medical information of more than 2,000 people.

It was revealed that Paul Hedges procured the information hoping to use the data for a new fitness company he was setting up, and was yesterday (22 May 2013) prosecuted under section 55 of the Data Protection Act at West Hampshire Magistrates’ Court. He was fined £3,000 and ordered to pay £1,376 in prosecution costs.

The Court heard that Mr Hedges sent the information to his personal email account on 28 April 2011 after being told that he was being made redundant.

In his role as a Community Health Promotions Manager at Bitterne Leisure Centre, Mr Hedges was responsible for managing the council’s Active Options GP referral service, where patients would be referred by their GP or other health professional to attend fitness sessions, for a range of conditions including obesity, diabetes, arthritis, and cardiac and mild mental health issues.

Get our essential weekday HR news and updates. Instagram This field is for validation purposes and should be left unchanged. Work Email Keep up with the latest in HR... This field is hidden when viewing the form Optin_form This field is hidden when viewing the form Optin_date Year Month Day This field is hidden when viewing the form Batch_Newsletter

The information that Mr Hedges attained included sensitive medical details relating to 2,471 patients and the council became aware of their former employee’s actions when they received complaints about patients being approached by Mr Hedges; who had since set up a similar service using the Active Options name and branding.

Following the ruling, Information Commissioner, Christopher Graham, said:

“People have a right to privacy and the ICO works to maintain that right.

“Nobody expects that their health records will be taken and used in this way. Mr Hedges had been told by Southampton Council about the need to keep patients’ details confidential, but he decided to break the law to benefit his new business.”

He continued:

“This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behaviour of this kind should be recognised as a ‘recordable offence’ which it isn’t now.

“For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statue book but needs to be activated.”

He concluded:

“The Government must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.”