The good news is that, after reviewing the prosecutions brought by the ICO for DPA violations, I have not found a single psychologist who has been prosecuted. There are plenty of the usual suspects — marketing firms, charities, local councils, counsellors, and even the Crown Prosecution Service.
I think this reinforces my assurances to you in our webinars, our video, and these posts that if you follow the fundamental principles of keeping your data safe, minimising how much of it you keep, and always knowing where it is, you are unlikely to breach the rules and, therefore, unlikely to end up on the carpet before the ICO.
Below is a link to the ICO’s page of enforcement actions. Reading it, even if only in summary, is valuable in gaining a perspective of who frequently violates the regulations, what those violations are, and what the consequences are. Please note that the fines imposed did not approach “break the bank” sort of penalties when individuals were involved.
An Excellent Case Study That Could Happen To YOU!
I found this case to be an excellent resource for people in our line of work. We handle similar data to barristers and solicitors, we often use the same IT infrastructures, and we often rely on help from people who may not be aware of our obligations to privacy. I am familiar with the type of breach that occurred and have, in the past, used the breach when doing investigations into companies for court claims. I leave you to read it, several times, because it can so easily happen to any of us if we depart from the principles.
Taking Data Without Authorisation
A former employee of a community-based counselling charity has been prosecuted by the ICO at Preston Crown Court. Robert Morrisey sent spreadsheets containing the information of vulnerable clients to his personal email address without any business need to do so, which was without the consent of the data controller.
11 emails were sent from his work email account on 22 February 2017, which contained the sensitive personal data of 183 people, three of whom were children. The personal data included full names, dates of birth, telephone numbers and medical information. Further investigation showed that he had sent a similar database to his personal account on 14 June 2016.
Mr Morrisey pleaded guilty to 3 offences under section 55 of the Data Protection Act and was sentenced to a 2 year Conditional Discharge, ordered to pay costs of £1,845.25 and a £15 Victim Surcharge.
Accessing Without Need
A former administrator employed by Kent and Medway NHS and Social Care Partnership Trust has been prosecuted by the ICO at Medway Magistrates’ Court.
Nicola Wren accessed the sensitive medical records of a patient who was known to her 279 times in a three-week period, without any business need to do so, which was without the consent of the data controller. Ms Wren pleaded guilty to the offence under section 55 of the Data Protection Act and was fined £300, ordered to pay costs of £364.08 and a £30 Victim Surcharge.
A former employee of Colchester Hospital University NHS Foundation Trust, Brioney Woolfe, has been prosecuted at The Colchester Magistrates’ Court. The former Midwifery Assistant pleaded guilty to two offences under section 55 of the Data Protection Act for accessing the sensitive health records of friends and people she knew and disclosing some of the personal information obtained. Ms Woolfe was fined £400 for the offence of obtaining personal data and £650 for disclosing it. Ms Woolfe was ordered to pay prosecution costs of £600 and a victim surcharge of £65.
As you can see, the most common breaches likely in our profession will be due to a loss of our ethics, i.e. accessing data we shouldn’t, taking data we shouldn’t (perhaps because we are setting up in business), or sharing it as gossip. The most dangerous is probably the one where we don’t know where our data is, as in the case of the barrister, and where we failed to ask those questions of principle that I outlined in another post.
Keep it locked up. Use it for its intended purpose. Stay clean.