Personal data must be safe from prying eyes

By Mike Shaw, Enforcement Group Manager.

Just because you can, doesn’t mean you should.

Most people are familiar with this phrase, but what is its relevance in the world of data protection?

Put simply, just because your job may give you access to other people’s personal information, that doesn’t mean you have the legal right to look at it, let alone share it. In fact, doing so without a valid reason or the knowledge of your employer is a criminal offence and could lead to prosecution by the Information Commissioner’s Office and a day in court.

The consequences don’t stop there. If found guilty, you’ll face a fine and possibly have to pay prosecution costs. The court case will likely be covered by local media and the details played out over the internet. Not only could you lose your job, but your future employment prospects could be irreparably damaged too.

Careers and reputations can be destroyed over nothing more than simple nosiness or personal curiosity.

So far this year, we have secured eight convictions against NHS employees who were caught prying into the medical records of patients, friends, colleagues or other people they knew without a valid or legal reason.

Such behaviour can be extremely distressing for the victim. Not only is it an invasion of their legally ensured fundamental right to privacy, it potentially jeopardises the important relationship of trust between patients and the NHS and can be damaging to the reputation of the health service as a whole.

Yet the NHS still finds employees ignoring all their training and breaking the law, in this case s55 of the Data Protection Act 1998.

The law exists for a reason. People have rights over how their data is processed, especially sensitive data like health records. It is only right that people’s privacy is protected and, when it is not, the ICO will take action against those responsible.

Of course, this issue is not unique to the NHS. In 2017, we have also prosecuted cases involving employees in local government, charities and the private sector, the latter cases often involving an element of financial gain.

At the moment, s55 offences can only be punished with a fine – the eight convictions this year attracted fines and costs totalling more than £8,000 – but in the future, we would like to see custodial sentences introduced as a sentencing option for the courts in the most serious cases.

A related press release has been published today.

Mike Shaw heads the ICO’s Criminal Investigations Team, responsible for investigating criminal breaches of the Data Protection Act and Freedom of Information Act. These include offences such as unlawfully obtaining and disclosing personal data.



11 Responses to Personal data must be safe from prying eyes

  1. Jacky York says:

    Hi, my understanding is that at the moment the UK DP bill going through Parliament doesn’t include the Section 55 sanctions. Can you confirm this? And are there plans afoot to keep this criminal aspect after May next year?

  2. Hi Mike, lovely to see you online… long time no speak! I’m now a cyber protect officer at Titan, the North West ROCU - drop me a line and let’s try and meet up.

  3. Anonymous says:

    The ICO has not enforced the Data Protection Act 1998 or the Freedom of Information Act, their two main roles. Personal data is being fraudulently manipulated by companies (Data Controllers) to assist themselves by embellishing falseness because debts are assets on company balance sheets, but more crucially the Financial Service Providers/Banks.
    The vehicle is ‘late payment markers that are contrived’. Companies add these to customer accounts when they should be allocated as ‘internal billing errors in-house’.
    When challenged, companies will instantly remove.
    Challenge the Credit Agency and they will ‘decline to comment’.
    It’s a complete mess because of the inability of the ICO.

  4. Barry Shiel says:

    ICO will take action, what a joke!
    You must be a comedian Mike Shaw, or ain’t got a clue what is really going on!

  5. Barry Shiel says:

    Would you like to tell everyone about the security breach case related to unlawful disclosure in unwarranted circumstances which was not necessary that you have had escalated to the ICO?
    The one related to Mr P case, investigation complaint reviewers 2015/2016 annual report page 9.
    Or the ICO annual report 2015/2016 page 24, data protection issues paragraph 2. Where ICO confirm data recorded is disproportionate, but still have not done anything to disassociate that person who has never so much as been arrested in his life, and was not employed, as a result of retention and disclosure.

  6. Fatiha Abali says:

    Thank you for this article, a real eye opener!

  7. Anonymous says:

    Steven Bailey

  8. Pingback: ICO pushes for jail phrases for private knowledge snoops – Magnerd

  9. Neil says:

    The ICO avoid prosecuting at all costs

  10. Markb says:

    Yes, it is very essential. Data must be accurate, kept safe and secure, as particularly nowadays many businesses are investing millions together for data protection aspects.

  11. Pingback: GDPR Friday Roundup – 8th December 2017 – The Data Guardians
