Case Studies

Manager fined in data case

by Mark Rowe

A former manager of a health service based at a council-run leisure centre in Southampton was prosecuted by the Information Commissioner’s Office (ICO) for unlawfully obtaining sensitive medical information relating to over 2,000 people.

Paul Hedges took the information hoping to use the data for a new fitness company he was setting up. He was prosecuted under section 55 of the Data Protection Act at West Hampshire Magistrates Court yesterday and fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs.

Mr Hedges, who previously worked as a Community Health Promotions Manager based at Bitterne Leisure Centre, sent the information to his personal email account in April 2011 after being told that he was being made redundant. The 42 year-old had been responsible for managing the council’s Active Options GP referral service, where patients would be referred by their GP or other health professional to attend fitness sessions, for a range of conditions including obesity, diabetes, arthritis, and cardiac and mild mental health issues.

The information included sensitive medical details relating to 2,471 patients. The council became aware of their former employee’s actions when they received complaints about patients being approached by Mr Hedges; who had since set up a similar service using the Active Options name and branding.

Information Commissioner, Christopher Graham, said after the case: “People have a right to privacy and the ICO works to maintain that right. Nobody expects that their health records will be taken and used in this way. Mr Hedges had been told by Southampton Council about the need to keep patients’ details confidential, but he decided to break the law.

“This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behaviour of this kind should be recognised as a ‘recordable offence’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statue book but needs to be activated.

“The government must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.”

Related News

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing