Paul Hedges managed the council-run Active Options GP referral service at the Bitterne Leisure Center, Southampton. This service allowed local GPs to refer patients with certain health conditions (such as obesity, diabetes, arthritis, and cardiac and mild mental health issues) to the leisure center for fitness training. The process required the transfer of some medical notes from the GP to the leisure center.
When he was made redundant, Hedges decided to use the personal medical records he had been able to access through the council service to help establish his own company under the same Active Options name and branding, and he emailed the data to himself. He came unstuck when he tried to use that data: some of the patients he approached for his new business complained to the council. The council reported the matter to the Information Commissioner's Office (ICO), which investigated and prosecuted Hedges.
Yesterday at West Hampshire Magistrates Court he was fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 in prosecution costs. Information Commissioner Christopher Graham used the case to press his campaign for tougher sanctions. “This case shows why there is a need for tough penalties to enforce the Data Protection Act,” he said. “At the very least, behavior of this kind should be recognized as a 'recordable offense' which it isn't now. For the most serious cases the current 'fine only' regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statute book but needs to be activated.”
Generally speaking, the Data Protection Act holds the ‘data controller’ accountable for protecting personal data, and here the controller was the council rather than Hedges. In this instance, however, an ICO spokesman told Infosecurity that the ICO considered the council to have taken adequate precautions, including limiting access to staff with a ‘need to know’. Hedges was one of those staff and had a legitimate need for access, so the ICO concluded that his unlawful act, rather than any negligence on the council's part, was to blame.
The spokesman also pointed out, however, that this does not release other organizations from the obligation to take greater security precautions. It could be argued that the council could have used outbound email monitoring that would have flagged the exfiltration at the moment Hedges emailed the data to himself. The spokesman stressed that the ICO looks at each case on its own merits: because the leisure center does not, in the normal course of events, hold sensitive personal data, the ICO decided it had taken reasonable precautions and was not liable under the Data Protection Act. “We would expect other organizations that might hold such sensitive personal data in the normal course of their business to take greater security precautions,” he told Infosecurity.
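To show what the kind of monitoring mentioned above can look like in practice, the following is an added illustration written for this page; it is not code from the council, the ICO or anyone involved in the case. It scans a constructed mail-gateway log for outbound messages that carry record-like attachments, treats delivery to a personal webmail address or to the sender's own name at another domain as the classic “email it to myself” pattern, and uses the NHS number's mod-11 check digit to distinguish a column of patient identifiers from phone numbers and other ten-digit noise. The domain names, log format, thresholds, sample lines and attachment contents are all assumptions made for the example.

```python
"""Added illustration: a minimal outbound-mail review rule.  All domains,
log lines, thresholds and attachment text are constructed for the example."""
import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"council.example"}  # assumed organisation domain
PERSONAL_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.co.uk"}
SENSITIVE_NAME_RE = re.compile(r"referral|patient|client|medical|record", re.I)
NHS_CANDIDATE_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")
LOG_RE = re.compile(r"from=(?P<sender>\S+)\s+to=(?P<rcpt>\S+)\s+attach=(?P<attach>\S+)")
MIN_NHS_HITS = 5  # assumed threshold: one number is routine, a column is an export


def nhs_check_digit_ok(candidate: str) -> bool:
    """Mod-11 check used by NHS numbers: weights 10..2 over the first nine
    digits, check = 11 - (sum mod 11); a result of 11 means 0, 10 is invalid."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 10:
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11
    return check != 10 and check == int(digits[9])


def count_nhs_numbers(text: str) -> int:
    """Count ten-digit candidates whose check digit is valid."""
    return sum(1 for m in NHS_CANDIDATE_RE.finditer(text) if nhs_check_digit_ok(m.group()))


@dataclass
class Alert:
    line_no: int
    sender: str
    recipient: str
    reasons: list


def review_message(sender: str, rcpt: str, attach_name: str, attach_text: str = "") -> list:
    """Return the reasons to flag a message; an empty list means no alert."""
    if "@" not in sender or "@" not in rcpt:
        return []
    s_local, s_dom = sender.lower().rsplit("@", 1)
    r_local, r_dom = rcpt.lower().rsplit("@", 1)
    if s_dom not in INTERNAL_DOMAINS or r_dom in INTERNAL_DOMAINS:
        return []  # only mail leaving the organisation is in scope
    destination, content = [], []
    if r_dom in PERSONAL_MAIL_DOMAINS:
        destination.append("recipient is a personal webmail address")
    if r_local == s_local:
        destination.append("recipient local part matches sender (mail to self)")
    if SENSITIVE_NAME_RE.search(attach_name):
        content.append(f"attachment name suggests a record export: {attach_name}")
    hits = count_nhs_numbers(attach_text)
    if hits >= MIN_NHS_HITS:
        content.append(f"{hits} values with a valid NHS check digit in attachment")
    # Record-like content leaving the organisation is always worth review;
    # the destination indicators are added as context to raise the priority.
    return destination + content if content else []


def scan_log(lines, attachments) -> list:
    """attachments: constructed map of attachment name -> extracted text."""
    alerts = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = review_message(m["sender"], m["rcpt"], m["attach"],
                                 attachments.get(m["attach"], ""))
        if reasons:
            alerts.append(Alert(no, m["sender"], m["rcpt"], reasons))
    return alerts


# Constructed sample log and attachment text (not real people or records).
SAMPLE_LOG = [
    "2012-09-17T09:05:03 from=staff2@council.example to=planner@partner.example attach=timetable.pdf",
    "2012-09-17T10:11:00 from=staff3@council.example to=staff3@council.example attach=patient_list.xlsx",
    "2012-09-17T18:42:11 from=staff1@council.example to=staff1@gmail.com attach=referrals_2012.csv",
]
SAMPLE_ATTACHMENTS = {
    "timetable.pdf": "Mon 09:00 circuits; Tue 10:30 aqua; desk phone 023 8000 1234",
    "referrals_2012.csv": "\n".join(
        f"{n},referral,condition" for n in [
            "943 476 5919", "401 023 2137", "555 555 5555", "123 456 7881",
            "987 654 3210", "246 813 5792", "123 456 7890",  # last one fails the check
        ]),
}

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG, SAMPLE_ATTACHMENTS):
        print(f"line {alert.line_no}: {alert.sender} -> {alert.recipient}")
        for reason in alert.reasons:
            print("   ", reason)
```

Run as written, only the third sample line is flagged: the internal-to-internal message with a “patient_list” attachment is out of scope, and the timetable sent to a partner carries nothing record-like. The check-digit filter is what keeps the rule quiet on phone numbers and similar digit runs; a real deployment would add attachment extraction, per-sender baselines and an allow-list of legitimate external recipients, none of which the page discusses.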