This is a rare event indeed: a data subject has taken successful action for compensation under section 13 of the Data Protection Act. Normally what happens if a data controller has caused damage is that there is an out-of-court settlement with a gagging (sorry "confidentiality") clause so no-one is the wiser. The claimant …
If you have nothing to hide you've never had an ex?
No, no, Mycho
"If you have nothing to hide you've never had an ex?"
If you have nothing to hide you've never had a wife?
So, nothing for the illegal access?
The article explains that the sums awarded were for the losses the victim sustained as a result of the access to his records - but no mention is made of any award as a consequence of the unauthorised access itself.
So if you or I had our medical records downloaded (by a partner, stalker, nosey bugger or just randomly), but we didn't suffer any losses as a result, this story doesn't sound like we'd be eligible for any remuneration.
It would be interesting to know if the person who accessed this information has been prosecuted and punished for their acts.
I see your point...
...but this is a civil action and in such actions damages are generally awarded to compensate for loss or harm rather than to punish; consequently it's unsurprising that the damages were calculated upon the basis that they were.
You are correct. The Data Protection Act allows for compensation if you have suffered a financial loss only. You get nothing if it is distress alone that was caused.
Who's in charge of security at the facility? Have they been fired?
And how much time and money and person-hours has been spent in court costs for the guy's 12,500quid compensation? Was it worth it?
Again, have they been fired?
I hope not
Authorised people looking at data they shouldn't is not really a security problem. Provided the access logs were in good shape I'd say the security team were pretty much in the clear. The app designers might have some questions to answer about granularity of access control.
Ideally there'd be an alert for accessing non-current patient records, but that sort of control can be frustrated by all sorts of organisational issues, poor identity management etc, and it's sadly not that common.
I don't see anyone getting sacked for this. I can imagine someone getting budget for more sophisticated log monitoring.
I expect the nurse has been disciplined (presumably meaning she lost her job). Medical confidentiality is taken pretty seriously.
Whoever is in charge of security is probably doing their job fine. You'd expect nurses to be able to access patient records, right?
No they wont have been....
The nurse probably will have been fired but as far as security goes no one will be fired.
Patient systems work on Role Based Access. As a nurse they will have had access to patients within the system regardless of admission status and generally have the ability to view patients histories, present conditions etc. Some require you to confirm you have authorised access to the record with the patient, some don't.
This isn't a security breach but data misuse someone will review whether the access level used was required but I doubt it will go much further than that!
The fact that there is a court case suggests the system is working. It has logged access to the records and this has been detected.
Contrast this will your paper medical records that are held in a filing cabinet. Anyone with a key can look at them and nobody would be the wiser.
We could require people to get authorisation every time they access data, except this would reduce the amount of work people do and require even more forms and another database to hold the information about those forms.
Why does anyone need to be fired?
If we were all at risk of being fired for the slightest mistake then no one would ever have time or opportunity to learn from our mistakes and we'd have a suffocating culture of fear in the workplace. That sounds worse to me.
my name is sean grinyer and i am the said individual
no they wernt fired, even though i told the chief executive mr paul roberts of the plymouth nhs trust that the individual also accessed over peoples information with a date also, but it was ignored, the security it manager mr tony daniels at the time was involved in the trust conspiracy to cover up the offences, ive had 2 judges turn a blind eye to the said trusts lies to the police and the ico, court etc i am now waiting for permission to appeal on the 26th jan 2012 at exeter court. was it worth it, i am someone who will not be bullied into submission by the government and all its resources, they have destroyed my life/health through all their lies coersion and corruption that i can prove through documentation. i have been alone throughout and will find justice in the court of appeal, or ultimately the european court
Thanks for giving us that information.
Good luck at the appeal!
Doesn't sound like a mistake.
The intention was to do something known to be wrong.
I'm not saying the penalty has to be dismissal (but it could be), though it should be more severe than for an innocent mistake (e.g. accessing someone with a similar name).
Much easier to make the little people pay than the big companies, isn't it ?
Hope that was a bit of Irony...
...as Plymouth NHS trust are hardly little people.
If by 'little people' you mean the person who committed the crime then yes.
@ It Wasn't Me
Wrote :- "Much easier to make the little people pay than the big companies, isn't it ?"
No, it certainly isn't. For one thing the "Little people" do not have much money.
Eg: I was just reading about someone sueing Railtrack over a train crash that happened a few years ago. Crash was caused by faulty track maintenance, and they did identify the track worker.
However, those sueing say "We don't blame the track worker, we blame Railtrack". Why is that do you think? Could it be that they would not get much money from a track worker? Much easier to get money from the big company than the little people.
It also helps to explain why what were once big companies (like the CEGB, which I worked for) have fragmented into a rats nest of management companies, micro-companies sub-companies and contractors. I saw it happen. It makes it much harder to sue them and if one of the component companies goes under because of litigation or debts they can be replaced, or they spring up under another name a week or two later.
The CEGB would never have got away with that: perhaps THAT is what Mrs T meant by "small, nimble companies". Crikey, I'm not even sure of what company I work for anymore even though I have the same payroll number and do the same work as I always did - it's a standing monday morning joke here: "Who are we working for this week?". So I would not even know who to sue if I wanted to, it would take a team of lawyers just to find out.
Not exactly rare though, is it ?
So you just know that when they say "anonymised" data they don't really mean it.
Fairly rare I think
Looking at the linked article it seems that in all cases where the individuals were detected they were disciplined; I'd bet that in the "good old days" this sort of thing still happened but because paper can't tell you that someone has read it, it could never be detected.
If you give people access to data as part of their job, then there exists the possibility that some will be tempted to misuse that access; these individuals will, if detected, be severely dealt with as a warning to their colleagues.
Detecting misuse can be very challenging, but if it is reported (as in the case of the article) then it will be taken seriously and the log files will nail the culprit.
Happens all the time...
...I used to work in a major bank call centre for credit cards about 8 years ago. Just about >everyone< I knew looked to see if any 'slebs had accounts with the bank, and if so what they owed and what they were buying. They also looked at friends and family accounts as well. We all knew it was forbidden, but nobody got caught, even though an electronic audit trail existed.
I was one of the few who didn't have a look, but got my arse kicked for erroneously revealing info I shouldn't have done to an account holders mother. Perhaps some may think I deserve to be broken on the wheel for this transgression, but it is easy to do.
What this woman did was fairly unimportant in the grand scheme of things, really.
not important(anonymous coward)
it was important to me! that the woman in question laughed and told everyone about my mental health file, and then 8 months later she turned up at my dads address who had just returned home from having a massive stroke of which she had no knowledge of, she then proceeded in shouting obscenitys towards his home. after this the individual told lies to my young children who were with their mother saying that i had never wanted to have them, of which i was stopped in seeing them. the individual was a health care assistant (not a nurse) and stated everyone does it at the hospital. this is why i made my complaint to the security it manager, then the conspiracy to conceal the offences started by the trust, and the subsequent lies to the police, i.c.o, solicitors, court etc, all of which i can prove through documentation. hence both the judges behaviour in my claim, and hence why im appealing for justice
It just goes to prove...
...Just because you have a pre-existing paranoid personality disorder, doesn't mean that someone isn't out to get you !
Who has to pay the £12,500?
the title of the case gives a clue
Sean Robert Grinyer v Plymouth Hospital NHS Trust
Welcome to the information age
I think this day and age, sadly, you have to assume that anything recorded digitally is not only permanent but somewhere, someone unauthorised at some point has already looked at your private data.
The impact, of course, ranges from a relatively harmless giggle to full-blown financial, reputation and health repercussions.
It's not the ones who are caught you need to worry about, it's the ones that haven't been caught yet and the questions that arise are:
(a) How are we to pre-emptively act to limit any damage, and
(b) what action do we take once there's been a breach.
These questions are for both the individual and government. I don't really have a full answer for either of them yet and I'm pretty sure the government having got a fscking clue, that this is a serious problem and it's only going to get worse.
"£4,800 for loss of earnings on the premise"
I thought I saw:
"..£4,800 for loss of earnings on the premises.." since the graphics card in my work computer is so bad the fonts look terrible. I was like, "Whoaa.. Why did HE have earrings worth £4,800..."
Limitng staff access to medical records...
...is a no-win area. It's possible to lock down records so nurse X can only read the records of patient Y - and then patient Y is transferred to another ward where nurse Z can't read his (medical) records until (patient status) record is updated. Or nurse X phones in sick and nurse W covers for her. Or (this is the NHS, remember) both of the above, plus sixteen other random confusing events all occur at once. So the usual compromise is: the records are open and readable by appropriate grades of staff (eg nurses, doctors, clerical, but not management, catering, security), but access is logged: read without just cause, and you'll be disciplined. Some data is "siloed"; GU medicine clinic records are kept apart from general records, but within the "silo", same access rules apply.
Just because you are paranoid
doesnt mean that your girlfriend isnt out to get you......