A former healthcare assistant at Royal Liverpool university hospital has been fined £500 and been ordered to pay £1,000 towards prosecution costs after she unlawfully accessed the medical records of five members of her ex-husband's family. Juliah Kechil accessed the records of the five individuals between July and November 2009 …
Even if you trust the government...
Even if you trust the government, and believe the "nothing to hide" arguments, this sort of thing shows why centralized data-gathering is dangerous.
Telephone numbers are hardly something you need to hide, and if one of my family members get into an accident in another part of the country, I certainly appreciate that "Ms. Nobody" at the hospital is able to look up their details.
What is needed - and what was in place here - is an audit trail, so you can fine people for doing things they weren't supposed to.
You also want people to be able to drive above the speed limit on the highway in case of an emergency - yet still be able to fine them heavily, if they do so when no emergency was present.
Like the police?
Usually on their way to the nearest takeaway. Well it is an emergency.
Which is why systems should be put in place that audit the usage of said data and this data should be checked regularly. The individual is responsible for the misuse and is then open to prosecution under the correct laws.
Sure she could have looked them up in the book?
That still works right?
The article refers to "new telephone numbers" and "nuisance calls". It's a safe bet they changed numbers and went ex-directory after an acrimonious divorce.
...did she get the sack?
It did say
£15 victim surcharge
It's just not worth being a victim these days...
So they *can* trace who accessed your data.
And (unlike say the Police) they actually *do* so on occasion.
Here's a little suggestion for *all* govt and public service organisations.
Let's say once a month run a report that cross checks case file access versus staff *assigned* to those cases. Only print staff *not* assigned to case but who have accessed the files.
Should be a 1 page report saying "There is nothing to report"
Bet it's not.
Thumbs up as the hospital did the right thing and should be *encouraged* to do it again.
Some already do this...
There are places that already do this within the NHS, HOWEVER it's not always possible to obtain the data easily as PAS systems are often not linked up to EPR or EMR systems. Yes you can run reports out of both and then have a mechanism for cross checking the results but this is costly... There are happily many systems that will "interface" with one another and allow you to aggregate the data to do this cheaply...
PAS - Patient Admin System - Used for booking patients in and out, bed management etc.
EPR System (also known as EMR - Electronic Medical Record etc) - Electronic Patient Record - Used for recording and storing patient demographics and medical history, procedures etc
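The monthly cross-check suggested two posts up (access events versus case assignments, printing only staff who accessed files they were not assigned to), joined across the PAS/EPR split described in this post, as an added example that is not part of the original thread or of any NHS system. The access log, assignment table and patient/staff ids are constructed sample data; the join key (staff id, patient id) is an assumption.

```python
from collections import defaultdict

# Constructed sample data (not from the article). One row per record access,
# as an EPR/EMR audit trail might export it: (staff_id, patient_id, timestamp).
ACCESS_LOG = [
    ("s001", "p100", "2009-07-03T09:12"),
    ("s002", "p100", "2009-07-03T10:40"),
    ("s002", "p101", "2009-08-14T15:05"),
    ("s003", "p102", "2009-09-20T11:30"),  # s003 is assigned to none of these
    ("s003", "p103", "2009-09-20T11:31"),
    ("s003", "p104", "2009-11-02T08:00"),
    ("s004", "p104", "2009-11-02T08:00"),
]

# Constructed sample of staff-to-case assignments, as a PAS might hold them.
# Joining on (staff_id, patient_id) is an assumption about both exports.
ASSIGNMENTS = {
    ("s001", "p100"),
    ("s002", "p100"),
    ("s002", "p101"),
    ("s004", "p104"),
}


def unassigned_accesses(access_log, assignments):
    """Return only the access events whose (staff, patient) pair has no assignment."""
    return [ev for ev in access_log if (ev[0], ev[1]) not in assignments]


def build_report(access_log, assignments):
    """Group unassigned accesses by staff member: {staff_id: [patient_id, ...]}.

    Legitimate emergency look-ups will appear here too; the point of the report
    is that a human reviews them, not that the system blocks them.
    """
    report = defaultdict(list)
    for staff, patient, _ts in unassigned_accesses(access_log, assignments):
        report[staff].append(patient)
    return dict(report)


def format_report(report):
    """Render the report; an empty report is the one-line 'nothing to report'."""
    if not report:
        return "There is nothing to report"
    # Staff touching the most unassigned records are listed first.
    ranked = sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return "\n".join(f"{s}: {len(p)} unassigned record(s): {', '.join(p)}" for s, p in ranked)


if __name__ == "__main__":
    print(format_report(build_report(ACCESS_LOG, ASSIGNMENTS)))
```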
"Lets say once a month run a report that cross checks case file access versus staff *assigned* to those cases."
I was at a DefCon approx. 10 years ago, give or take, where a chap from the US DoD described how they were doing exactly that. Naturally, he didn't go into detail about the frequency with which reports were run, etc.
Still, £15 fine
She's unlikely to do that again. How about 3 months at her madge's pleasure?
Remember Sarah Keays
Before the internet a politician called Cecil Parkinson allegedly had a child with a lady called Sarah Keays. The child apparently had medical problems and the paper records came into the possession of the Sun newspaper. An investigation was able to narrow it down to anyone who worked in the GP's surgery so no-one was prosecuted. Unfortunately I couldn't find a reliable online link to the story. Likewise, in the past this healthcare worker could almost certainly have accessed paper records without leaving an audit trail. I for one am happier with a slightly higher risk of people accessing my records because they are on computer if there is, at the same time, a much higher risk of the person doing so being caught.
". We will always push for the toughest penalties against individuals who abuse this trust."
Is it just me or is that typical ICO rhetoric....
Ultimately weightless and hollow... £15 victim surcharge... oh great, 2 packets of fags then...
Who watches the watchers?