Pharmacist caught spying on friends' med records fined £1,000

A pharmacist who unlawfully spied on family and friends’ medical records has received a modest fine after he was convicted of data protection offences. Harkanwarjit Dhanju, 50, was convicted of unlawfully accessing the medical records of family members, work colleagues and local health professionals while working as a " …

  1. Evil Auditor Silver badge

    Need-to-know

    At least they do audits in this regard. But why did he have access to those records in the first place? One would think his access could and should have been limited to data related to the local residential care homes.

    1. Jean Le PHARMACIEN

      Re: Need-to-know

      From my knowledge of GP and pharmacy systems there do not seem to be any filters based on where you live. Access filters are based on *which areas of the record* you can look at e.g. in eMIS I could only look at the medication record but not the detailed consultation record. In order to do a medication review, this person would need full access to current and previous medicines prescribed and at least a summary consultation/medical record. It would have been quite possible to request individual records as paper copies but most nursing homes have all their residents registered with a single practice (unless the residents are temporary/rehabilitation/respite care) so the pharmacist was working within the practice premises.

      I'm surprised the guy did this - he knew he shouldn't be looking at the records (it's part of university and professional training) and cases of health care workers discovered doing this sort of thing and being sacked are quite prominently publicised to staff by health authorities.

      I would think the General Pharmaceutical Council will be very interested in his case - they are notoriously more likely (just as when the register was held by the Pharmaceutical Society) to suspend or remove from the register compared to the GMC and nursing bodies. Conviction of a criminal offence is almost certain removal from the register.

      1. DocJames

        Re: Need-to-know

        Conviction of a criminal offence usually means removal from the GMC too. And I think that both the GMC and GPC pale into significance compared to the "eat your young" approach that the nurses have... probably related to ability of the individual to take a stand against their professional organisation.

        Otherwise, completely agree.

  2. David Pollard

    Conspiracy?

    Is conspiracy to inspect patient records also a criminal offence?

    1. Anonymous Coward

      Re: Conspiracy?

      IANAL

      IIRC "conspiracy" applies to any offence - and it could carry a higher sentence than the conspired offence itself. Presumably an automatic Crown Court trial even if the conspired offence was a Magistrate Court one. In the past Police "fishing" expeditions seemed to use an arrest for "conspiracy" - when they had no other evidence to justify a search of someone vaguely connected to a suspect.

    2. Doctor Syntax Silver badge

      Re: Conspiracy?

      From the report it looks as if he was doing this off his own bat. So no conspiracy. It takes two to conspire.

      1. Anonymous Coward

        Re: Conspiracy?

        "From the report it looks as if he was doing this off his own bat. So no conspiracy. It takes two to conspire."

        What if he had a split personality? Obviously the fine should then be reduced in proportion to the number of personalities that made him do it, and the total that he has.

  3. Chewi

    And only £500 for 1000 Orange records?

    So how come this guy was fined £1000 for spying on a handful of people while the guy who recently spied on 1000 Orange customer records only got fined £500? Talk about inconsistent.

    1. frank ly

      Re: And only £500 for 1000 Orange records?

      It's about breach of trust by a registered professional and the sensitivity of the information being 'misused'.

  4. NotWorkAdmin

    We can breathe easy then

    It's clearly unacceptable for an individual to gain access to our medical records so good job he was prosecuted. The proper procedure is to sell them to private multinational corporations.

    1. Trigonoceps occipitalis

      Re: We can breathe easy then

      They will, of course, be really, really safe once the NHS records are digitised. This problem will go away as security systems are implemented by the NHS and by the carefully selected (show us the money) partners they share with.

      1. Skoorb

        Re: We can breathe easy then

        Believe it or not digitization of records has actually helped auditability. When I worked in a hospital, I could go to the records library and pull any record at any time; all I needed to do was trace it out somewhere. With digital records every time someone looks at a record, an audit trail is recorded. Not just "where the paper record should physically be".

        It can be quite hard sometimes to avoid seeing records for someone you know. Chances are you know someone who is diabetic, so if you work in the local diabetes service at some point you are going to be looking at a letter and think "hang about, I recognise this guy". Likewise, if you work in a hospital and are referred in, if you know anyone in the appointments team they are going to be handling your referral. There is not much you can do about this type of "correct" access; locking records down is only done exceptionally (the fact that someone is diabetic is relevant if they see an eye surgeon about a cataract for example). So, everyone from the clerk upwards gets training to act in a professional manner, and you make a silent audit trail of every access and change so that if someone does act incorrectly, you can discipline them for it after the fact; as well as a fine you are almost certainly going to lose your job in cases like this, and if you are a professional, possibly your licence to practice.

        1. chris 17 Silver badge

          Re: We can breathe easy then

          Reactively addressing the issue is not sufficient enough. They should have systems in place to prevent those that should not be seeing those records from accessing them. If I have a reason for checking a patient's record, I should not be able to check some other patient's record too. Perhaps some authorised person needs to grant specific permission to the viewer to view that specific record. That should stop opportunist viewing of unrelated records. Yes I appreciate it would cost more and take longer, but it would add trust into the system and perhaps people wouldn't be so against having their records digitised knowing there were robust checks and balances in place.
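
As an added example (not part of the comment thread, and not code from any system named in it), the Python below applies the two controls discussed in the comments above: a per-record permission check usable as a preventive gate, and a retrospective pass over the access audit trail that flags every view with no assignment and no grant. The user IDs, patient IDs, log layout and function names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data, not taken from the article or any real system.
# Patients each user is assigned to (e.g. care-home residents under review).
ASSIGNED = {
    "pharm01": {"P100", "P101", "P102"},
    "clerk07": {"P200", "P201"},
}
# Per-record grants approved by an authorised person: (user, patient) -> approver.
GRANTS = {("clerk07", "P300"): "manager02"}

# Constructed audit trail rows: (timestamp, user, patient_id, section_viewed).
AUDIT_LOG = [
    ("2014-03-03T09:12", "pharm01", "P100", "medication"),
    ("2014-03-03T09:20", "pharm01", "P101", "medication"),
    ("2014-03-03T12:41", "pharm01", "P555", "consultation"),
    ("2014-03-04T08:05", "clerk07", "P300", "summary"),
    ("2014-03-04T17:58", "pharm01", "P556", "consultation"),
    ("2014-03-05T10:30", "clerk07", "P201", "summary"),
    ("2014-03-05T18:02", "pharm01", "P555", "medication"),
]

def is_authorised(user, patient_id, assigned=ASSIGNED, grants=GRANTS):
    """True if the user is assigned to the patient or holds a specific grant."""
    return patient_id in assigned.get(user, set()) or (user, patient_id) in grants

def review_audit_trail(log, assigned=ASSIGNED, grants=GRANTS):
    """Return {user: [rows]} for every access with no assignment and no grant."""
    flagged = defaultdict(list)
    for row in log:
        _ts, user, patient_id, _section = row
        if not is_authorised(user, patient_id, assigned, grants):
            flagged[user].append(row)
    return dict(flagged)

def summarise(flagged):
    """Rank users by the number of distinct unrelated patients they viewed."""
    counts = {u: len({r[2] for r in rows}) for u, rows in flagged.items()}
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for user, n in summarise(review_audit_trail(AUDIT_LOG)):
        print(f"{user}: {n} unrelated patient record(s) opened")
```

Calling `is_authorised` before a record opens gives the preventive control; running `review_audit_trail` over the log afterwards gives the reactive one, and both share the same rule so they cannot drift apart.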

  5. Doctor Syntax Silver badge

    Wrong court?

    'The offence is punishable by way of “fine only” - up to £5,000 in a magistrates' court or an unlimited fine in Crown court. The ICO continues to call for more effective deterrent sentences, including the threat of prison in the most serious cases, to deter the unlawful use of personal information.'

    What's the point of calling for more effective sentences & then failing to make use of the existing sentencing regime by not taking this to the Crown Court?

    1. Anonymous Coward

      Re: Wrong court?

      Also, the records for how many patients? The surcharge should be per affected individual, if the ICO is to have any teeth, with the money going to the individuals, and any associated costs added to the fine.

  6. John Smith 19 Gold badge

    It's a start

    But they have to go much higher.

    1. Anonymous Coward

      Re: It's a start

      "But they have to go much higher."

      Why? He'll probably be fired, he'll probably lose his professional registration, and even if he doesn't he'll struggle to get another job in the same field. The fine is symbolic, but chances are he'll lose a lot more than £1,000.

      Assuming you work as an IT professional with some experience and training, imagine how much you'd lose if you did something wrong and overstepped the mark, and were banned from further work in IT? What would you do as a suddenly unskilled worker, and how much would your new job pay?

      I'd guess we're talking about somebody on a (guessing) £60k salary on a full time basis, maybe more. What can he do now and what will he earn? Some form of non-NHS administration, paying perhaps £15k if he's lucky. He might build a new career in some new field, but I'd guess that his loss from this conviction must approach £250k over the next few years, unless a family member or friend finds him some equally paid director type of job.
