Former GP surgery administrator fined £790 for unlawfully accessing patient records

NHS admin Sally Anne Day given paltry fine for causing distress to two patients

A former NHS administrator who had been working in a GP surgery has been fined for unlawfully accessing patient records.

Sally Anne Day, who comes from Abergavenny in Wales, pleaded guilty to two offences under section 55 of the Data Protection Act when appearing for sentencing at Newport Crown Court.

Day had unlawfully accessed the medical records of two patients between August 2015 and July 2016, causing the patients distress, the Information Commissioner's Office (ICO) said.

In that period, she had accessed the first patient's records a staggering 51 times, and the second patient's records on a further eight occasions.

The case had been brought to the ICO and was originally listed at Cwmbran Magistrates Court but was transferred to the crown court, due to the serious breach of trust involved and the number of times patients' records were accessed illegally.

Day subsequently resigned from her job as an administrator for Powys Trust Health Board (PTHB) where she worked in a GP surgery, and was fined £790 in total; £200 for each offence, as well as £350 in costs and a £40 victim surcharge.

ICO enforcement group manager Michael Shaw said this was another case of someone getting in serious trouble by ignorning patient confidentiality and their data protection responsibilities.

"Those who work with sensitive personal information need to be aware that if they access that information without good reason, they could well find themselves in court and end up with a criminal conviction," he said.

Last year the ICO fined a GP practice £40,000 for revealing confidential details about a woman and her family to her estranged ex-partner. Regal Chambers, of Hitchin, Hertfordshire, gave out the information despite the woman warning staff that they should take particular care to protect her details.

When her ex-partner made a request for the medical records of the former couple's son, staff gave him 62 pages worth of information that included the woman's contact details, her parents details and the details of an older child the man was not related to. This was put down to the GP practice having insufficient systems in place to ensure unauthorised personal data was not shared with those who weren not entitled to see it - a breach of the Data Protection Act.