Hairdryer treatment for medical staff who accessed Sir Alex Ferguson's medical records

After the former Manchester United manager's medical records were accessed by staff at the Salford Royal Hospital, what are the likely GDPR and Data Protection Act consequences?

Sir Alex Ferguson, in his book Leading, advises that 'once you bid farewell to discipline, you say goodbye to success.' This message applies not only to footballers but to all professionals, and could be particularly pertinent for the medical staff currently under investigation for allegedly reviewing his medical records without reason or consent.

Sir Alex has recently recovered from an operation at Salford Royal Hospital, after the discovery of a brain haemorrhage. Following this, reports in the press emerged that a number of staff, who were not involved in Sir Alex's care, viewed his medical accounts without authorisation. A public apology has been made and the Information Commissioner's Office ("ICO") informed.

So, what are the potential consequences for the individuals involved and the hospital ("the data controller")?

Looking at the individual staff first, it is an offence under s170 of the Data Protection Act 2018 (which implemented the GDPR) to obtain personal data without the consent of the data controller. As the staff were not involved in Sir Alex's care, it is unlikely they had appropriate consent. In addition, as they were reportedly only looking to 'satisfy their own personal curiosity,' a legitimate defence appears improbable.

The ICO, which has previously warned NHS staff about unlawfully obtaining patient records, can impose fines on individuals. In September 2018, a nurse who accessed a number of records was fined £400 and dismissed by her NHS Trust employer. If the ICO decides to fine the staff involved, a similar fate may await them.

Turning to the hospital, there are significantly harsher punishments for a data controller in this scenario. Under the Data Protection Act, health data is considered a "special category" as the information is, by nature, extremely sensitive. As a result, there are stricter processes for data controllers to follow, meaning a medical record breach could result in a larger fine than for a standard data breach.

In addition, data controllers have to abide by certain data protection principles; the sixth of which is that they must process data 'in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures.' It is therefore key that data controllers, such as the Salford Royal, have sufficient systems in place to keep data safe, as they may be penalised if they do not. In order to avoid similar issues, and to assist any investigation or litigation, healthcare providers should ensure their systems are adequate to observe and manage who is viewing patient records (and why).

The maximum fine for a data controller which breaches its statutory duties is the higher of €20 million euros or 4% of global turnover. In the case of a data breach that impacts only one (albeit high profile) individual, a maximum fine is unlikely to apply. However, the magnitude of the potential fines illustrates the seriousness of the offence (and how seriously healthcare providers should be taking the issue).

There is no indication yet as to whether the ICO will fine those involved but, as Sir Alex would say, it is "squeaky bum time" for the staff and the hospital.