Further Criminal Prosecution under the DPA

December 3, 2013

A former manager who oversaw the finances of a GP’s practice in Maidstone has been prosecuted by the ICO after unlawfully accessing the medical records of approximately 1,940 patients registered with the surgery.

Appearing at Maidstone Magistrates’ Court on 3 December, 37-year-old Steven Tennison pleaded guilty to charges of unlawfully obtaining personal data under the Data Protection Act 1998, s 55. He was fined a total of £996 and ordered to pay a £99 victim surcharge and £250 prosecution costs.

The offences were uncovered in October 2010 when the Practice Manager at College Practice GP surgery was asked to review Tennison’s attendance file. The review included a check of Tennison’s use of the patient records program, which showed that between 6 August 2009 and 6 October 2010 he had accessed patients’ records on 2,023 occasions.

The majority of the records viewed related to women in their 20s and 30s. One woman’s record – believed to be that of a school friend of Tennison – was accessed repeatedly along with the record of her son.

The practice confirmed that Tennison only needed to access patients’ records on three occasions during this period, when the Practice Manager was on leave and he was responsible for investigating a complaint.
ICO Head of Enforcement, Stephen Eckersley, said:

‘We may never know why Steven Tennison decided to break the law by snooping on hundreds of patients’ medical records. What we do know is that he’d received data training and knew he was breaking the law, but continued to access highly sensitive information over a 14-month period. The GPs and staff at College Practice GP surgery work hard to maintain the confidentiality of their patients’ records. The irresponsible actions of one employee have undermined their work and he is now facing the consequences of his unlawful actions.’