Curiosity can be a great thing. However, it can get the better of some people.

This can enter into dangerous territory.

Staff in GP surgeries may think they are not doing anything that bad when they snoop on the records of family, friends, neighbours or acquaintances, but it can bring about potentially serious consequences.

Just last year, the Information Commissioner’s Office (ICO) reported how a former nurse at Southport and Ormskirk Hospital NHS had inappropriately accessed patients’ medical records without permission. She admitted unlawfully obtaining and disclosing personal data and was fined and ordered to pay costs and a victim surcharge.

For GP surgeries, this type of behaviour damages the relationship of trust and confidentiality between patients and the NHS. It needs to be avoided at all costs and dealt with quickly when it does happen.

How can employers prevent employees prying on patient records?

From a HR and Employment Law perspective, the first thing to do is make sure employees know about your data protection policy. Make sure they know their responsibilities and the consequences if they fall short.

In your policy, you should reserve the right to:

  • Look at the contents of all incoming and outgoing work emails
  • Browse the history of the web pages using work devices
  • Have a call recording system in place (for example, for training, quality or service delivery purposes).

This may put employees off accessing and using data and also help you investigate matters if you suspect a breach.

Employees are under an implied duty of fidelity. This means that if an employee does use or disclose confidential information without your permission, it could be considered to be gross misconduct and pave the way for summary dismissal. As always, look to an Employment Law company to make sure you are on the right side of the law when dismissing.

If you notice someone covertly scanning or photocopying data or copying files onto an external drive, you can apply for an injunction to secure and recover the data that has been stolen.

Additionally, you can also have a policy outlining rules about accessing patient records, highlighting that the employee cannot access the records of relatives. You may also decide to include in the policy that employees should declare if relatives are patients so you can be alert to any unusual activity on those records.

What can employers do if there has been a breach?

The EU General Data Protection Regulations came into force on 25th May 2018, bringing about key changes to data protection rules. In cases of data breaches, for example unauthorised access to personal data which is likely to result in a risk to the rights and freedoms of individuals, businesses must notify the ICO without undue delay and where possible no later than 72 hours after the breach.

The ICO guidance states that that “All health service organisations in England must now use the Data Security and Protection Incident Reporting tool (the incident reporting tool for the NHS in England). This will report SIRIs (Serious Incident Requiring Investigation) to the NHS Digital, Department of Health, ICO and other regulators.”

3 things to remember:

Find what you were looking for?

Our FREE resources library contains over 200 searchable blogs, guides and templates focused around Employment Law and Health & Safety issues that employers face on a day-to-day basis.

Get your FREE download

We combine the service quality of a law firm with the certainty of fixed-fee services to provide expert, solutions-focused Employment LawHR and Health & Safety support tailored to employers.

Call us on 0345 226 8393.

Get your FREE download

We combine the service quality of a law firm with the certainty of fixed-fee services to provide expert, solutions-focused Employment LawHR and Health & Safety support tailored to employers.

Call us on 0345 226 8393.

Get your FREE consultation

Submit your details and one of our team will be in touch.

Activate your free trial

The rota module has been built on our brand new technology platform, so you’ll need to create a new account that you can then integrate with your existing Youmanage/PeopleNest account.

Follow these steps to activate your trial

  1. Log in to your existing Youmanage/PeopleNest account
  2. Navigate to admin mode
  3. In the menu, navigate to Integrations > Marketplace
  4. On the ‘PeopleNest – Rota Module’ line, click ‘configure’
  5. Create your new account – because we’ve built the new Rota Module on our brand new PeopleNest platform, you’ll need to create an account. Make sure you use the same email address as your admin account in Youmanage (can use Microsoft/Google authentication)
  6. Sign-in using your new login details
  7. Read the message about the integration and click continue if you are happy to proceed
  8. It takes a few minutes for your employees to start pulling through, then you’re ready to go!

Book a consultation

One of our team will be in touch as soon as possible. If we miss you, we’ll send over a Calendly invite so you can choose a more convenient time and date for a callback. 

Get your FREE consultation

Submit your details and one of our team will be in touch.

Search...

Get your FREE consultation

Submit your details and one of our team will be in touch.

Get your FREE consultation

Submit your details and one of our team will be in touch.

Before you go…

We can help with that HR problem or health and safety query. If you’re an employer, leave your details below and our team will call you back.

Register your interest

Submit your details and one of our team will be in touch.

Get your FREE consultation

Submit your details and one of our team will be in touch.

Download your FREE guide

Submit your details below.

Request a callback

Submit your details and one of our team will be in touch.

Need some help?

Call our team now on:

0345 226 8393

Request a Callback

Submit your details and one of our team will be in touch.

Request a Callback
Hi, how can we help?
Click the button below to chat to an expert.