NHS employee fined for unlawfully accessing personal records

An employee of an NHS Foundation Trust in the West Midlands has been fined for unlawfully accessing the personal records of 14 individuals.

Faye Caughey, 32, of Ringswood Road, Solihull was employed at the Heart of England NHS Foundation Trust (HEFT) when she accessed the records between February 2017 and August 2017.

Birmingham Magistrates’ Court heard that as part of her job, Ms Caughey was authorised to access records of adults on two separate systems – HEFT’s iCare and CareFirst from Solihull Metropolitan Borough Council.

An internal investigation found that the defendant viewed personal data of seven family members on iCare and seven children known to her on CareFirst.

There was no business need for her to do this and so, she broke data protection law, the Information Commissioner’s Office, which brought the prosecution, said.

Ms Caughey pleaded guilty to breaching s55 and s60 of the Data Protection Act 1998 (DPA1998) when she appeared at Birmingham Magistrates' Court on 15 March 2019. She was fined £1,000, with a £50 victim surcharge, and was ordered to pay £590 towards prosecution costs.

In a separate case, Birmingham Magistrates’ Court heard that Jayana Morgan Davis, 32, of Wood Green Road, Birmingham forwarded several work emails containing personal data of customers and other employees to her personal email account in August 2017, weeks before resigning from her role at V12 Sports and Classics Ltd.

At Birmingham Magistrates' Court on 15 March 2019, Ms Morgan Davis admitted to three offences of unlawfully obtaining personal data in breach of s55 and s60 of the DPA1998. She was fined £200, with a £30 victim surcharge, and was ordered to pay £590 towards prosecution costs.

Mike Shaw, head of the criminal investigations team at the ICO, said: “People expect that their personal information will be treated with respect and privacy. Unfortunately, there are those who abuse their position of trust and the ICO will take action against them for breaking data protection laws.”