The ICO crack down on the NHS and employee curiosity

Adrian McGarry, Chief Executive Officer
Protection is at the heart of my experience
Edited by: Andrew Leniart
Being too curious can sometimes get you into big and costly trouble.

The Information Commissioner’s Office (ICO) has made it clear that NHS employees who are tempted to look at patient records without a valid legal reason need to understand the repercussions of such actions.

Mike Shaw, Criminal Enforcement Group Manager at the ICO, said, “Employees who in many cases are very experienced and capable, are getting into serious trouble and often lose their jobs, usually over little more than personal curiosity.”

Unfortunately, Clare Lawson made that mistake.

Her curiosity cost her a £400 fine, £364.08 in costs, a victim surcharge of £40 and her job.


Clare Lawson had been a staff nurse on the Rehabilitation Ward at Southport and Ormskirk Hospital since October 2011.

She is a registered nurse with over 13 years’ experience of providing expert nursing care in medical, community and emergency care settings.

Southport and Ormskirk Hospital NHS Trust provides health care in hospital and the community to approximately 258,000 people across Southport, Formby and West Lancashire.

The ICO website states that between 2014 and 2016, Clare Lawson committed the following data breaches:

  • Inappropriately accessed the records - including maternity and paediatric records - of five patients, 17 times
  • Accessed a further 109 records of 18 patients of which one was a child
  • Accessed blood results of a friend 44 times after they had been discharged
  • Accessed foetal scans of a patient

Ms Lawson was dismissed from her position in the hospital in September 2017 for gross misconduct. She appeared before magistrates in Bootle on the 24th September 2018 and admitted unlawfully obtaining and disclosing personal data in breach of s55 of the Data Protection Act 1998.

The case has now been referred to the Nursing and Midwifery Council.  

The ICO Director of Investigations, Steve Eckersley, said about the case, “This abuse of a position of trust has caused significant distress to a number of people. The laws on data protection are there for a reason and people have the right to know their highly sensitive personal information will be treated with appropriate privacy and respect. The ICO will continue to take action against those who abuse their position and potentially jeopardise the important relationship of trust and confidentiality between patients and the NHS.”


The NHS and data protection

The Clare Lawson case is just one of many NHS data protection cases listed on the ICO website.

  • Nicola Wren

In October 2017, Nicola Wren, who was employed by Kent and Medway NHS and Social Care Partnership Trust, was also found guilty of accessing the records of patients known to her. She accessed the medical records 279 times in three weeks. Wren pleaded guilty to the offence under s55 of the Data Protection Act and was fined £300, ordered to pay costs of £364.08 and a £30 victim surcharge.

  • Marian Waddell

In November 2017, Marian Waddell, a former nursing auxiliary at the Royal Gwent Hospital in Newport, was fined for accessing a patient’s and her neighbour’s medical records without a valid reason. She was fined £232 and had to pay £150 in costs and a victim surcharge of £30.


We are not aware of why Clare Lawson repeatedly looked at medical records of the hospital’s patients or what she did with the information.

For whatever reason she did it, the message from the ICO is clear - do not access data that you are not legally allowed to access.

You will be fined, and what’s more, some people are of the opinion that actions like Clare Lawson’s should carry a potential custodial sentence.

It’s worth noting that in these cases the charges made were under the Data Protection Act, not the GDPR due to the date that the data breaches occurred.

With the new data protection regulations carrying such heavy fines, all you curious folks out there dealing with personal data need to remember the saying ‘curiosity killed the cat!’.

This is a classic case of the type of internal information breaches that occur in organisations across the world, every day.

How do you make your staff aware of their responsibilities with other people's data?

Not only is your business at risk if one of your employees breaches information, but they are personally liable as well.  

Adrian McGarry



Comments (3)

Adrian McGarry, Chief Executive Officer


Thanks Andrew
BillDL, General Factotum

Although it is not detailed in your article, nor on the Information Commissioner's Office pages linked to, I assume the named people accessed patient records using computers rather than looking at hardcopy records.  That's the only real way that multiple instances of access could realistically have been logged.

I wonder whether the National Health Service (or any of the affected Health care Trusts) have actually placed any restrictions on who is permitted (and I refer to user account status here) to gain access to various areas of their IT databases in the wake of these breaches?

The main subject of your article, namely Clare Lawson, was a Staff Nurse. In such a position there would normally be a Charge Nurse (equivalent to Supervisor in other vocational disciplines) above her on that ward and also a Matron or Sister (a "Manager" nurse) covering that ward and perhaps others.  It isn't known from the available information whether any staff of those ranks would consistently be on duty at the same times as the subject, but if they were then they are the supervisory members of staff who should have access to patient records, not the standard nursing staff.  There may be some situations, however, where a Staff Nurse could have been in charge and therefore may have required legitimate access to records during a shift.  This is not to say that even a higher ranking member of nursing staff may be tempted to excessive and knowingly wrong patient record accesses, but keeping permission to those of a certain ranking and above would reduce the likelihood.  

The second subject (Nicola Wren) was an Administrator and it is possible that in such a position she would have required access to patient records.  There isn't much that could be done by way of restriction in such a case, but it looks as though this woman was frequently checking for updates in records relating to a friend, acquaintance, or relative over the 3 week period.

There is absolutely no reason why the third subject, Marian Waddell, should have had access to patient records held in computer databases because she was a Nursing Auxiliary.  This position is sometimes referred to by the title "Healthcare Assistant".  Often these positions are occupied by ex-nurses or midwives who returned to healthcare after long periods of absence during which their qualifications lapsed.  They are either part-qualified or unqualified "nurses".  I'm not saying they don't know what they are doing, because some know more than doctors or nurses, but their duties are restricted.  Again though, the ICO web page relating to Marian Waddell does not specify whether she accessed a computer record or a hardcopy record.  All it says is that she accessed the records of one patient.

What I am most curious about is the statement made by the Director of Investigations for the ICO:
"This abuse of a position of trust has caused significant distress to a number of people".
Obviously there would be some distress caused to fellow nursing staff who might feel betrayed and let down by a colleague's actions, but were the patients themselves informed about the unlawful accesses of their records?
Adrian McGarry, Chief Executive Officer


Thanks for the comments BillDL.

I agree, this must have been captured via computer security audit logging, but is not the sort of detail that was released by the ICO.

We would all hope that appropriate measures are taken for securing highly sensitive information, such as patient records, especially in large organisations such as the NHS in the UK.

Unfortunately (& I am going to link this to information security lapses, like with the WannaCry incident) it is very apparent the NHS is not a good example for information security and data governance.

Even this week we have seen reports that WannaCry cost the NHS £92m.  How much would it have cost the NHS to deploy a 0-day threat system to protect against this and countless other malware attacks, let alone the human cost of this malpractice?

You really only need to prove this by looking at the UK ICO to see how many NHS trusts have been involved in action enforcements.

And is this any different for other countries?  This article covers recent Australian data breaches within the healthcare system.

We see far too many organisations with very bad practices, poor security and no training for staff.

To teach basic security skills, providing training to all employees is common-sense, which is why I write about this subject, train people and organisations about this subject and sometimes can get very emotive about data protection and security.

Does this make me a bit geeky about this subject, maybe!  But there is a human cost to this.  Not only with these NHS examples but with each data breach that occurs because of negligence, malpractice and just plain incompetence, it’s unnecessary and can be stopped by raising awareness.
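BillDL's point that multiple accesses could only have been counted because they were logged, and the reply above that they were captured via audit logging, raise the question of what a trust's own review of such logs could look like. The following Python is an added example, not code from the article or from any NHS system; the audit log, the discharge dates and the role-to-record-type mapping are all constructed, and the three rules (repeated access to one patient, access after discharge, and record types outside the user's role, as BillDL suggests restricting by rank) are illustrative.

```python
import csv
from collections import Counter, defaultdict
from datetime import date
from io import StringIO

# Constructed sample of an electronic patient record access log (not real data).
AUDIT_CSV = """timestamp,user,patient_id,record_type,action
2016-03-01,nurse42,P1001,blood_results,view
2016-03-02,nurse42,P1001,blood_results,view
2016-03-03,nurse42,P1001,blood_results,view
2016-03-04,nurse42,P1001,blood_results,view
2016-03-01,nurse07,P2002,observations,view
2016-03-01,nurse07,P2002,observations,update
2016-03-05,nurse42,P3003,maternity,view
2016-03-06,aux19,P2002,observations,view
"""

# Constructed reference data: discharge dates and the record types each role may open.
DISCHARGED = {"P1001": date(2016, 3, 2), "P2002": date(2016, 3, 10)}
USER_ROLE = {"nurse42": "staff_nurse", "nurse07": "staff_nurse", "aux19": "nursing_auxiliary"}
ROLE_RECORDS = {"staff_nurse": {"blood_results", "observations"}, "nursing_auxiliary": set()}

def parse_log(text):
    """Parse the CSV audit log into dicts, converting each timestamp to a date."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = date.fromisoformat(row["timestamp"])
    return rows

def find_suspicious(rows, discharged, user_role, role_records, repeat_threshold=3):
    """Return {(user, patient_id): [reasons]} for accesses that warrant a privacy review."""
    alerts = defaultdict(list)
    # Rule 1: the same user opening the same patient's record many times.
    for key, n in Counter((r["user"], r["patient_id"]) for r in rows).items():
        if n >= repeat_threshold:
            alerts[key].append(f"repeated access: {n} events")
    # Rule 2: access after discharge, when no care relationship can justify it.
    after = Counter((r["user"], r["patient_id"]) for r in rows
                    if r["patient_id"] in discharged and r["timestamp"] > discharged[r["patient_id"]])
    for key, n in after.items():
        alerts[key].append(f"{n} accesses after discharge on {discharged[key[1]]}")
    # Rule 3: record type not permitted for the user's role (least privilege by rank).
    for r in rows:
        allowed = role_records.get(user_role.get(r["user"], ""), set())
        if r["record_type"] not in allowed:
            alerts[(r["user"], r["patient_id"])].append(
                f"{r['record_type']} not permitted for role {user_role.get(r['user'], 'unknown')}")
    return dict(alerts)
```

On the constructed log this flags nurse42's four views of P1001 (two of them after discharge), nurse42 opening a maternity record and the nursing auxiliary opening any record at all, while nurse07's routine accesses raise nothing.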
