Employee fined for unlawfully obtaining health information

Paul Hedges, who previously worked as a Community Health Promotions Manager based at Bitterne Leisure Centre in Southampton, sent sensitive medical details relating to 2,471 patients to his personal email account after being told that he was being made redundant. He had previously been responsible for managing the Council’s GP referral service, where GPs and other health professionals would refer patients to attend fitness sessions for a range of conditions.

Mr Hedges took the information hoping to use the data for a new fitness company he was setting up. He was prosecuted under the Data Protection Act and was fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs. The Council became aware of their former employee’s actions when they received complaints about patients being approached by Mr Hedges.

Comment

This case shows the advantage of having robust and effective data protection procedures in place, which enabled the Council to avoid liability for its employee’s actions.