A personal injury claims company employee pleaded guilty on 1 June to offences of illegally obtaining NHS patients’ information over a four month period, the Information Commissioner’s Office has reported.
Martin Campbell, a former employee of the Bury-based personal injuries company Direct Assist, was prosecuted under the Data Protection Act 1998, s 55. Bury Magistrates’ Court fined Campbell £1,050 and ordered him to pay, £1,160 towards prosecution costs and a £15 victims’ surcharge.
Campbell is thought to have obtained personal data relating to around 29 patients who had received medical treatment at Prestwich or Moorgate Primary Care walk in centres, both based in Bury. The patients whose information was passed on had all attended the centres to receive treatment for accidents they’d been involved in. Their details were supplied by Campbell’s then girlfriend, Dawn Makin, who was working as a nurse at the centre. He then used the information to generate leads for the personal injury claims company he was working for at that time.
Campbell’s activities were uncovered when Bury Primary Care Trust received complaints from patients who had been contacted by a male asking them about their recent injuries before encouraging them to make a personal injury claim. The Trust’s investigation found that the patients’ files had been accessed by Ms Makin and that she did not have a legitimate reason for accessing them. It was at this point that the Trust reported the matter to the ICO.
The ICO’s case against Dawn Makin is not being pursued due to a prosecution no longer being in the public interest in the view of the ICO.
Information Commissioner, Christopher Graham, said:
‘Today’s prosecution should help to serve as a deterrent to those who attempt to illegally obtain and pass on people’s information. Where greed and breach of trust meet then the results, as in this case, can be tragic. The ICO will always pursue prosecutions where individuals breach both their duty of confidentiality and the Data Protection Act. Those whose responsibilities include the custodianship of sensitive personal data should take note.’