UK Court Issues Warning for those with Access to Personal Data at Work
On August 3, 2022 the UK Coventry Magistrates’ Court fined a former health adviser £3,000 for unlawfully accessing personal data at work.
This case is an example of an individual being held liable under UK data protection law and has several key takeaways for people handling personal data at work, such as production teams.
The defendant worked at an NHS Foundation trust when he unlawfully accessed the medical records of 14 patients, all of whom he knew personally.
According to a report by the Information Commissioner’s Office (ICO), the defendant had no valid business reason for accessing the records and did so without the trust’s knowledge.
The defendant pleaded guilty to unlawfully obtaining personal data, in breach of Section 170 of the Data Protection Act 2018. (Alongside the UK GDPR, the Data Protection Act sets out the UK’s data protection framework.)
The court ordered the defendant to pay compensation of £250 to 12 patients (£3,000 in total).
Key takeaways for production teams
This case is an example of an individual being held liable for a data breach under UK data protection law. As production teams have access to significant amounts of personal data – such as contact details, right to work documents, and payroll information – this decision has several key takeaways.
For production teams, remember that even if your job gives you access to personal data, that doesn’t give you the right to look at it. Regardless of whether you have physical/remote access to personal data, it’s essential that you don’t access it unless you have a valid business reason for doing so (e.g., to perform your role’s duty).
For production companies and studios, it's essential to have appropriate data protection policies and trainings in place, which are periodically updated and promoted. It’s also important to have a clear audit trail of who’s read and agreed to your policies, in the event of a breach.
As an added layer of security, access to personal data should be restricted to those who need it – and only for as long as they need it (the EP Production Portal makes this simple, with handy access permissions which help you to control who can see your data).
For more information on how to secure your production data, check out our guide to information security.