Former health administrator fined for illegally accessing data 51 times

Data protection has been pivotal in the U.K. since the introduction of the Data Protection Act (DPA) in 1998. Those who choose to go against this can be punished by the Information Commissioner’s Office (ICO) and fined accordingly.

This was exactly what happened to a former employee of a GP surgery who was found to be illegally accessed medical records.


Ms Sally Anne Day who worked as an administrator at Crickhowell Group Practice, which is part of the Powys Health Trust Board, repeatedly and unlawfully accessed the medical records of 2 patients between August 2015 and July 2016.

Ms Day accessed one of the patient’s records 51 times and accessed the other patient’s records 8 times.

She accessed this data without the consent of the patients.

Medical records are evidently highly sensitive data and contain a trove of medical history – it’s understandably something that someone would want to keep confidential. When Ms Day illegally accessed the patient’s records, it has reportedly caused the victims a significant amount of distress.

Breach of trust

Ms Day resigned from her job, and the ICO were informed of the data breach. The case was originally listed at Cwmbran Magistrates Court but was transferred to the crown court as there was a serious breach of trust involved, and the amount of times Ms Day had accessed the data illegally was shocking.

Prosecution and fine

Ms Day was prosecuted and sentenced at Newport Crown Court, pleading guilty to 2 offences under Section 55 of the DPA; namely the unlawful obtaining of personal data. The former administrator was fined £400 in total and was ordered to pay £350 costs and a £40 victim surcharge.

Importance of punishing perpetrators

ICO Enforcement Group Manager, Michael Shaw, reiterated the importance of punishing those who go against the DPA:

“Once again we see people getting into serious trouble by ignoring patient confidentiality and their data protection responsibilities. Those who work with sensitive personal information need to be aware that if they access that information without good reason, they could well find themselves in court and end up with a criminal conviction.”

It’s so easy to access someone’s medical records when you work in a GP surgery, hospital or pharmacy – but doing so without valid reason or consent is illegal. Let this be a stern word of warning to those who choose to violate the DPA and therefore cause undue distress to individuals.

IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.

Request a Callback from our team!

Fill out our quick call back form below and we’ll contact you when you’re ready to talk to us.
All fields marked * are required.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy.
You have the right to object to the processing of your personal data.