Wrong turn on data protection may lead to rights issue
Organisations could find themselves falling foul of human rights laws if they fail to handle sensitive staff information properly, a leading law firm has warned. Public sector bodies, particularly larger operations such as hospitals, run the risk of receiving substantial fines if their data protection isn’t up to scratch, say experts at Ward Hadaway.
The warning from the Newcastle-based firm follows a recent case in Finland, which is subject to the same European human rights laws as the UK.
In this case, colleagues of a nurse working at a Finnish hospital found out she was HIV positive and began making remarks about her illness in the workplace. The only way they could have known about her condition was that her medical records weren’t kept sufficiently securely by her employer, the hospital, which was also treating her HIV.
The nurse took the state-run hospital to court, claiming that it had breached her human rights. The Finnish court ruled that the hospital’s records system was insufficiently robust to protect the nurse’s personal details, and she was awarded a total of €13,711.80 (£11,043) in damages and a further €20,000 (£16,107) costs.
Judy Baker, partner and data protection expert at Ward Hadaway, said: “This case is significant because it basically says organisations subject to human rights legislation have a positive duty to protect personal information.
“This means it is not just a matter of not interfering with individuals’ privacy rights; organisations have to take positive steps to ensure these rights are upheld.
“All public sector bodies in the UK are subject to human rights legislation and, while the decision was made under Finnish law, the ruling comes from the same European Convention so it’s likely the same decision would be reached in a UK court.
“In the wake of recent high-profile data protection failures by organisations including HM Revenue & Customs and the Prison Service, this is another reason why it is so important for organisations to get their act together when it comes to the handling of sensitive personal information.”