No action against doc who accessed ECS

Tags: ECS GP

15 Jan 2010

A hospital doctor accused of accessing the Emergency Care Summary records of high profile politicians, footballers and BBC journalists will not be prosecuted, Scotland’s Crown Office has decided.

Dr Andrew Jamieson, who worked at Queen Margaret Hospital in Dunfermline, was accused of contravening the Data Protection Act by misusing access to the Emergency Care Summary database.

A Crown Office spokesperson told EHI Primary Care: “After full consideration of all the facts and circumstances, including confidential medical reports, Crown Counsel decided that no proceedings should be taken against Dr Andrew Jamieson. Letters explaining the decision have now been written to all those affected.”

The ECS is uploaded from GP systems every night and holds information on demographic details, current medications, allergies and adverse reactions for 5.2m patients in Scotland.

The summary is uploaded with implied consent and available to view on a ‘consent to view’ basis by NHS 24, out of hours centres and hospital accident and emergency departments.

In 2008, NHS Fife wrote to seven BBC journalists after discovering that a doctor working for it may have accessed records, and in December 2008 Dr Jamieson was charged with contravention of the DPA.

Jackie Bird, a newsreader on Reporting Scotland, was among those who were contacted by NHS Fife.

Scotland’s Sunday Mail claimed other records accessed included those of prime minister Gordon Brown, Scottish politicians Alex Salmond and Jack McConnell and Celtic footballers.

It reported that victims were told last week that it would not be in the public interest to prosecute Dr Jamieson after considering the nature of the breaches and medical reports on the accused.

Dr Jamieson was reported as saying he looked at the files out of curiosity and did not pass on the information or use it for financial gain.

Fiona Barr

Journalists warned of possible ECS breach (08 Dec 2008) (4)

Reader's Comments

Phew, that was close

15 Jan 10 11:01

Cool....so its now ok to look out of curiousity without fear of being prosecuted.

Is this for real?

Public interest?

cbond@bournemouth.ac.uk

20 Jan 10 09:01

Surely the public have an interest in knowing that their records are secure?

To suggest that its fine to have a quick look out of idle curiosity is hardly going to reassure the public, especially the ones who thought this was likely to happen all along.

In mitigation

20 Jan 10 12:01

This article only refers to the decision not to bring a criminal prosecution under the DPA.

It does not detail any disciplinary actions taken by either this doctor's employer or the General Medical Council. One presumes some kind of sanction was / is likely to be imposed.

agreed

Matthew.Grove@northumbria-healthcare.nhs.uk

20 Jan 10 13:01

Agree with previous poster.

They may have decided not to prosecute for criminal behaviour, but the GMC will take a dim view of such a flagrant breach of patient confidentiality.

The doctor is a victim of the system!

21 Jan 10 10:01

Security is as much about human factors as about the technical. One can deduce that this doctor's training in IT security was ineffective, assuming that it was delivered at all. It failed to communicate in a way that was understood.

This is no surprise. Our research shows that most NHS policies appear to communicate in terms of how the organisation wants to protect itself legally rather than giving users guidance on how best to use the system and what is appropriate behaviour.

The technical solution to security, adopted by NPfIT, has been characterised as almost as irritating as Microsoft's frequently appearing bubbles and dialogues that communicate in meaningless terms to a person trying to get something to work.

Perhaps it is no surprise that the security system (technical and non-technical) failed to dissuade someone acting out of apparently misguided curiosity from their actions.

Victim???

21 Jan 10 10:01

A victim of the system? Rubbish! The basic principle this guy broke was 'don't peek at medical records you have no right to be peeking at.' How hard to understand is that? For someone with years of medical training?

re: Victim ???

21 Jan 10 11:01

The EHI article states:

“After full consideration of all the facts and circumstances, including confidential medical reports, Crown Counsel decided that no proceedings should be taken against Dr Andrew Jamieson. Letters explaining the decision have now been written to all those affected.”

I interpret this to imply that the confidential medical reports related to Dr Jamieson - even Drs are allowed to be ill (I hope!).

Perhaps leaping to judgement without access to the full facts might be considered premature and unwarranted.

Thank you

21 Jan 10 11:01

You make my point for me poster #6. It is not hard to understand for a person well versed in the field. This doctor, for whatever reason, was not. Put another way, is it reasonable to expect an IT security consultant to know what to prescribe for hypertension?

AFAIK no doctor has training in IT security, appropriate behaviour in regard of information systems or indeed the proper handling of written clinical records. IT professionals and others must not assume that a medical training prepares doctors for everything. Years of medical training barely have time to prepare them for being a doctor!

Most go onto the wards with little idea of how health services are organised or operate and it is only exposure to the system that teaches them. Policies and procedures are not a part of the crowded curriculum.

From the available public evidence, it would appear that this doctor was naive rather than malicious. Would any clinician have enacted this breach, had they been trained appropriately by the organisation within which they work?

Responsibilities

21 Jan 10 15:01

It's the responsibility of the employer to ensure that all employees receive appropraite training: that includes mandatory H&S, principles of DPA etc.(NEWS FLASH - Doctors are employees and are employed by an employer). If they are self-employed then the responsibility rests with them directly (welcome to the world of self-employment).

COMMMON SENSE should also feature here - just how dumbed down are we going to get?

This guy is no fool - he's a DOCTOR and he will be fully aware of the requirements of Patient Confidentiality. The fact is that he had no business examining the content of those records - and he knows it.

In this instance - I dont care what the GMC will think - The DPA is there to protect the public - and it failed to protect the public in this instance.