Sep 16, 2020 | Articles, Cyber Security, GDPR

GP surgery secretary fined

Howard Freeman

A former GP surgery secretary has been fined for reading medical records of 231 patients in two years, the ICO reported in 2018.

A trip back in time to November of 2018 for this blog. We shouldn’t forget that whilst this story may have a few cobwebs on it, this could be happening in your business, today.

A former trainee secretary at a GP surgery has been fined. She admitted unlawfully reading the records of 231 patients in two years.

The Fakenham Medical Practice

Hannah Pepper was employed at the Fakenham Medical Practice in Norfolk in August 2015. Her duties included lawfully accessing medical records to assist doctors, solicitors and insurance companies.

However, despite being trained in the legal and ethical requirements for patient confidentiality, the surgery discovered in October 2017 that she had been reading a work colleague’s patient file without consent.


A subsequent investigation by the surgery found that Pepper had illegally accessed 231 patient records with no valid reason. These included colleagues and their families, her own relatives, friends and acquaintances and also members of the public.

Pepper accepted she had no justifiable reason for accessing the records. In a subsequent interview with the Information Commissioner’s Office (ICO), she suggested that, at times, she struggled with the monotony of her role.

Pepper, 23, of Ashside, Syderstone, Norfolk, admitted four charges of unlawfully accessing personal data, in breach of s55 of the Data Protection Act 1998, when she appeared at Kings Lynn Magistrates’ Court.

As a result, she was fined £350 and was also ordered to pay costs of £643.75 and a victim surcharge of £35.

Mike Shaw, the ICO’s Criminal Investigation Group Manager, said: 

“People whose job allows them access to confidential and often sensitive information have been placed in a position of trust. With that trust comes added responsibility.”

“Data protection law exists for a reason and curiosity or boredom is no excuse for failing to respect people’s legal right to privacy. Just because you can do something, that doesn’t mean you should.”

Lessons learnt

For us, the worst aspect of this case is the breach of trust. The loss of her job and the fines are one aspect, but there is also the loss of friends and possible shunning by her family. Who is the victim? Well, to give you a simple answer, everyone involved is.

The surgery should have carried out regular checks and reinforcement training. An open culture would have stopped this sooner. Those who had their records accessed may not have come to any harm; we don’t really know. They have every right to be angry, of course. Pepper herself has suffered, and better management and variation in her job role may have prevented this.

Don’t assume this isn’t happening in your business. Pepper was punished, and rightly so. The surgery must accept some of the blame too, and then there are the patients and the potential legal action to come.

Have you audited your business recently to understand what data is being accessed and by whom? Are access rights for your staff appropriate to their roles? Can they see too much?

So, if you need help with your audit then please contact us on 03333 22 1011 and let’s talk it through. Alternatively, you can contact us here.

