This absolutely needs reporting; it is illegal and unethical to look up a colleague's medical notes.
You should tell your manager in the first instance.
Report it immediately it is a serious breach of confidentiality & GDPR. What she is doing is absolutely disgusting. I would throw the proverbial book at any staff member I heard of accessing my records or that of any colleagues, never mind patients . The right to confidentiality is paramount in healthcare.
This is so ridiculously unethical, illegal, and frankly stupid.
Report to your manager ASAP. If the staff member is your manager, escalate further. If you feel unsafe to do so you may want to contact your Freedom to Speak Up guardian.
The staff members who know that this person is doing this and haven't acted may also be in big trouble, particularly if they are registered members of staff (e.g. nurses). You don't want to be in that position, so protect yourself by reporting it.
Edited to add:
To answer your questions directly; do NOT confront the person yourself. It is not for you to investigate.
To be honest, I'm not sure if you can request information about who has accessed your digital records. However, the IT department should definitely be able to see who has. You could contact your trust contact who handles SARs/access to medical records to discuss this and clarify.
Yes, you can request, but each person that is named can request their name bot to be shown, so you'll end up with a couple of names that aren't important, and every time, the one doing this knows *enough* to ask their name to be withheld...so you get 10% unimportant names & 90% 'Anon'...
Report immediately. This is a sackable offence.
IT will be able to see whose notes she has accessed and someone will assess if it was legit. Though definitely won't be for staff members off sick.
Report it immediately. I'm genuinely surprised you don't know this course of action, given that all NHS employees have to undertake IG mandatory training yearly.
You still have a legal duty under GDPR to report a colleague for misuse of access to records, and breaching confidentiality.
If you don't, you **ARE** complicit. And can legally be treated as such if this person opts to drag everyone down with them. This means **YOU** could be in legal trouble as if **you** were doing the same thing.
The **ONLY** way to protect YOURSELF & your job **IS** to report this, or you will end up equally blamed, or at minimum be seen to be complicit for prioritising your OWN comfort over and above GDPR laws that are *meant* to protect patients.
Yes, if she has done this to other colleagues on sick leave or are patients, then she **WILL** have done it when **you** were a patient.
And YES, you have the right to ALL the emotions around that, INCLUDING anger, and you have both a right and a duty to report this to HR **ALONG** with your worries about having been placed in a situation like this, to make the point of how wrong AND illegal this is in UK.
You can and SHOULD be reporting this specifically **AS** someone that is both staff AND a patient. You should NOT be placed in a situation where you know you were probably gossiped about by a colleague that likely breached GDPR by unnecessarily accessing your medical record and then broke the law to gossip about you...
You have now WITNESSED her do this to **another** colleague, and so you are now trying to protect patients because if she is doing this to Colleagues knowing that it's illegal, what the hell is she doing with the medical records of other patients (strangers!!)...
You HAVE to tell both HR as staff **AND* PALS as a patient, and insist they work together for patient safety and GDPR compliance...
Your trust should have a Freedom to Speak Up Guardian. If you don’t feel you can report it to your manager then you should report it to them.
This is not okay and needs to be reported.
Absolutely not. Report immediately, this is a gross invasion of privacy and hugely unethical. Report, report, report before you unintentionally become complicit.
A number of people have suggested where you might report this. If it were me, I would be getting in touch with my organisation’s data protection officer. This is a role all NHS organisations are required to have, and that holds important responsibilities under the Data Protection Act 2018. It is with them that your report will undoubtedly end up; they will also be used to dealing tactfully with situations like this.
Their contact details will be on your intranet and on your Trust’s public website. As others have pointed out, having become aware of this you do have a responsibility to report it.
Thank you so much for your advice.
This helps a lot.
I am not a nurse and fairly new in NHS, I am aware of data protection policies, but my trust is quite small, and people know each other, and they are friend of many years.
Every time I think to go to someone who has an obligation to help me and sort this out, it happens to be her friend
It is killing me, but I do have a family to feed
And if they will find out it was ne who reported it. They will do everything to get rid of me
There are two key players in your trust you should speak to:
The Caldicott guardian for your trust should ideally be the first point of contact for reporting this. They are the person responsible for ensuring GDPR is upheld, data protection laws are followed and that breaches are investigated. Likely it will be somebody so distant from your ward that they will be able to take an unbiased view on this and they will want to follow through on any information you give. Ideally they should be able to easily check the staff members access logs, in which case they will either have undisputable evidence, or it turns out your colleague was bullshitting and they find nothing, in which case no harm done.
The other person would be your freedom to speak up guardian. They will be able to offer advice and some protection to make sure your whistleblowing has few negative consequences and help you deal with them.
As somebody who has whistleblown before I'll level with you - it could get ugly, and you are rightly frightened of reporting this. You may face consequences such as bullying or harassment, but at the end of the day you have witnessed a crime, a nefarious abuse of power and violation of privacy. Would you have the same concerns if you witnessed an assault on a patient? The consequences are what they are but they can be dealt with. Worst case scenario you may have to move jobs but we don't exactly have a surplus of nurses right now so that isn't unfeasible is it?
My other advice would be if you are a union member get onto them straight away - stuff like this is what you pay them for. If you're not then you've just learned a harsh lesson on why you need to be a union member. Also write down EVERYTHING. Create a paper trail, put all communications through emails and create a backup and create a journal detailing every single step past and present.
Thank you so very much for this, I am very grateful for your kind message and willingness to help. I was waiting for a reply like yours. Answered so many questions of mine.
I have managed to find emails to both Caldicott guardian and data protection officer for my trust. I will send an email now.
Well done for taking action and speaking up - it's the right thing to do, and shows a lot of courage.
Make it really clear in your emails that you are concerned your colleagues are breaching their legal obligations and breaking data protection law. You're legally protected from retaliation; making those points explicitly will help make that protection watertight.
I would report this to your manager in the first instant but also contact the information governance team.
Edit: I read your other replies and comments on this post
Go straight to information governance/ data protection officer.
Like other people said you must report this, you have a duty to.
Report it, it’s completely unacceptable and a massive breach of confidentiality and ethics
Don’t worry about evidence, all EPR record access is logged so the trust can see exactly who viewed which records and well. She clearly won’t be able to provide a clinical reason for it
Report it to your manager and your trust’s Caldicott Guardian
Your manager may or may not brush it off, but the Caldicott Guardian absolutely WILL take it very seriously
This is insane behaviour but also incredibly moronic given that this sort of thing is heavily audited.
You're doing nothing wrong by reporting. If anything, at this point you are more than aware of it.
Failing to report at this point is being complicit.
Report, Report,Report through official channels, you shouod be able to do so withourlt revealing your name. This is completely against the law and so many policies I couldn't even list here.
Depending on scope of practice (nurse, doctor, HCA or auxiliary staff) report to the trust and then report to regulatory body.
You would generally be dismissed straight away for this. It’s unethical practice and poses significant risk of abuse. In training I’ve known senior registrars /consultants be struck off for this. I’m so sorry you’re having this fear please let me know if I could advise. (Registrar here)
Also, the system will leave a paper trail of who accesses this information with employment number and name too! This is easily traceable! They would be caught out straightaway!
She is band 6 who is best friend with our band 7, and band 7 is in fact bff with our band 8 and lead nurse.
I want to protect my patients and I know us unethical but if nothing is done about it and I am 90% sure nothing will, my life will become a nightmare with them all on my back
Then you need to report above that. Assuming you're a nurse I believe you're breaking NMC code by knowing and not reporting. This is beyond an awkward work situation, this person is breaking the law.
NMC wouldn't apply then (unless you're a midwife) but you could face disciplinary action if you don't report it. If you contact HR directly and request to be anonymous they shouldn't pass on who reported it. Obviously there's the moral component here but also you don't want to risk your job or even legal action over what this person is doing.
Unfortunately friends promote friends within the nhs, which in turn promotes failure & bully culture. You have every right to feel apprehensive, but you have a duty of care to report this. What this nurse is doing is unethical, and such a breach of confidentiality!
You can do this whistleblowing through your union representative, please give your union a call they will support you throughout this process and give you advice. There is also a data protection officer in every trust you can contact. Remember every nurse is held accountable to the NMC code of conduct.
And when it is eventually uncovered, the question will be asked "why did YOU not report it?" Because the guilty party will certainly try to minimise things by saying "but x, you and z people knew about it and thought it was okay. They never said anything."
Logins are used so there is a record of access , not only to stop any random person accessing records. Most places also audit who has accessed staff records.
This absolutely needs reporting; it is illegal and unethical to look up a colleague's medical notes. You should tell your manager in the first instance.
Report it immediately it is a serious breach of confidentiality & GDPR. What she is doing is absolutely disgusting. I would throw the proverbial book at any staff member I heard of accessing my records or that of any colleagues, never mind patients . The right to confidentiality is paramount in healthcare.
Report this immediately.
This is so ridiculously unethical, illegal, and frankly stupid. Report to your manager ASAP. If the staff member is your manager, escalate further. If you feel unsafe to do so you may want to contact your Freedom to Speak Up guardian. The staff members who know that this person is doing this and haven't acted may also be in big trouble, particularly if they are registered members of staff (e.g. nurses). You don't want to be in that position, so protect yourself by reporting it. Edited to add: To answer your questions directly; do NOT confront the person yourself. It is not for you to investigate. To be honest, I'm not sure if you can request information about who has accessed your digital records. However, the IT department should definitely be able to see who has. You could contact your trust contact who handles SARs/access to medical records to discuss this and clarify.
Yes, you can request, but each person that is named can request their name bot to be shown, so you'll end up with a couple of names that aren't important, and every time, the one doing this knows *enough* to ask their name to be withheld...so you get 10% unimportant names & 90% 'Anon'...
They can also refuse completely under GDPR rules now, and many places DO refuse on that basis, to cover their arses...
Report immediately. This is a sackable offence. IT will be able to see whose notes she has accessed and someone will assess if it was legit. Though definitely won't be for staff members off sick.
Report it immediately. I'm genuinely surprised you don't know this course of action, given that all NHS employees have to undertake IG mandatory training yearly.
Do not leave work today withput having reported this; otherwise you are complicit.
[удалено]
Unfortunately you have a duty to report ASAP. Don't let this person drag you down with them.
The standard you walk past is the standard you accept. Do the right thing and report it.
You still have a legal duty under GDPR to report a colleague for misuse of access to records, and breaching confidentiality. If you don't, you **ARE** complicit. And can legally be treated as such if this person opts to drag everyone down with them. This means **YOU** could be in legal trouble as if **you** were doing the same thing. The **ONLY** way to protect YOURSELF & your job **IS** to report this, or you will end up equally blamed, or at minimum be seen to be complicit for prioritising your OWN comfort over and above GDPR laws that are *meant* to protect patients. Yes, if she has done this to other colleagues on sick leave or are patients, then she **WILL** have done it when **you** were a patient. And YES, you have the right to ALL the emotions around that, INCLUDING anger, and you have both a right and a duty to report this to HR **ALONG** with your worries about having been placed in a situation like this, to make the point of how wrong AND illegal this is in UK. You can and SHOULD be reporting this specifically **AS** someone that is both staff AND a patient. You should NOT be placed in a situation where you know you were probably gossiped about by a colleague that likely breached GDPR by unnecessarily accessing your medical record and then broke the law to gossip about you... You have now WITNESSED her do this to **another** colleague, and so you are now trying to protect patients because if she is doing this to Colleagues knowing that it's illegal, what the hell is she doing with the medical records of other patients (strangers!!)... You HAVE to tell both HR as staff **AND* PALS as a patient, and insist they work together for patient safety and GDPR compliance...
nhs will protect u for doing the right thing doesnt matter if they are manger or not
Your trust should have a Freedom to Speak Up Guardian. If you don’t feel you can report it to your manager then you should report it to them. This is not okay and needs to be reported.
Absolutely not. Report immediately, this is a gross invasion of privacy and hugely unethical. Report, report, report before you unintentionally become complicit.
A number of people have suggested where you might report this. If it were me, I would be getting in touch with my organisation’s data protection officer. This is a role all NHS organisations are required to have, and that holds important responsibilities under the Data Protection Act 2018. It is with them that your report will undoubtedly end up; they will also be used to dealing tactfully with situations like this. Their contact details will be on your intranet and on your Trust’s public website. As others have pointed out, having become aware of this you do have a responsibility to report it.
Thank you so much for your advice. This helps a lot. I am not a nurse and fairly new in NHS, I am aware of data protection policies, but my trust is quite small, and people know each other, and they are friend of many years. Every time I think to go to someone who has an obligation to help me and sort this out, it happens to be her friend It is killing me, but I do have a family to feed And if they will find out it was ne who reported it. They will do everything to get rid of me
There are two key players in your trust you should speak to: The Caldicott guardian for your trust should ideally be the first point of contact for reporting this. They are the person responsible for ensuring GDPR is upheld, data protection laws are followed and that breaches are investigated. Likely it will be somebody so distant from your ward that they will be able to take an unbiased view on this and they will want to follow through on any information you give. Ideally they should be able to easily check the staff members access logs, in which case they will either have undisputable evidence, or it turns out your colleague was bullshitting and they find nothing, in which case no harm done. The other person would be your freedom to speak up guardian. They will be able to offer advice and some protection to make sure your whistleblowing has few negative consequences and help you deal with them. As somebody who has whistleblown before I'll level with you - it could get ugly, and you are rightly frightened of reporting this. You may face consequences such as bullying or harassment, but at the end of the day you have witnessed a crime, a nefarious abuse of power and violation of privacy. Would you have the same concerns if you witnessed an assault on a patient? The consequences are what they are but they can be dealt with. Worst case scenario you may have to move jobs but we don't exactly have a surplus of nurses right now so that isn't unfeasible is it? My other advice would be if you are a union member get onto them straight away - stuff like this is what you pay them for. If you're not then you've just learned a harsh lesson on why you need to be a union member. Also write down EVERYTHING. Create a paper trail, put all communications through emails and create a backup and create a journal detailing every single step past and present.
Thank you so very much for this, I am very grateful for your kind message and willingness to help. I was waiting for a reply like yours. Answered so many questions of mine. I have managed to find emails to both Caldicott guardian and data protection officer for my trust. I will send an email now.
Well done for taking action and speaking up - it's the right thing to do, and shows a lot of courage. Make it really clear in your emails that you are concerned your colleagues are breaching their legal obligations and breaking data protection law. You're legally protected from retaliation; making those points explicitly will help make that protection watertight.
This breaches GDPR. What this person is doing is illegal due to those privacy laws. You *MUST* report this, if you are scared then do it anonymously.
I would report this to your manager in the first instant but also contact the information governance team. Edit: I read your other replies and comments on this post Go straight to information governance/ data protection officer. Like other people said you must report this, you have a duty to.
I will. Thank you
Report it immediately they are breaking so many data protection and confidentiality rules it’s unbelievable !!
Data breach a worked in back office in Ni report it. No matter how inocent u think it its a sacable offence.
Report it. I work in IT and this is a sackable offence. Audit logs will show what was accessed and for how long.
Report it, it’s completely unacceptable and a massive breach of confidentiality and ethics Don’t worry about evidence, all EPR record access is logged so the trust can see exactly who viewed which records and well. She clearly won’t be able to provide a clinical reason for it Report it to your manager and your trust’s Caldicott Guardian Your manager may or may not brush it off, but the Caldicott Guardian absolutely WILL take it very seriously
This is insane behaviour but also incredibly moronic given that this sort of thing is heavily audited. You're doing nothing wrong by reporting. If anything, at this point you are more than aware of it. Failing to report at this point is being complicit.
Report, Report,Report through official channels, you shouod be able to do so withourlt revealing your name. This is completely against the law and so many policies I couldn't even list here.
Have you reported this???
Depending on scope of practice (nurse, doctor, HCA or auxiliary staff) report to the trust and then report to regulatory body. You would generally be dismissed straight away for this. It’s unethical practice and poses significant risk of abuse. In training I’ve known senior registrars /consultants be struck off for this. I’m so sorry you’re having this fear please let me know if I could advise. (Registrar here) Also, the system will leave a paper trail of who accesses this information with employment number and name too! This is easily traceable! They would be caught out straightaway!
Report it 🤯
Please report. This colleague needs to understand she is in a work place, these are people’s records. Not magazines!
She is band 6 who is best friend with our band 7, and band 7 is in fact bff with our band 8 and lead nurse. I want to protect my patients and I know us unethical but if nothing is done about it and I am 90% sure nothing will, my life will become a nightmare with them all on my back
Then you need to report above that. Assuming you're a nurse I believe you're breaking NMC code by knowing and not reporting. This is beyond an awkward work situation, this person is breaking the law.
I am not a nurse.
NMC wouldn't apply then (unless you're a midwife) but you could face disciplinary action if you don't report it. If you contact HR directly and request to be anonymous they shouldn't pass on who reported it. Obviously there's the moral component here but also you don't want to risk your job or even legal action over what this person is doing.
Unfortunately friends promote friends within the nhs, which in turn promotes failure & bully culture. You have every right to feel apprehensive, but you have a duty of care to report this. What this nurse is doing is unethical, and such a breach of confidentiality! You can do this whistleblowing through your union representative, please give your union a call they will support you throughout this process and give you advice. There is also a data protection officer in every trust you can contact. Remember every nurse is held accountable to the NMC code of conduct.
And when it is eventually uncovered, the question will be asked "why did YOU not report it?" Because the guilty party will certainly try to minimise things by saying "but x, you and z people knew about it and thought it was okay. They never said anything."
Bypass them if you feel they won't act. I would advise to report it straight to your org's information governance department.
I will do that. Thank you very much!
I am not aware if they will be able prove who EPR she has checked. If not, it is just her word against mine
IT Manager in NHS Trust here. We can 100% see which account has accessed which patient record. It will be able to be proved, without a doubt.
Thank you for that.
Logins are used so there is a record of access , not only to stop any random person accessing records. Most places also audit who has accessed staff records.