Shamim Sadiq, a GP practice manager at Hollybrook Medical Centre in Littleover, Derby, was suspended by her employer on 3 November 2017 for unrelated matters and dismissed later that month. In addition to being employed at the surgery, she was also employed by the Care Quality Commission as a specialist advisor for practice management, and as a result she still had access to her NHS email account following her suspension.
Another member of staff had been given access to Ms Sadiq’s NHS email account for business continuity following her dismissal. This member of staff found that Sadiq had forwarded an email from her work email account to her personal email account without a business reason to do so. It contained 13 application forms which had been submitted several months earlier for a vacancy at the surgery and included names, addresses, personal email addresses, national insurance numbers of candidates as well as further personal data of their referees.
The surgery reported the matter to the ICO and an investigation followed.
Sadiq subsequently admitted unlawfully accessing personal data and was fined £120, plus £364 costs and a victim surcharge of £30. Due to the timing of the incident, Sadiq was prosecuted under section 55 of the Data Protection Act 1998 and not the new Data Protection Act 2018.
As always, if you have a legal query please get in touch with the FSB Legal Helpline on 0345 0727727 and we'll be happy to assist you.