Hospital staff embroiled in a privacy probe involving the Princess of Wales will likely be facing disciplinary action, an expert has warned.
The Mirror revealed an investigation is underway at the world-renowned The London Clinic into claims Kate's confidentiality was breached while she was a patient in January. At least one member of staff was said to have been caught trying to access the 42-year-old's medical notes.
The future Queen had abdominal surgery at the London hospital in January, and stayed for a fortnight as she recovered before returning home to Windsor.The allegations are the latest blow to hit Kate, whose absence from public life over the past two months has led to wild conspiracy theories on social media about her whereabouts and health.
Now, an employment expert has outlined the likely next steps for accused staff, while a data protection expert has suggested Kate could well claim compensation. Employment partner Tracey Guest at law firm Slater Heelis told the Mirror: "Any hospital employee who has accessed Kate Middleton's private medical records, without any proper work reason to do so, is at risk of being dismissed due to gross misconduct.
"Previous cases for dismissal relating to confidential information have held that it is important for employers to have policies in place which make it abundantly clear to employees that unauthorised interference with computers/accessing confidential information unnecessarily will carry severe penalties.
"No doubt all hospital employees will have been given contracts of employment where confidential information is a key term; and it is likely that the hospital will have policies in place to make it clear that unlawfully accessing patient confidential information is likely to amount to gross misconduct."
The next steps to follow will depend on the alleged employee's years of service at the clinic. Tracey continued: "If an employee has two or more years' service, the hospital will need to follow a fair procedure prior to dismissing an employee, otherwise they will be at risk of a claim for unfair dismissal.
"This means that the hospital should require the employee to attend an investigation meeting, where the allegations are put to the employee and the employee is given a chance to respond and put forward any explanation/deny the allegations. If the Investigating Officer decides that there is a case to answer, the employee must then be required to attend a disciplinary meeting.
"The employee should be advised in advance in writing of the disciplinary allegations against them and warned that a possible outcome may be dismissal. The employee should also be given the right to be accompanied to the disciplinary meeting by a fellow employee or trade union representative of their choice. If an employee is dismissed, they should be given the right to appeal the decision."
It is likely that accessing medical records without any proper work reason is also a breach of data protection, and these allegations would also be discussed with the employee concerned, Tracey explained. Meanwhile, the employees' alleged actions causing reputational damage to the hospital will also be assessed.
"Given the publicity surrounding this matter, this allegation would be genuine and could provide a further reason to warrant dismissal for gross misconduct (subject to the findings of any appropriate investigation and disciplinary)," Tracey added, before suggesting: "Any employee involved in accessing medical records without a proper reason to do so may be best advised to resign, in order to avoid having a dismissal on their records."
The clinic's boss said that all appropriate investigatory, regulatory and disciplinary steps will be taken when looking at alleged data breaches. Al Russell, said in a statement: "Everyone at the London Clinic is acutely aware of our individual, professional, ethical and legal duties with regards to patient confidentiality. We take enormous pride in the outstanding care and discretion we aim to deliver for all our patients that put their trust in us every day.
"We have systems in place to monitor management of patient information and, in the case of any breach, all appropriate investigatory, regulatory and disciplinary steps will be taken. There is no place at our hospital for those who intentionally breach the trust of any of our patients or colleagues."
It is a criminal offence for any staff in an NHS or private healthcare setting to access the medical records of a patient without the consent of the organisation's data controller. Looking at somebody's private medical records without permission can result in prosecution from the Information Commissioner's Office in the UK.
A spokesperson for the data watchdog said: "We can confirm that we have received a breach report and are assessing the information provided." Jon Baines, Senior Data Protection Specialist at Mishcon de Reya, outlined what this would mean and suggested that Kate could claim for compensation.
"Any investigation by the ICO is likely to consider whether a criminal offence might have been committed by an individual or individuals," he began. "Section 170 of the Data Protection Act 2018 says that a person commits an offence if they obtain or disclose personal data 'without the consent of the controller'. Here, the controller will be the clinic itself.
"Although there are defences available to someone charged with the offence - such as that they reasonably believed they had the right to 'obtain' the personal data, or on grounds of public interest - such defences are unlikely to apply where someone knowingly accesses patient notes for no valid or justifiable reason.
Mr Baines explained that an offence is only punishable by a fine. In England and Wales, although the maximum fine is unlimited, there is no possibility of any custodial sentence.
"A further area of potential investigation for the ICO will be whether the clinic itself complied with its obligations under the UK GDPR to have 'appropriate technical or organisational measures' in place to keep personal data secure.," the data expert continued. "Serious failures to comply with that obligation could lead to civil monetary penalties from the ICO, to a maximum of £17.5m although, in reality, given that such civil fines must be proportionate, it is rare that such large sums are even considered by the ICO.
"Individuals, such as - in this case - The Princess of Wales, can also bring claims for compensation under the UK GDPR, and for 'misuse of private information', where their data protection and privacy rights have been infringed."
Mr Baines added: "Whatever the outcome from the ICO, anyone working in an environment where they might have access to personal data, particularly of a sensitive nature, should be aware that there are potential criminal law implications arising from unauthorised access, and any organisation holding such information should ensure it has appropriate measures in place to prevent, or at least reduce the risk, of such access."
Earlier today, a health minister said police have "been asked to look at" whether staff at The London Clinic attempted to access the Princess of Wales' private medical records. MP Maria Caulfield, who is a nurse serving as Parliamentary Under-Secretary of State for Mental Health and Women's Health Strategy, said there could be “hefty implications” if it turns out anyone accessed the notes without permission, including prosecution or fines.
When questioned whether it should be dealt with as a police matter, Ms Caulfield told LBC: “Whether they take action is a matter for them. But the Information Commissioner can also take prosecutions, can also issue fines, the NMC (Nursing and Midwifery Council), other health regulators can strike you off the register if the breach is serious enough. So there are particularly hefty implications if you are looking at notes for medical records that you should not be looking at."
Reassuring listeners, she also told Times Radio: "For any patient, you want to reassure your listeners that there are strict rules in place around information governance about being able to look at notes even within the trust or a community setting.
"You can't just randomly look at any patient's notes. It's taken extremely seriously, both by the information commissioner but also your regulator. So the NMC (Nursing and Midwifery Council), if as a nurse, you are accessing notes that you haven't got permission to access, they would take enforcement action against that. So it's extremely serious.
"And I want to reassure patients that their notes have those strict rules apply to them as they do for the Princess of Wales." Kensington Palace refused to confirm what Kate was being treated for at the time of the announcement she had surgery but later confirmed the condition was non-cancerous.
An official statement read: "Her Royal Highness The Princess of Wales was admitted to The London Clinic yesterday for planned abdominal surgery. The surgery was successful and it is expected that she will remain in hospital for ten to fourteen days, before returning home to continue her recovery."
The Palace also raised that they wanted to keep her health concerns private, adding: "Based on the current medical advice, she is unlikely to return to public duties until after Easter. The Princess of Wales appreciates the interest this statement will generate. She hopes that the public will understand her desire to maintain as much normality for her children as possible; and her wish that her personal medical information remains private.
"Kensington Palace will, therefore, only provide updates on Her Royal Highness' progress when there is significant new information to share. The Princess of Wales wishes to apologise to all those concerned for the fact that she has to postpone her upcoming engagements. She looks forward to reinstating as many as possible, as soon as possible."
As speculation has swirled regarding the Princess' whereabouts, Kate was most recently seen stepping out in public with Prince William for the first time at the weekend. The couple, dressed in sportswear, were spotted walking with shopping bags at a farm shop close to their home on the Windsor estate.