Last week, human error at an HIV clinic 56 Dean Street, a sexual health clinic operated as part of Chelsea and Westminster NHS Foundation Trust meant that details of 780 patients were disclosed. The data breach was committed through the email circulation of the clinic's "OptionE" newsletter to HIV positive patients. Those on the database should have been blind copied into the newsletter. Instead details were sent as a group email so all email addresses were visible to others.
This breach of sensitive personal data is extremely serious and the Information Commissioner’s Office is now making enquiries. By sharing these details with others the clinic has breached the Data Protection Act and could be fined up to £500,000. The breach has caused distress for many people who have not told friends or family. This action also brings the hospital into disrepute. A spokesperson for the hospital has said that it is too early to say if any action would be taken against the member of staff.
Without knowing the facts it is impossible to determine whether this was a matter of misconduct or poor performance. With so much communication now taking place via email it is important for every organisation to have an email and internet policy in place, even for a business with one employee or a charity staffed by volunteers.
Your email and internet policy should set out details of what is and is not acceptable.
- Be clear about the ownership of email addresses and the content and ownership of emails sent by the organisation. Email addresses and content included in emails belong to the business so the employee has no right to take the data and use it elsewhere.
- The policy should explicitly prohibit the unauthorised access of any other user's messages and the copying or transmitting of any documents, software, or other matter protected by the copyright laws.
- Clearly state that you have the right to monitor the electronic communications of employees and make it clear that an employee has no right to or expectation of privacy with respect to personal email messages sent over the organisation’s email system.
- Say specifically that threatening, vulgar or obscene communications and those including sexually, racially or otherwise offensive matter are forbidden.
- If you are dealing with particularly sensitive data, include rules and guidelines on how employees should deal with confidential information and trade secrets. They should also be aware that they should not forward any confidential messages or attachments from other companies without permission. Require employees to encrypt any confidential information that is sent via email and change passwords regularly.
- State that if an employee is found to be in breach of the email policy, this could result in disciplinary action, up to and including termination. If an employee witnesses email policy abuse they are required to report the incident immediately. Include contact details of who to contact if a violation of the policy rules is detected.
The appropriate use of emails can increase business efficiency but inappropriate use has the opposite effect. It may seem like common sense but the policy needs to be there in black and white, communicated, monitored and enforced in the event of breach.
Get in touch if you would like help resolving your HR concerns.
Subscribe to our free monthly HR newsletter. Russell HR Consulting employment law newsletters are emailed automatically to our ever-growing number of subscribers every month.
Latest blog posts
- Time Spent on Reconnaissance is Seldom Wasted
07 / 04 / 2021
- Are Staff on Sleep in Shifts Entitled to NMW for the Entire Shift?
24 / 03 / 2021
- How to Deal with Toxic Employees
10 / 03 / 2021
- Can I Make Vaccinations Mandatory?
24 / 02 / 2021
- Being Sent Distracted – and How to Avoid It
17 / 02 / 2021
- Speed It Up
09 / 02 / 2021
- Saying Goodbye Forever
02 / 02 / 2021
- Adapt or Die
27 / 01 / 2021
- Never Waste A Good Crisis
19 / 01 / 2021
- Up Close and Personal 12 / 01 / 2021