A social worker has agreed to a three-year caution after being found to have forwarded multiple confidential documents to a personal email account.
The practitioner’s misconduct was only discovered after she had completed an agency stint with a council, which accessed her staff email account to retrieve material relating to work left incomplete.
The local authority found the social worker had forwarded more than 20 documents, including care plans, assessments and court statements, mostly unredacted, to her Yahoo account during late 2017.
It referred the case to the Health and Care Professions Council (HCPC), which agreed a caution order by consent at a tribunal hearing in late March, after the social worker admitted the allegation in full. The social worker was not practising at the time of the hearing but hoped to return to social work, the tribunal noted.
Data breaches by social workers have been something of a regulatory grey area in recent times. A social worker escaped sanction in 2016 after self-referring to the HCPC and arguing he had forwarded emails to a personal account due to a “highly pressurised” work environment and disruption caused by a change in the IT system.
In the wake of her being referred to the HCPC, the social worker in the recent case prepared a reflective statement acknowledging her misconduct. She also issued a written apology and completed remedial data protection training.
The social worker confirmed via her legal representative that she was prepared to admit that her fitness to practise had been impaired by her behaviour.
“The panel accepts that by her statement and by agreeing to the draft consent order, the registrant has shown both reflection and insight,” the tribunal said.
“She has further recognised the serious nature of the allegation made against her,” it added. “She has acknowledged the potential ramifications that her actions could have had on service users and the further impact that this conduct could have on the reputation of and public confidence in social workers.”
The data breach was an isolated incident in which no service users had been harmed and the risk of any similar future incident was low, the tribunal concluded in agreeing the sanction.
It added that even had a contested hearing taken place, it was unlikely that a stiffer punishment would have been imposed.