A MEDICAL practice’s data protection officer (DPO) has been warned to stop falsely claiming to be a qualified solicitor or he could face prison.

Paul Couldrey became DPO for Severn Valley Medical Practice earlier this year but has been told by the Solicitors Regulation Authority (SRA) to take “remedial steps” or he could face two years in prison.

On a number of occasions, including on his personal blog and in emails, Mr Couldrey has referred to himself as a “qualified solicitor” – though, according to SRA, has now admitted he has no such qualifications.

South Worcestershire Healthcare (SWH), which oversees over 30 practices, including Severn Valley, recommended Mr Cauldrey for the advisory role.

In a redacted CV from July, it states he has held similar roles for several primary care trusts as well as West Midlands Police as IT security manager and DPA legal advisor.

A DPO ensures that an organisation processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules.

In literature produced by the SWH, it states: “Paul is a qualified solicitor” – while he even spoke at a Conferences 4 Health event in November 2017 and was listed in the programme notes as a “trained solicitor”.

Andrew Brown, a former patient at Severn Valley, which has surgeries in Henwick Halt and Lyppard Grange, alerted SRA to his suspicions following a dispute over access to personal data.

In an email from Mr Couldrey to Mr Brown on July 12 – seen by the Worcester News – he said he “was a qualified solicitor many years ago”.

In an email to Mr Brown on September 13, also seen by the Worcester News, SRA investigation officer Philip Saich said Mr Couldrey “was warned that pretending to be a solicitor is a criminal offence”.

He said it is “liable on conviction on indictment to imprisonment for not more than two years or to a fine, or both” under Section 20 of the Solicitors Act 1974.

In the email, Mr Saich went on to say Mr Couldrey “acknowledged he misled and would take action to amend or remove any misleading publicity and would clarify the position with those he engages with”.

He added: “I consider warning Mr Couldrey as I have done so, is sufficient deterrent from such repeated behaviour.

“Should it come to light that my warning was ignored, and the recommended steps not taken, we will consider criminal proceedings.”

In an email to Mr Brown on September 18, Mr Saich said that as Mr Couldrey is not SRA regulated, it is not possible for him to have breached the organisation’s rules, however.

In the same email, he confirmed Mr Couldrey “admitted to having pretended to be a solicitor” – including in an email to Mr Brown – “which is a criminal offence”.

Mr Brown said: “I consider my former practice was misled by the material they had about his service, claiming him to be a solicitor.

“It would be appropriate to expect them to take a robust view and not see it as trivial.

“Perhaps the members and perhaps their patients might now take a view on whether they want the responsible data protection advisory role performed by someone who is not the lawyer they claimed to be, even if he does represent an economically attractive option.”

Claire Gould, chief executive for SW Healthcare, said, following the introduction of new GDPR regulations this year, “our practices felt that it would be useful to identify a service which could support them with queries about Information Governance”.

She said: “Mr Couldrey runs a business called PCIG Consulting. He has a degree in Law and a masters degree in Information Law and his roles both with the police and in healthcare have always been associated with information governance.

“We consider him to be an expert in his field.

“All of our individual member practices have the option of whether they wish to contract with PCIG Consulting – there is no overarching contract which restricts their choice.

“Those practices that have signed a contract with PCIG Consulting and have used Paul's services, are very impressed with the help and advice they have received.”

She added that being a qualified solicitor is not a requirement for becoming a DPO.

An SRA spokesman said: “We are investigating before we decide on any next steps. However, as this is an ongoing matter for us, we cannot comment any further at this time.”

South Worcestershire CCG and Paul Couldrey did not wish to comment when contacted by the Worcester News.

Severn Valley Medical Practice was unavailable for comment.