
Curiosity is not an excuse: protecting patient data in healthcare

  • Date 22 June 2026
  • Type Blog

Paul Arnold is the ICO's Chief Executive Officer

When people seek medical care, they share some of the most sensitive personal information about themselves. They do so out of necessity, and in trust that it will be in safe hands.

When medical records are accessed without a legitimate reason, that trust is jeopardised. This can be deeply concerning for patients and their families, as we have seen recently with high-profile incidents in Nottingham and Southport. 

Across the UK every day, medical records are accessed thousands of times by healthcare staff who legitimately need this information to deliver the best possible care. Inappropriate access is rare and does not represent the behaviour of the vast majority of healthcare staff who take their duty of confidentiality extremely seriously. 

But it does happen, and we receive a number of reports from organisations about these breaches. Recent high-profile cases point not to isolated incidents but to a worrying trend that requires a serious response across the healthcare sector. 

As I highlighted in my recent evidence to the Nottingham Inquiry, I believe this is primarily a cultural challenge. When a local incident becomes national news - a serious crime, a public tragedy, a story that captures widespread attention - there is an increased risk that healthcare staff could be tempted to look at records they have no reason to view.

In many healthcare cases, staff have legitimate access to these systems. Patients can be transferred to their care at a moment’s notice, and fast access to medical information is essential to delivering safe care. 

But having the ability to view a record is not the same as having a legitimate need to do so. Most of the time this distinction is well understood, but in rare cases it is clear that curiosity, or more concerning motives, can lead people to access information without authorisation.

This is not an excuse. Knowingly or recklessly accessing personal data without authorisation, for whatever reason, is against the law. The consequences are real - disciplinary action, loss of professional accreditation and prosecution in some cases, and lasting harm to patients. So too is the damage done to the professional integrity of the many healthcare workers who do the right thing every day.

It is important to remind organisations of this – so they can remind their staff of it too. Sometimes the steps needed to effectively protect personal data can be complex and technical. But sometimes it's the simple leadership and organisational measures that make all the difference to an organisation's culture. I wanted to share a couple of examples of the good practice we see today. 

When a serious incident occurs that is likely to attract significant public attention, quick and proactive communication with staff can prevent a breach before it happens. 

I have seen how simple and timely messages from the most senior leaders - clearly reminding all staff of their responsibilities towards patient confidentiality - have been a genuinely effective deterrent. I encourage every organisation to make this a standard part of their response to high-profile incidents in their community. 

Role-specific, tailored data protection training is also important. It must be absolutely clear to every member of staff which records they are authorised to access, and why. Appropriate technical controls - including access restrictions and audit logging - should reinforce those boundaries. And staff should also know exactly what to do if they become aware of a breach. 

There are organisations getting this right - investing in their people, building strong cultures of accountability, and treating data protection as integral to patient safety. Those that do invest in this way build the public trust that underpins everything else, including better care and genuine confidence in the healthcare system. 

The ICO has practical guidance to support that work, and we are committed to amplifying the good practice we see across the sector - working closely with NHS England and the National Data Guardian on how we can most effectively support the sector to address this issue. 

Every patient, regardless of who they are or what circumstances brought them into the healthcare system, has a right to privacy. Protecting that right is not a mere compliance obligation. It is a matter of basic trust - and that trust, once broken, is hard to rebuild. 

My suggestion to healthcare leaders is this: ask yourself honestly whether your organisation is doing enough to prevent unauthorised access before it happens.