ICO chief executive officer Paul Arnold has responded to an HSJ investigation which revealed that more than 1,400 reports of unauthorised access to patient data have been made to the ICO since 2019.
Under the UK Data Protection Act and GDPR, every time a medical record is accessed, the access is recorded, creating a digital audit trail.
Because access logs are detailed and secure, unauthorised snooping by NHS staff is strictly monitored and flagged.
The Information Commissioner’s Office (ICO) has prosecuted a number of NHS workers for patient record snooping.
Paul Arnold said: "When medical records are accessed without a legitimate reason, that trust is jeopardised. This can be deeply concerning for patients and their families, as we have seen recently with high-profile incidents in Nottingham and Southport.
"Across the UK every day, medical records are accessed thousands of times by healthcare staff who legitimately need this information to deliver the best possible care. Inappropriate access is rare and does not represent the behaviour of the vast majority of healthcare staff who take their duty of confidentiality extremely seriously.
"But it does happen, and we receive a number of reports from organisations about these breaches. Recent high-profile cases point not to isolated incidents but to a worrying trend that requires a serious response across the healthcare sector.
"Having the ability to view a record is not the same as having a legitimate need to do so. Most of the time this distinction is well understood, but in rare cases it is clear that curiosity or more concerning motives can cause people to access information without authorisation.
"Every patient, regardless of who they are or what circumstances brought them into the healthcare system, has a right to privacy. Protecting that right is not a mere compliance obligation. It is a matter of basic trust - and that trust, once broken, is hard to rebuild.
"My suggestion to healthcare leaders is this: ask yourself honestly whether your organisation is doing enough to prevent unauthorised access before it happens."