NHS warns staff face sack or prison for inappropriately accessing patient data
Doctor on computer

The head of the NHS has warned that staff face the sack or prison if they access patient records without a legitimate reason.

The NHS has launched a new campaign to remind staff what constitutes unlawful access, the potential impacts on patients and what the consequences could be for their career.

The announcement follows several incidents of staff being dismissed from their posts after accessing the medical records of victims of high-profile crimes, including the Nottingham attacks.

NHS England has today published new guidance for all NHS organisations on preventing and monitoring unauthorised access, as well as their responsibilities in investigating and reporting it.

The guidance sets out the different types of unlawful access, and makes clear that where it occurs, employers may report it to the Information Commissioner’s Office (ICO) and police, which could lead to a criminal prosecution, or to professional regulators which could end a career.

Sir Jim Mackey, NHS Chief Executive, said: “Patients must be able to trust that their personal information is kept confidential by the NHS – any instance of staff looking at records without a valid reason is wholly unacceptable, a disgraceful breach of patients’ trust and against the law.

“While the majority of NHS staff handle patient information responsibly and professionally every day, it’s been incredibly worrying that a small number have chosen to undermine the trust that patients place in them and caused such additional distress for families who deserved so much better from us.

“Anyone considering accessing records for personal reasons or out of curiosity should be in no doubt they could be putting their career at risk, and may face disciplinary action, dismissal, referral to the regulator or even time in prison.

“We will not tolerate a culture of curiosity when it comes to patient confidentiality – there is no place in the NHS for those who misuse patient information and together we will take firm action to prevent and monitor unlawful access, and to act decisively when that occurs.”

Paul Arnold, ICO Chief Executive Officer, said: “When people seek medical care, they share some of their most sensitive personal information in the trust that it will be kept safe. Unauthorised access to those records is not just a breach of data protection law — it is a betrayal of that trust, with real and lasting consequences for patients and their families.

“Having the ability to view a record is not the same as having a legitimate need to do so. Every member of staff has a personal responsibility to respect that boundary, and every patient has a right to expect that they will. Staff who breach that trust face serious consequences: loss of employment, removal of professional accreditation and criminal prosecution.”