NHS staff to face sack or prison for unlawful patient data access
- 8 July 2026
- Sir Jim Mackey has warned NHS staff they could face dismissal or prison for accessing patient records without a legitimate reason
- NHS England has issued new guidance to help organisations prevent, monitor and investigate unauthorised access to patient records
- Cyber security expert Saif Abed says stronger auditing and enforcement are needed to tackle inappropriate access across the NHS
Sir Jim Mackey, chief executive of NHS England, has issued a stark warning to staff that they face the sack or even prison if they access patient records without a legitimate reason.
The head of the NHS today said that staff looking at medical records for personal reasons or out of curiosity was “wholly unacceptable, a disgraceful breach of patients’ trust and against the law” and would not be tolerated by the NHS.
His warning comes as the NHS launches a new campaign to remind staff what constitutes unlawful access, the potential impact on patients and what the consequences could be for their careers.
It follows several incidents of staff being dismissed after accessing the medical records of victims of high-profile crimes, including the Nottingham attacks. The medical details of a child seriously injured in a crocodile pit were also reportedly accessed by up to 40 members of staff.
Mackey said: “Patients must be able to trust that their personal information is kept confidential by the NHS – any instance of staff looking at records without a valid reason is wholly unacceptable, a disgraceful breach of patients’ trust and against the law.
“While the majority of NHS staff handle patient information responsibly and professionally every day, it’s been incredibly worrying that a small number have chosen to undermine the trust that patients place in them and caused such additional distress for families who deserved so much better from us.
“Anyone considering accessing records for personal reasons or out of curiosity should be in no doubt they could be putting their career at risk, and may face disciplinary action, dismissal, referral to the regulator or even time in prison.
“We will not tolerate a culture of curiosity when it comes to patient confidentiality – there is no place in the NHS for those who misuse patient information and together we will take firm action to prevent and monitor unlawful access, and to act decisively when that occurs.”
NHS England has published new guidance for all NHS organisations on preventing and monitoring unauthorised access as well as their responsibilities in investigating and reporting it.
The guidance sets out the different types of unlawful access and makes clear that, where it occurs, employers may report it to the Information Commissioner’s Office (ICO) and police, both of whom have the power to pursue a criminal prosecution, as well as to professional regulators, which can end a career.
It also outlines how monitoring and regular audits can be conducted depending on the IT systems organisations have in place.
For example, some newer electronic patient record systems may be able to identify potentially inappropriate access in real time, with the capability to set up alert ‘flags’ to identify suspicious activity.
Cyber security expert Saif Abed, founding partner at the AbedGraham Group, told Digital Health News: “Although I welcome Sir Jim Mackey’s warning, I question how effective it will be.
“Enforcement actions are notoriously weak when it comes to data privacy and, more broadly, cybersecurity across the NHS.
“Furthermore, NHS trusts struggle to audit their technology estate as it is, whether that’s looking for supplier or employee risks.
“This underscores the need for mandatory auditing and reporting requirements for trusts to the centre and I could see this being part of a future evolution of the Data Security and Protection Toolkit (DSPT).”
