NHS staff to face sack or prison for unlawful patient data access

NHS staff to face sack or prison for unlawful patient data access
Sir James Mackey, chief executive at NHS England (Credit: NHS England)
  • Sir Jim Mackey has warned NHS staff they could face dismissal or prison for accessing patient records without a legitimate reason
  • NHS England has issued new guidance to help organisations prevent, monitor and investigate unauthorised access to patient records
  • Cyber security expert Saif Abed says stronger auditing and enforcement are needed to tackle inappropriate access across the NHS

Sir Jim Mackey, chief executive of NHS England, has issued a stark warning to staff that they face the sack or even prison if they access patient records without a legitimate reason.

The head of the NHS today said that staff looking at medical records for personal reasons or out of curiosity was “wholly unacceptable, a disgraceful breach of patients’ trust and against the law” and would not be tolerated by the NHS.

His warning comes as the NHS launches a new campaign to remind staff what constitutes unlawful access, the potential impact on patients and what the consequences could be for their careers.

It follows several incidents of staff being dismissed after accessing the medical records of victims of high-profile crimes, including the Nottingham attacks. The medical details of a child seriously injured in a crocodile pit were also reportedly accessed by up to 40 members of staff.

Mackey said: “Patients must be able to trust that their personal information is kept confidential by the NHS – any instance of staff looking at records without a valid reason is wholly unacceptable, a disgraceful breach of patients’ trust and against the law.

“While the majority of NHS staff handle patient information responsibly and professionally every day, it’s been incredibly worrying that a small number have chosen to undermine the trust that patients place in them and caused such additional distress for families who deserved so much better from us.

“Anyone considering accessing records for personal reasons or out of curiosity should be in no doubt they could be putting their career at risk, and may face disciplinary action, dismissal, referral to the regulator or even time in prison.

“We will not tolerate a culture of curiosity when it comes to patient confidentiality – there is no place in the NHS for those who misuse patient information and together we will take firm action to prevent and monitor unlawful access, and to act decisively when that occurs.”

NHS England has published new guidance for all NHS organisations on preventing and monitoring unauthorised access as well as their responsibilities in investigating and reporting it.

The guidance sets out the different types of unlawful access and makes clear that, where it occurs, employers may report it to the Information Commissioner’s Office (ICO) and police, both of whom have the power to pursue a criminal prosecution, as well as to professional regulators, which can end a career.

It also outlines how monitoring and regular audits can be conducted depending on the IT systems organisations have in place.

For example, some newer electronic patient record systems may be able to identify potentially inappropriate access in real time, with the capability to set up alert ‘flags’ to identify suspicious activity.

Cyber security expert Saif Abed, founding partner at the AbedGraham Group, told Digital Health News: “Although I welcome Sir Jim Mackey’s warning, I question how effective it will be.

“Enforcement actions are notoriously weak when it comes to data privacy and, more broadly, cybersecurity across the NHS.

“Furthermore, NHS trusts struggle to audit their technology estate as it is, whether that’s looking for supplier or employee risks.

“This underscores the need for mandatory auditing and reporting requirements for trusts to the centre and I could see this being part of a future evolution of the Data Security and Protection Toolkit (DSPT).”

Subscribe To Our Newsletters

Subscribe to our newsletter

Subscribe To Our Newsletter

Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related News

North East and Yorkshire trusts adopt tech for faster scan results

North East and Yorkshire trusts adopt tech for faster scan results

NHS England is expanding the rollout of Hexarad to help patients in the North East and South Yorkshire receive hospital scan results faster.
NHS backs rollout of integrated AVT as part of £10bn tech funding

NHS backs rollout of integrated AVT as part of £10bn tech funding

NHS England is rolling out AI tools across the health service, including integrated ambient voice technology, as part of £10bn tech funding.
Final speakers announced for Summer Schools 2026

Final speakers announced for Summer Schools 2026

The final round of speakers for Summer Schools 2026 has been announced, with experienced NHS digital leaders joining the line-up.