Combating illegitimate access to patient medical records
Published: 22/06/2026 | ICO
A blog article by Paul Arnold MBE, Chief Executive Officer at the Information Commissioner's Office (ICO), discusses how unauthorised access to medical records jeopardises patient trust. While inappropriate access remains rare, recent high-profile incidents in Nottingham, Southport and London indicate a worrying trend that demands a serious response from the healthcare sector.
Arnold attributes this issue primarily to a cultural challenge. When local incidents become national news, healthcare staff may feel tempted to view records without a legitimate reason. Although staff require fast access to systems for patient care, the ability to view a record does not constitute a legitimate need. Knowingly or recklessly accessing personal data without authorisation is illegal and carries consequences such as disciplinary action, loss of professional accreditation, and prosecution, in addition to any lasting harm it may cause the patient.
To combat this, Arnold advises senior executives to issue quick, proactive communications that remind staff of their confidentiality responsibilities during public-interest events. Organisations should also provide role-specific data protection training, implement technical controls such as access restrictions and audit logging, and cultivate a culture of accountability in which data protection is treated as integral to patient safety.