Stopping unlawful access to records guidance for health and care professionals
This guidance explains what unlawful access to records is and what organisations can do to keep information safe and check who is accessing health and care records.
Accessing patient records out of curiosity or for personal reasons is illegal. It causes real harm to patients and could end your career. Everyone working in health and care has a professional and legal responsibility to protect people’s confidential information. This includes accessing patient records only where there is a clear and legitimate reason and doing so in a way that respects patients’ dignity and trust.
Accessing records for any reason other than work purposes is both unethical and illegal. If you intentionally access people’s health and care records without an appropriate and approved work reason, you may be committing a criminal offence under the Data Protection Act 2018 and Computer Misuse Act 1990. It is also a serious breach of your employment contract and could result in disciplinary action, including dismissal. It could also result in a referral to your professional regulator and could end your career.
If you are found to have accessed a patient’s record without a lawful reason for doing so, that conduct may be reported by your employer to the Information Commissioner’s Office (ICO) and Police, both of whom have the power to pursue a criminal prosecution.
If, when performing your role, you access a record by mistake, that will not amount to unlawful access. For example, you might open the record of a person with the same name as the person you are treating. However, you should report this to your organisation as soon as possible so they can make sure their controls are working properly.
Types of unlawful access
There are different types of unlawful access. The following examples highlight some of the different cases of unlawful access.
Intent to unlawfully access
This is when a person purposely tries to look at a record they are not allowed to see but the system stops them, for example by blocking their access.
These might be identified by checking records of searches or using systems that trigger alerts.
Personal or professional curiosity
This is when someone views a record out of curiosity and not because they need to for their job.
This may involve accessing the records of:
- friends, family or colleagues
- individuals of local or national media interest
- patients or service users you have seen in the past, when you do not have a valid reason to do so
Personal or professional curiosity is never a legitimate excuse for accessing a patient’s record. Whilst you may not have a malicious intent, such actions are a severe breach of confidentiality, privacy and trust and will often cause significant distress for the impacted patient.
An example involved a nurse accessing records of people he knew. This included a friend’s record to check blood test results. The nurse stated he was worried about his friend’s health and wanted to check which tests were being done. This is not a valid work reason, it was unacceptable and unlawful and it caused the patient considerable distress.
Unlawful access for personal use
This occurs when someone uses their access to health and care records for a personal reason which is not part of their job.
A common example is when staff members access their own records to check their notes or test results. This can also include accessing the records of friends or family with their permission, for example because they want your opinion on their care.
Even if the records are your own or you have permission from the person whose records they are, this is still unlawful, because you do not have a legitimate professional reason to access the record. You may see information that would not otherwise be disclosed to you or the person whose record it is, including information that may cause you harm, or which is about another person and which is confidential. This is considered a breach of confidence, trust and abuse of access.
You can access your own records legitimately through online patient access services and the NHS App. When you view your information through these services, that has been approved by a clinician who is responsible for treating you and has decided that this information is appropriate to disclose. This protects you and the privacy of other people.
Unlawful access with malicious intent
In some cases, unlawful access can involve malicious intent, such as intent to cause harm. This could include stalking, harassment or causing distress to individuals.
An example of a case involved a health worker accessing the records of her ex-partner's family. She used updated contact details to make nuisance phone calls to her ex-partner’s family.
Unlawful access for incompatible purposes
Unlawful access may also occur when someone is allowed to access an individual’s record for one reason (for example, to provide care) but then uses it for a different work task that they are not allowed to use it for.
In one case, a healthcare professional accessed a patient’s record during a telephone triage call to provide care. Later, when the patient made a complaint, the same healthcare professional went back into the record to collect information to support their defence.
While health records may be required to be used by organisations in the event of a complaint, this should be done through approved channels and people approved to access the record for the purpose of investigating complaints.
The access by the healthcare professional was not aligned with their role or reason for having access to the record.
'Professional, but incompatible' access may also occur where staff have multiple roles within an organisation.
If you hold more than one role in an organisation, you must only use your access under the role and purpose that your organisation has approved. You should not use direct care access routes to support non-direct care activities, for example, complaints management, legal defence, HR or disciplinary activity. Your organisation should have specific processes and routes for accessing records for these purposes. If you need to use records for a new purpose, you should always check this with your organisation first.
Consequences of unlawfully accessing records
Unlawful access can have a significant impact on individuals and cause harm. People trust health and care providers to keep their information safe. If trust is broken, people might hold back important information. These breaches can affect people's health, personal life and work.
Breaches of confidentiality can leave people feeling deeply distressed, reluctant to use health and care services and prevent them from disclosing information that may help them receive better care.
Accessing records unlawfully could lead to dismissal from your employment for gross misconduct and you being reported to professional regulators, the ICO and the Police. It could end your career.
Accessing patient records out of curiosity or for personal reasons is illegal and a criminal offence. People who do this have been prosecuted by the Police and the ICO under the Data Protection Act 2018 and the Computer Misuse Act 1990. Committing such offences can result in fines and prison sentences. You will also have a criminal record.
There have been a number of cases reported in the media which highlight the potential for legal and disciplinary action following unlawful access to records in health and care:
11 NHS staff fired for accessing records of attack victims.
Nurse fined for accessing hospital records.
Employee illegally accesses medical records.
GP secretary fined for reading medical records.
NHS secretary fined for illegally accessing medical records.
Monitoring access to records
Electronic health and care record systems keep a log of who has searched and accessed which record. Audits of access are routinely carried out. Access that seems unusual or has no clear reason will be investigated and dealt with in line with your organisation’s procedures.
Individuals can request information about who has accessed and contributed to their health record by making a subject access request (SAR). This means they can review who has accessed their own record and report anything unfamiliar to the organisation for investigation.
For further information on monitoring, please see the section for IG professionals.
Reporting unlawful access
If you think someone has looked at a record when they shouldn’t have, you must report this straight away in line with your organisation’s data breach reporting procedures. Unlawful access can in some cases be part of wider criminal behaviour. It also damages trust in health and care services and in some cases, can cause harm to the patient or service user.
If you have concerns about someone unlawfully accessing records or are not sure how to report this, you can speak to your line manager, Data Protection Officer, information governance (IG), Caldicott Guardian, safeguarding lead or a Freedom to Speak Up (FTSU) guardian.
Last edited: 8 July 2026 4:16 pm