Stopping unlawful access to records guidance for IG professionals
This guidance explains what unlawful access to records is and what organisations can do to keep information safe and check who is accessing health and care records.
Preventing, monitoring and ensuring appropriate repercussions for unlawful access to records is an organisation-wide responsibility. While information governance (IG) professionals provide advice, oversight and assurance, other business areas also play a critical role.
Addressing unlawful access issues requires input and commitment from all areas of an organisation:
- The Board and senior leadership must set the tone and ensure accountability
- Line managers support appropriate access and must act on concerns
- HR should advise on any disciplinary processes
- The Data Protection Officer (DPO) and communications team should work with others to promote a culture of awareness and compliance
- IT and technical teams also have a role to play in advising on and establishing appropriate access and audit controls, which includes appropriate audit records and access analytics being made available and monitored
This section is intended to advise on what IG professionals need to consider to prevent and monitor unlawful access and does not cover other areas’ responsibilities in detail.
Relevant laws and standards
IG professionals should be aware of the key legal and professional frameworks that underpin the prevention and monitoring of unlawful access to records. These include:
- UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018: includes particular requirements relating to lawful processing, security, accountability and criminal offences for unlawful obtaining of personal data
- Computer Misuse Act 1990: which includes criminal offences for unauthorised access to computer systems, which may apply in cases of unlawful access
- Common Law Duty of Confidentiality: requiring that confidential patient information is only accessed and used where there is a valid legal basis such as consent
- Caldicott Principles: defining how confidential information should be used and accessed, including ensuring access is justified, necessary and proportionate
- Professional and organisational standards: including NHS codes of conduct, employment contracts, and professional regulatory requirements, for example from the General Medical Council and the Nursing and Midwifery Council
Preventing unlawful access
Culture, awareness and training
Culture and awareness play a key role in preventing unlawful access to records. The Board and Executive play a significant role in setting risk tolerance and establishing a compliance culture. If staff believe that records access is not monitored, or that unlawful access has no consequences, this can make unlawful access attempts more likely. Training, changing culture and raising awareness is likely to be a multi-team responsibility, requiring input from the Board, senior leadership, the DPO, communications, HR and learning and development teams.
DPOs have a statutory responsibility to advise organisations and employees about obligations to comply with UK GDPR and other data protection laws, as well as raise awareness of data protection issues and train staff. IG professionals therefore should work with relevant colleagues and lead and support initiatives to raise awareness and improve culture.
Under Article 39 of the UK GDPR, the DPO is required to monitor compliance and provide assurance on data protection practices. To fulfil this role, the DPO may require proportionate access to relevant information, including any investigation materials, to assess whether processes are robust, compliant, and effective.
To increase awareness and build a strong culture of confidentiality, you should consider:
- working with the Board, Executive and communications colleagues to increase communications and awareness about unlawful access. This should include providing information about monitoring activities, investigations and consequences of unlawful access, both within your organisation and more widely (for example by sharing Information Commissioner’s Office (ICO) enforcement details)
- sending regular reminders about appropriate access and monitoring controls through team meetings, intranet updates and leadership messages, especially during high profile incidents
- being clear in all communications that unlawfully accessing records is illegal
- working with other relevant business areas, such as HR, to provide clear guidance on what does and does not count as unlawful access and the potential disciplinary and legal consequences of unlawful access to records
- working with relevant leaders, system experts and learning and development teams to implement extra training for high-risk roles, such as staff with privileged or administrative system access or those who handle particularly sensitive data
- celebrating positive behaviour by recognising teams that show good practice in keeping information safe, working with communications, HR and using senior leaders to strengthen messaging
- encouraging incident reporting by regularly sharing details of data breach reporting procedures, including how to report concerns anonymously
The Data Security and Protection Toolkit (DSPT) requires organisations to ensure staff are appropriately trained and promote a strong culture of information assurance. This is reflected in principle B6 for large health and care organisations, and in assertions 1.1.5 and 3.2.1 for small to medium health and care organisations.
NHS England Data Security Awareness training can help meet your training requirement and support staff to understand how they should keep information safe. For social care organisations the Digital Care Hub (DCH) e-learning on data security and protection can be used to satisfy this requirement.
It is important to keep records of training and testing results in order to evidence that staff have been appropriately trained on these matters.
Communications campaign materials
Organisations therefore also need to supplement basic training with other relevant training and awareness. NHS England has produced some communications materials that can be used as part of a communications campaign to raise awareness of unlawful access and its consequences. You are encouraged to use these to run campaigns and raise awareness and you can access this material on the Department of Health and Social Care website.
Policies
To support staff to access records appropriately, you must have clear policies in place. This is an organisational responsibility requiring input from senior leadership, HR, security and IT teams. The policies should explain:
- what staff and teams are responsible for
- what is allowed and what isn’t allowed when accessing electronic health records
- how access to electronic health records is checked and monitored
- how to report concerns and incidents
- how investigations are carried out
- what happens if the rules are not followed
Your policy should link staff to other relevant documents, such as your HR, counter fraud and safeguarding policies and breach reporting procedures.
Make sure the policy is shared with all staff who can access electronic health records (see the section on Culture, awareness and training).
Policies are also an important part of DSPT compliance. For large health and care organisations, policies are required under principle B1 and help show information is used lawfully and appropriately under principle E3. For small to medium health and care organisations, they are required under assertions 1.3.1 and 1.3.2.
For social care organisations the Digital Care Hub has produced a number of template policies that may help you with this task.
Staff contracts
Staff employment contracts must clearly explain that employees must protect information and keep it secure. The NHS terms and conditions of service handbook outlines the following in the ‘Governance, confidentiality, data protection’ section:
35.46 All employees must comply with the UK General Data Protection Regulation (UK GDPR), informed by the Data Protection Act 2018.
Your organisation may use this wording, or similar wording in staff contracts to make this expectation clear. Any breach of the employment contract should be investigated and appropriate disciplinary action taken, in line with your organisation’s HR processes.
For social care organisations, the Digital Care Hub has produced a template staff data security clause for contracts that can be used.
Technical controls
It is important to have the right technical controls in place. This will help to stop people accessing a record when they shouldn’t and can also discourage it where blocking access is not possible or practical.
The right controls will depend on how the system is used. Each control should protect people’s information without stopping staff from doing their jobs. Implementing these controls is likely to be led by the appropriate security and IT departments and colleagues working with systems day-to-day, in order to ensure that controls work within your setting. IG professionals may be asked to support this work by advising on possible appropriate controls based on risk and completing the relevant assessments, such as data protection impact assessments (DPIAs).
Examples of technical controls that can help to prevent unlawful access include:
Role based access controls: these are usually managed by system administrators. This involves limiting staff access so they can only see records they need for their role. Access should be kept up to date so staff can access the records they need to do their job, and access is removed when it is no longer needed and when people leave the organisation.
Multi-factor authentication: this requires staff to prove who they are with at least 2 details (such as passwords, device details or biometrics) before they can access information. This helps prevent unauthorised users getting into systems. For more information see NHS England’s multi-factor authentication policy.
Separating sensitive data: this involves holding particularly sensitive data (for example, safeguarding, sexual health data) on separate systems with extra access restrictions.
Break-glass controls: extra checks are used when someone tries to access a very sensitive record or a record they would not usually access (for example, where someone tries to access the record of someone not under their team's care). Common examples include a pop-up asking the user to select or enter a reason for access to 'break the glass'. This discourages misuse and supports monitoring.
Data masking or redaction: it may be possible to redact or hide certain information within a record unless a user has the right level of access. This helps protect sensitive information when records are shared across different teams, as not all information is relevant for everyone.
Single sign on (SSO): this allows staff to log in once using a single set of credentials (such as a username and password or smartcard) and then access multiple systems without needing to sign in again. This can reduce risky behaviours such as password sharing or reuse, and allows organisations to centrally manage and monitor access across systems.
Responsibility for audit procedures
You should make sure that someone within your organisation is responsible for developing and setting standards on audit procedures. This may be your Senior Information Risk Officer (SIRO), Chief Information Officer (CIO), Caldicott Guardian, DPO, IG lead or equivalent, in partnership with safeguarding leads and heads of profession. IT and security colleagues should support this work.
How often you audit and the method of audit should be based on the level of risk. It may be appropriate to assign responsibility to the Information Asset Owner (IAO) for the system to ensure the right level of monitoring is in place and applied. Overall auditing controls can be overseen by the DPO, SIRO and Caldicott Guardian.
Auditing and monitoring activities could be undertaken by team managers, system managers and administrators, IAOs, security or IG teams. However, staff who work closely with a team are often best placed to identify unusual activity.
In shared care, integrated record or API-enabled environments, audit information may be held across more than one system or organisation. Organisations should understand where relevant audit logs are held, who can access them, how they can be requested, and how cross-organisation investigations will be coordinated. This should be documented in local procedures, data sharing arrangements or system operating models where relevant.
Monitoring unlawful access
Routine manual audits of patient record access
Electronic patient records (EPRs) must show who has accessed health and care records. If your organisation does not have an automatic monitoring system, you should have a process in place for manually checking access reports at regular intervals.
Manual audits can be difficult because of the number of records that are accessed in health and care organisations daily. Therefore, a risk-based approach to manual auditing will be required. This means focusing on higher-risk records or common warning signs that might suggest unlawful access (see the Flags for monitoring section for more information).
You may be able to design audit reporting practices which look specifically at higher risk records or those most likely to indicate unlawful access. For example, this could involve running a report on who has accessed clinical systems and comparing this with a report of records which have been long term inactive.
Organisations should have clear procedures for routine manual audits of the different health records their staff have access to including:
- how often audits are carried out
- how audit reports are reviewed and which activity should be prioritised
- who is responsible for carrying out audits
- how concerns about unlawful access are escalated and investigated
- how investigations will be managed and resourced
Reactive monitoring following complaints
Audit logs should be checked and investigated when complaints or concerns are raised by patients, service users or staff members.
If someone thinks a member of staff has accessed health records unlawfully or may not have followed confidentiality rules, this must be reported as a potential data breach in accordance with breach reporting procedures and investigated to confirm whether unlawful access has taken place.
User level monitoring
User level monitoring means checking the records accessed by a particular staff member on a particular electronic record system.
This may be carried out when there are concerns about a staff member’s access patterns. It can include spot checks on their activity to identify unusual patterns, such as accessing records outside of working hours or viewing inactive records.
Accessing health and care records is part of a staff member’s role, and there should be no expectation that this activity is private. Organisational policies should clearly explain that access to record systems is monitored in this way.
Patient and service user level monitoring
Patient and service user level monitoring means checking who has accessed the record of a specific individual.
This may be carried out where there is particular interest in the individual or a connection to the organisation. For example, individuals of local or national media interest may attract curiosity from staff and may therefore be at higher risk of having their record unlawfully accessed. Similarly, staff members receiving treatment within the organisation may be more likely to have their records accessed by colleagues.
Patient and service user level monitoring may also be used where an individual raises a concern about who has accessed their record.
Investigation of security alerts: break glass or overrides of privacy controls
Some records have extra security controls such as 'break glass' alerts or other additional privacy controls, as they may be more sensitive or need a higher level of security. When these alerts are triggered or the privacy controls are overridden, organisations should review the access to ensure it was appropriate. Regularly reviewing these cases can help identify unlawful access and encourage staff to be cautious when accessing sensitive records.
Live monitoring
Some EPR systems can use ‘live monitoring’ to check access as it happens and create alerts for certain types of activity. Setting up some alerts may require additional administrative resource and integration with other systems. Organisations should take a risk-based approach when deciding which controls are appropriate and involve senior decision-makers where needed.
Below are potential flags that may be used for live monitoring.
Flags for monitoring
The following are examples of record access activities that may suggest unlawful access and can in some cases be used for live monitoring.
A staff member has accessed:
- their own record (or a record with the same name as them)
- the record of someone who has died
- a historic or long term inactive record (older than one year)
- multiple records with the same surname
- the record of a colleague
- the record of a person related to them
- the record of a person who lives close to them
- the record of a person who is well known locally or nationally
- an unusually high number of records in a given time period (according to usual use patterns)
And:
- a staff member who has no child-specific role has accessed children's records
- a specific patient record has been accessed an unusually high number of times in a given time period (according to usual use patterns)
Roles and responsibilities in investigating unlawful access
Where unlawful access is suspected or identified, organisations should have clear processes in place to investigate and respond. Responsibility for these processes will usually be shared across multiple teams.
Leadership, for example, the Executive or Board, should:
- ensure that the processes are in place to investigate and respond to unlawful access
- champion the importance of ensuring that patient data is not unlawfully accessed
- ensure the organisation has a clear and consistent position on the potential consequences for staff in relation to any unlawful access to records
IG professionals and DPOs should:
- provide advice on data protection law, confidentiality, appropriate use of records and when use is unlawful
- support the assessment of whether unlawful access has occurred and advise on reporting, including regulatory requirements (for example, to the ICO where applicable)
- ensure that the appropriate incident response takes place where unlawful access to records constitutes a personal data breach. This may include ensuring that impacted individuals are notified
Line managers and operational leaders should:
- manage staff conduct and determine appropriate local action in line with organisational policies
- lead on disciplinary processes
HR should:
- advise on disciplinary processes and ensure that investigations and outcomes follow relevant policies, including referrals to professional regulators in relation to breaches of professional standards where applicable
- engage IG teams and DPOs in investigations to ensure that appropriate oversight and advice is provided at all times
Technical, digital or system teams should:
- support investigations by providing audit data, system access logs and technical insight into how records have been accessed
Caldicott Guardians and SIROs should:
- provide senior oversight and assurance that confidentiality and information risk is being managed appropriately
Legal should:
- advise on the criminal components relating to unlawful record access, for example, breaches of the Computer Misuse Act 1990 and appropriate action, including reporting the incident to the Police, in collaboration with HR colleagues
IG professionals should work collaboratively with these teams and individuals to ensure that investigations are informed by legal, technical and organisational considerations, and that responses are consistent and aligned with organisational policies.
Last edited: 8 July 2026 4:17 pm