Stopping unlawful access to records guidance for patients and service users
This guidance explains what unlawful access to records is and what organisations can do to keep information safe and check who is accessing health and care records.
When staff should access your records
Health and care staff should only look at your health or care records when they:
- are helping with your care
- need the information to do their job
- have permission for a specific reason, such as research
Unlawful access is when someone looks at your records when they do not need to for one of the above purposes.
Unlawful access may be a crime and the person responsible could lose their job.
Protections for your records
Health and care organisations must take steps to keep your records safe. They must ensure they have protections in place to stop people from looking at your records when they should not.
They may do this by:
- using secure computer systems
- keeping paper records in safe places, for example in locked rooms or filing cabinets
- keeping audit logs of who has looked at which records
- regularly checking for any access that does not look right
If you have concerns
If you are worried about who has looked at your records, you can:
- speak to the organisation giving you care
- contact the organisation’s Patient Advice and Liaison Service (PALS) or similar service
- ask to speak to the organisation’s Data Protection Officer (DPO), information governance (IG) team or Caldicott Guardian - you can usually find their contact details in the organisation's privacy notice
Last edited: 8 July 2026 4:16 pm