GP practice staff snooping on patient records could face jail time, NHS England warns
GP practice staff and other NHS employees who access patient records out of ‘curiosity’ face dismissal or even prison time, NHS England has said.
Chief executive Sir Jim Mackey said in a letter that accessing records was ‘wholly unacceptable’ and ‘a disgraceful breach of patient trust’.
The letter was accompanied by new guidance which includes to staff across NHS, including GPs and their staff.
It comes after a series of reports of NHS staff being reprimanded or dismissed after inappropriately accessing health records of the victims of high-profile incidents.
Sir Jim also said the ‘damage caused to public trust’ by these incidents threatened the development of the Single Patient Record, which will compel GPs to share patient data with it.
The guidance highlights Pulse’s coverage of a 2017 case where a trainee medical secretary working in a GP practice who was fined for reading patients’ medical records for reasons unrelated to her job role.
Sir Jim said in his letter: ‘The majority of NHS staff handle patient information responsibly and professionally every day. However, a small minority of individuals undermine the trust that patients place in them and cause unnecessary distress and harm by accessing records without legitimate reason.
‘Aside from the harm caused, these staff members risk their own careers through disciplinary action, dismissal, referral to their professional regulator, and even criminal prosecution.
‘Every time a breach occurs there is also inevitable and lasting damage caused to public trust in the NHS overall and, specifically, our ability to safeguard people’s data – something which is critical to the long-term future of the NHS as we design technology like the Single Patient Record.’
He added: ‘Anyone considering accessing records for personal reasons or out of curiosity should be in no doubt they could be putting their career at risk, and may face disciplinary action, dismissal, referral to the regulator or even time in prison.’
The guidance reminds staff that accessing records unlawfully could lead to dismissal for gross misconduct as well as being reported to the GMC, Information Commissioner’s Office (ICO) and the police.
‘People who do this have been prosecuted by the Police and the ICO under the Data Protection Act 2018 and the Computer Misuse Act 1990. Committing such offences can result in fines and prison sentences. You will also have a criminal record’, it says.
Meanwhile, the guidance for organisations states that electronic patient records must be designed to create a clear audit trail to show who has accessed health and care records.
If an organisation does not have an automatic monitoring system, ‘you should have a process in place for manually checking access reports at regular intervals’, it says.
King’s Fund chief executive Sarah Woolnough welcomed the guidance and said ‘responsible handling of patient data’ would be key to the success of the single patient record.
She said: ‘Patients must be able to trust that their most sensitive personal information will be kept private and so it’s right that the NHS is taking firm action against ‘snooping’ staff who inappropriately access medical records. Sensitive health information should only be accessed by clinicians when there is a legitimate reason for it.
‘As ministers move forward with plans for a single patient record as part of the Health Bill, this and other efforts to digitise services present a major opportunity to deliver more joined-up care and information.
‘Done well, these reforms could help people take greater control of their health and navigate services more easily. To fully realise these benefits, however, public trust must be maintained through robust privacy safeguards and the responsible handling of patient data.’
It comes as the Health Bill, which is set to include legislation to create the Single Patient Record, is currently being debated in its committee stage.
One amendment to the bill proposes preventing the establishment of the SPR ‘unless a plan to prevent inappropriate access by clinicians’ has first been published.
Some GP leaders have also said there needs to be a wider consultation to define ‘appropriate’ access before the SPR is created.
Guidance on inappropriate records access
Types of unlawful access
- Intent to unlawfully access;
- Personal or professional curiosity
‘Personal or professional curiosity is never a legitimate excuse for accessing a patient’s record. Whilst you may not have a malicious intent, such actions are a severe breach of confidentiality, privacy and trust and will often cause significant distress for the impacted patient.’;
- Unlawful access for personal use
‘A common example is when staff members access their own records to check their notes or test results. This can also include accessing the records of friends or family with their permission, for example because they want your opinion on their care.
‘Even if the records are your own or you have permission from the person whose records they are, this is still unlawful, because you do not have a legitimate professional reason to access the record.’;
- Unlawful access with malicious intent;
- Unlawful access for ‘incompatible purposes’
‘Unlawful access may also occur when someone is allowed to access an individual’s record for one reason (for example, to provide care) but then uses it for a different work task that they are not allowed to use it for.’
Consequences
‘Accessing records unlawfully could lead to dismissal from your employment for gross misconduct and you being reported to professional regulators, the ICO and the Police. It could end your career.
‘Accessing patient records out of curiosity or for personal reasons is illegal and a criminal offence. People who do this have been prosecuted by the Police and the ICO under the Data Protection Act 2018 and the Computer Misuse Act 1990. Committing such offences can result in fines and prison sentences. You will also have a criminal record.’
Reporting unlawful access
‘If you think someone has looked at a record when they shouldn’t have, you must report this straight away in line with your organisation’s data breach reporting procedures. Unlawful access can in some cases be part of wider criminal behaviour. It also damages trust in health and care services and in some cases, can cause harm to the patient or service user.
‘If you have concerns about someone unlawfully accessing records or are not sure how to report this, you can speak to your line manager, Data Protection Officer, information governance (IG), Caldicott Guardian, safeguarding lead or a Freedom to Speak Up (FTSU) guardian.’
Source: NHS England
Related Articles
READERS' COMMENTS [5]
Please note, only GPs are permitted to add comments to articles


I think someone needs to correct the lack of understanding by the NHS in general and the Chief Exec as well, as to how care is provided in GP surgeries.
The statement “‘Unlawful access may also occur when someone is allowed to access an individual’s record for one reason (for example, to provide care) but then uses it for a different work task that they are not allowed to use it for.’ ” seems to fail to understand that all ‘work tasks’ in the Practice are for the same reason (to provide care), although this may extend to follow-up and audit.
Many GP surgeries are staffed by people who have friends and family on the Panel, because they live in same rural area. Is it really unlawful for them, when receiving a phone call from a patient they happen to know, to look up the answer to the question asked? staff and patients should know they are able to ask someone else to do it instead of the one answering the phone by chance, but to insist all staff who know anyone in the area get the sack is silly.
Is it no longer considered part of medical care to check up on patient’s notes to see if results have arrived yet, or see what outcome of a treatment was and if you need to call them again? – indeed by the wording of the guidance, I am not even allowed to look up the following week the phone number of a patient I saw last week to ask them for their consent to look for their results. General Practice would not work, and cannot provide care of any quality or even at all, if we follow these guidelines strictly.
In fact, the GMC puts upon us a duty to check back in notes at times, for example to check that referrals have been acted on, safeguarding concerns have been investigated, and to provide information to the Medical Referree. This last is apparently illegal now! I wonder what Coroners will say about that when we refuse to answer ME questions and insist on an inquest – where we will refuse to answer all questions put to us, because the law says we are not allowed to look up the answers!!!
NHS England, one of the worlds worst health care management organisations, keep churning out the regulations on your remote leisurely meetings, whilst simultaneously mismanaging the entire NHS in the unbroken continuing record of failure for staff and patients which probably is the aspect most warranting jail time.
Toothless threats from a failed and soon to be extinct organisation
It’s illegal for me to check my own test results from my own Practice, but I can check my results via the NHS App etc…? Please explain.
The focus of course is on the ghouls of Hospitals and GPs, but how will accountability be regulated when any and all private providers will start to gain access to the SPR? From health coaches or DWP coaches, to crystals or nutriceutical practitioners, who and how will ‘legitimate’ reasons be established and regulated?
We don’t like to admit this but, when patients own their medical records, really nobody does.
What happened to the phasing out of (NHS ENGLAND) and The newly formed DH plus
NHSE seems to be taking a long time dying