22/05/2026

This week’s reports that multiple NHS staff were dismissed or disciplined for unlawfully accessing the medical records of victims of the Nottingham attacks have shocked many people.
From a data protection perspective, they should also serve as a serious warning to every organisation handling sensitive personal data.
According to reports, Nottingham University Hospitals NHS Trust dismissed 11 staff members and issued written warnings to 14 others following investigations into inappropriate access to patient records connected to the 2023 attacks. It also appears that the full extent of staff access to the records may not yet be known. The families involved have also questioned whether the number of staff said to have had “legitimate” access was itself far too high.
Cases like this cut through the common misconception that data protection breaches are mainly about hackers, ransomware or cyber attacks.
Very often, the greatest risk comes from inside the organisation.
“Just looking” is still unlawful
One of the most persistent myths in workplaces is the idea that if an employee technically can access information, then accessing it is somehow acceptable.
It is not.
Under UK GDPR and the Data Protection Act 2018, personal data must only be accessed where there is a clear and lawful business need to do so. Accessing records out of curiosity, personal interest, gossip, or because a case is high-profile is unlawful processing of personal data.
Healthcare records attract particularly high levels of legal protection because they contain some of the most sensitive and personal information imaginable.
The fact somebody works for an organisation does not give them unrestricted entitlement to browse confidential records.
“Need to know” is not simply a workplace phrase. It is a core data protection principle.
The harm is not theoretical
What makes incidents like this particularly serious is that the damage is not merely technical or administrative.
Families grieving unimaginable loss are forced to confront the possibility that deeply personal medical information may have become the subject of workplace curiosity.
That creates a secondary harm which organisations often underestimate.
Public trust in healthcare, councils, policing, and other public services depends upon people believing their information will be treated with dignity and restraint. Once that trust is damaged, rebuilding it is extremely difficult.
People disclose intensely personal information because they believe it is necessary for their care, protection or public service delivery, not because they expect it to become a topic of internal interest.
Policies alone are not enough
Most organisations already have confidentiality clauses, mandatory training and records access policies.
Yet incidents like this still happen.
Why?
Because insider misuse is often a culture and governance issue as much as a policy issue.
Effective compliance requires more than uploading an e-learning module once a year. Organisations handling sensitive data should have:
- role-based access controls;
- strong audit logging and monitoring;
- clear confidentiality expectations;
- proactive investigations into suspicious access;
- meaningful disciplinary consequences;
- leadership messages reinforcing professional boundaries.
Critically, staff must understand that “I was only looking” is not a defence.
Audit trails matter
One important lesson from this case is the importance of system monitoring and audit capability.
Modern systems frequently record:
- who accessed records;
- when they accessed them;
- what they viewed;
- and sometimes how long they remained within files.
Without those audit capabilities, organisations would struggle to detect inappropriate access at all.
The fact this conduct was identified and investigated demonstrates why monitoring mechanisms are essential safeguards rather than optional extras.
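The audit fields listed above are only useful if someone actually runs checks over them. The following is an added illustration, not code from the original post or from any NHS system: it reads constructed audit lines (who, when, what) and applies two of the checks a records-access monitor would run, comparing each access against a constructed care-team relationship table and counting how many flagged records each staff member has opened. The field layout, the CARE_TEAM table and the FLAGGED set are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample audit lines (not real data): timestamp staff_id role patient_id action
AUDIT_LOG = """\
2023-06-14T09:02:11 s101 nurse  p9001 view
2023-06-14T09:05:40 s205 clerk  p9001 view
2023-06-14T09:06:02 s205 clerk  p9002 view
2023-06-14T09:07:15 s205 clerk  p9003 view
2023-06-14T10:11:00 s330 doctor p9002 view
2023-06-14T12:45:09 s412 porter p9001 view
2023-06-15T08:30:00 s101 nurse  p9001 view
"""

# Constructed "legitimate relationship" data: staff with a current episode of care for
# each patient. In a real system this would come from the patient administration system.
CARE_TEAM = {"p9001": {"s101"}, "p9002": {"s330"}, "p9003": set()}

# Constructed set of records placed under heightened monitoring (e.g. a high-profile case).
FLAGGED = {"p9001", "p9002", "p9003"}


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "staff": staff,
                       "role": role, "patient": patient, "action": action})
    return events


def find_suspicious(events, care_team=CARE_TEAM, flagged=FLAGGED, burst_threshold=3):
    """Two checks a records-access monitor would run over the audit trail.
    1. Each access is compared with the care-team data: staff with no documented
       relationship to the patient are reported for investigation.
    2. Accesses to flagged records are counted per staff member; anyone reaching
       burst_threshold distinct flagged records is reported as a possible browsing pattern.
    Returns (no_relationship, bursts).
    """
    no_relationship = []
    flagged_seen = {}
    for e in events:
        if e["staff"] not in care_team.get(e["patient"], set()):
            no_relationship.append((e["ts"].isoformat(), e["staff"], e["patient"]))
        if e["patient"] in flagged:
            flagged_seen.setdefault(e["staff"], set()).add(e["patient"])
    bursts = {s: len(p) for s, p in flagged_seen.items() if len(p) >= burst_threshold}
    return no_relationship, bursts
```

On the sample data the clerk s205 is reported on both checks and the porter s412 on the first; the nurse and doctor with a documented care relationship generate nothing, which is the point of tying the audit trail to a source of legitimate need.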
This is bigger than the NHS
Although this case relates to healthcare records, the underlying issue applies across all sectors.
Councils, schools, housing providers, HR teams, police forces and private companies all hold sensitive personal information which employees may be tempted to access inappropriately.
High-profile incidents, internal investigations, neighbour disputes, employee records and local gossip can all create risks where professional boundaries begin to erode.
That is precisely why confidentiality obligations exist.
Data protection is not just paperwork; it is human rights in practice
Data protection is often dismissed as bureaucracy, training modules, policy documents or, my own pet hate, “just another tick-box exercise”.
In reality, its foundations are much more important than that.
At its core, data protection is about dignity, autonomy, confidentiality and trust. It is about recognising that personal information belongs to real people whose lives, health, relationships and vulnerabilities sit behind the records organisations hold.
The public must be able to trust that organisations, and the people working within them, will handle personal information lawfully, professionally and with restraint.
When that trust is breached, particularly in circumstances involving tragedy or vulnerability, the consequences are not merely regulatory. They are deeply human.
This week’s Nottingham case is therefore not simply an NHS disciplinary matter.
It is a reminder to every organisation that access to personal data is a responsibility, not a privilege.
If your organisation needs support with data protection governance, staff training, DPIAs, breach management or wider information governance compliance, please contact JH Data Protection Ltd at dpo@jhdataprotection.com.
Data protection is not about ticking boxes. It is about protecting people as well as your business.