Info Gov

Cambridge University Hospitals NHS Foundation Trust has referred itself to the Information Commissioner's Office after up to 40 members of staff accessed the medical records of a three-year-old boy treated at Addenbrooke's Hospital following a crocodile attack.

The boy, from Cambridgeshire, was seriously injured while in the crocodile enclosure at Johnsons of Old Hurst near Huntingdon on 18 June, with police called to the scene at 13:34 BST after he was pulled out by zoo staff; a 30-year-old man from Norfolk was subsequently arrested on suspicion of attempted murder and later bailed. The boy was taken to Addenbrooke's Hospital in Cambridge and, having initially sustained serious injuries, was confirmed by police on Monday to be "no longer critical" and in a stable condition.

A CUH spokesperson told InfoGov: "We have strict policies in place to safeguard patient data and we take any breach extremely seriously," adding that "we know the vast majority of our 13,000 staff understand the fundamental importance of maintaining patient confidentiality and uphold the highest professional standards."

The Trust said it is exploring whether there were legitimate reasons for the records to be accessed, with the spokesperson confirming that "where any member of staff is found to have accessed patient records without legitimate clinical or operational reasons we take robust disciplinary action, including dismissal," and that "as part of our response to any breach, we notify both the ICO and apologise to patients and their families affected."

The Trust operates an established process for restricting patient records where there is significant public interest, requiring anyone accessing a flagged file to input a valid care reason, and confirmed this restriction had been applied to the boy's record; it did not, however, prevent the reported access by around 40 individuals, and CUH has said there may have been valid reasons for some of this access but that the matter needs to be investigated. The Trust has notified both the ICO and the patient's family as part of the Duty of Candour process.

Under UK GDPR and the Data Protection Act 2018, accessing patient records without a legitimate clinical or operational purpose constitutes unlawful processing of special category health data, and unauthorised access can itself amount to a criminal offence under section 170 of the DPA 2018 regardless of whether the data is further disclosed.

The case emerged just days after the ICO warned health trusts to take proactive steps to prevent breaches before they occurthe ICO warned health trusts to take proactive steps to prevent breaches before they occur, rather than manage the consequences after the fact. In May, Nottingham University Hospitals NHS Trust dismissed 11 staff members for inappropriately accessing the medical records of the Nottingham attack victims.

Also in this section

Jul 13, 2026

ICO refreshes law enforcement subject access guidance following DUAA 2025

The Information Commissioner's Office has updated its detailed guidance on the right of access under part 3 of the Data Protection Act 2018, incorporating the changes made by the Data (Use and Access) Act 2025 to how competent authorities handle subject access requests for law enforcement processing.
Jul 07, 2026

Section 166 application dismissed after ICO opens fresh investigations into school, council and diocese data sharing

The First-tier Tribunal (General Regulatory Chamber) has dismissed an application under section 166(2) of the Data Protection Act 2018 against the Information Commissioner, despite finding that the regulator's original response to a school employee's data sharing complaint was not an outcome to the Applicant's complaints, because a series of further investigations and outcome letters issued after…
Jun 24, 2026

ICO EdTech audit finds widespread compliance failures in children's data handling

A programme of consensual audits carried out by the Information Commissioner's Office has identified systemic data protection failings across the UK education technology sector, with nearly 70 per cent of providers found to be acting as controllers over children's personal data without recognising or fulfilling that role.

InfoGov Masthead Newsletter 800