The Information Commissioner's Office has issued a direct public warning to NHS and healthcare leaders that unauthorised access to patient records is a criminal matter and not merely a disciplinary one, and that curiosity is not a lawful basis for viewing a record.
Writing in a blog post published on 22 June 2026, ICO Chief Executive Paul Arnold described the issue as primarily a "cultural failing" and called on senior healthcare leaders to take proactive steps to prevent breaches before they occur, rather than manage the consequences after the fact.
The ICO's intervention appears to be a direct response to two cases that received substantial public attention in May 2026 and which Arnold cites as evidence of a pattern rather than isolated events.
At University Hospitals of Liverpool Group, an internal access audit carried out in the days immediately following the Southport attack in July 2024 found that 48 members of staff had accessed the medical records of attack victims without a legitimate clinical reason. Among those affected was Leanne Lucas, the dance instructor who was injured in the attack and who has since spoken publicly about feeling her privacy had been invaded "when I was at my most vulnerable." The families of victims described the breach as "truly unbelievable." The trust reported the incident to the ICO in August 2024 but did not inform the patients themselves until May 2026, a delay that prompted the Care Quality Commission to investigate whether the trust had met its duty of candour obligations.
At Nottingham University Hospitals NHS Trust, investigations begun in early 2025 into the inappropriate access of records belonging to three victims of the 2023 Nottingham attacks - Ian Coates, Grace O'Malley-Kumar and Barnaby Webber - concluded in May 2026 with eleven members of staff dismissed and a further fourteen receiving disciplinary sanctions including final written warnings. Staff involved included doctors, nurses, registered professionals and administrative and clerical colleagues. Emma Webber, mother of Barnaby Webber, described the breach as "shocking" and suggested the actual number of staff who had accessed records could be as high as 150.
Referrals to the Nursing and Midwifery Council and General Medical Council are now being made in both cases, which may lead to individuals being struck off professional registers.
Arnold's blog, written in his capacity as ICO Chief Executive following John Edwards' departure as Information Commissioner, identifies the problem as principally one of organisational culture rather than technical failure and sets out what he considers the minimum expected response from healthcare organisations.
Arnold said that the ability to access a system is not the same as having a legitimate reason to do so. Knowingly or recklessly accessing personal data without authorisation is against the law, whatever the motive, and the consequences - disciplinary action, loss of professional registration and, in some cases, prosecution - are real. The relevant criminal provision is section 170 of the Data Protection Act 2018, which makes it an offence to knowingly or recklessly obtain or disclose personal data without the consent of the controller, or to retain it without that consent after obtaining it. The section provides statutory defences, for instance where the person reasonably believed they had a legal right to act or the act was justified in the public interest; curiosity is not one of them.
Drawing on evidence he gave to the Nottingham Inquiry, Arnold argued that when a local incident becomes national news, the risk of staff accessing records out of curiosity, or for more concerning reasons, increases sharply. Most healthcare staff understand and respect the distinction between access rights and access need, but a small minority do not, and organisations have a responsibility to make that distinction explicit and to reinforce it continuously.
Arnold highlighted what he described as genuinely effective practice: rapid, proactive messages from the most senior leaders in an organisation, sent at the point a serious incident occurs, clearly reminding all staff of their confidentiality obligations. He called on all healthcare organisations to make this a planned communications step in their response to high-profile incidents rather than a reaction triggered by a breach.
Arnold also called for training tailored to specific roles, making clear which records individual members of staff are authorised to access and why, supported by technical controls such as role-based access restrictions and audit logging, so that breaches can be identified and investigated when they occur. The practical corollary is that an audit log only identifies a breach if someone reviews it: the 48 accesses at Liverpool came to light because the trust examined its access records in the days after the attack, not because a control blocked the viewing at the time.
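The kind of log review that surfaces this, as an added illustration (not code from the ICO post or from any trust's tooling): it takes an EHR access audit log and a table of care-team assignments, both constructed sample data with hypothetical users, patients and timestamps, flags every opening of a watched patient's record by someone with no documented care relationship at that moment, and counts how many distinct users viewed the record before and after the incident became news.

```python
"""Proactive review of EHR access audit logs for viewing without a care need.

Added illustration, not code from the ICO post or from any trust. It assumes two
exports a typical EHR can produce: an access audit log (who opened which record,
when, in which role) and care-team assignments (which staff had a documented
reason to see which patient, and for what period). Both are constructed sample
data; every user, patient and timestamp below is hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    role: str
    patient: str


@dataclass(frozen=True)
class Assignment:
    user: str
    patient: str
    start: datetime
    end: datetime  # exclusive: the care episode has ended at this point


# Constructed: the moment a local incident became national news.
INCIDENT = datetime(2024, 7, 29, 12, 0)
REVIEW_WINDOW = timedelta(days=7)


def hours_after(h):
    return INCIDENT + timedelta(hours=h)


# Constructed assignments. "P-VICTIM" is the high-profile patient on a watchlist;
# "P-OTHER" is an unrelated patient the clerk legitimately works on.
ASSIGNMENTS = [
    Assignment("dr.amin", "P-VICTIM", hours_after(0), hours_after(72)),
    Assignment("nurse.bell", "P-VICTIM", hours_after(1), hours_after(48)),
    Assignment("clerk.dunn", "P-OTHER", hours_after(-240), hours_after(240)),
]

# Constructed audit-log entries.
LOG = [
    Access(hours_after(2), "dr.amin", "doctor", "P-VICTIM"),
    Access(hours_after(3), "nurse.bell", "nurse", "P-VICTIM"),
    Access(hours_after(5), "clerk.dunn", "clerical", "P-VICTIM"),  # no assignment
    Access(hours_after(6), "clerk.dunn", "clerical", "P-VICTIM"),  # repeat view
    Access(hours_after(7), "physio.ray", "ahp", "P-VICTIM"),       # no assignment
    Access(hours_after(80), "dr.amin", "doctor", "P-VICTIM"),      # episode ended at 72h
    Access(hours_after(-100), "clerk.dunn", "clerical", "P-OTHER"),
    Access(hours_after(4), "clerk.dunn", "clerical", "P-OTHER"),
]


def has_care_relationship(user, patient, ts, assignments):
    """True if some assignment for this user and patient covers the access time."""
    return any(a.user == user and a.patient == patient and a.start <= ts < a.end
               for a in assignments)


def unjustified_accesses(log, assignments, watchlist):
    """Opens of a watched record with no assignment covering that moment.

    Access rights are not access need: a user may be able to open the record and
    still have no documented reason to. Each hit is a lead for investigation,
    not a finding; cross-cover and on-call work may legitimately fall outside
    the assignment table.
    """
    return [a for a in log
            if a.patient in watchlist
            and not has_care_relationship(a.user, a.patient, a.ts, assignments)]


def summarise_by_user(flagged):
    """Count flagged views per user, most frequent first."""
    return dict(Counter(a.user for a in flagged).most_common())


def distinct_viewers_before_after(log, patient, incident, window):
    """Distinct users who opened the record in the window before vs after the incident.

    A jump in this number is the curiosity spike a trust should expect once a
    local event becomes national news, and it needs only the log to compute.
    """
    before = {a.user for a in log
              if a.patient == patient and incident - window <= a.ts < incident}
    after = {a.user for a in log
             if a.patient == patient and incident <= a.ts < incident + window}
    return len(before), len(after)


if __name__ == "__main__":
    flagged = unjustified_accesses(LOG, ASSIGNMENTS, {"P-VICTIM"})
    for a in flagged:
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user:<11} {a.role:<8} opened {a.patient}")
    print("per user:", summarise_by_user(flagged))
    print("distinct viewers before/after:",
          distinct_viewers_before_after(LOG, "P-VICTIM", INCIDENT, REVIEW_WINDOW))
```

On the sample data the review flags four views: two by a clerk with no relationship to the patient, one by a physiotherapist, and one by the treating doctor after the documented episode ended, which shows why the check has to be time-bounded rather than a simple "ever on the care team" lookup. The before/after count jumps from zero to four distinct viewers, which is the signal a trust can watch for at the moment it sends the senior-leader reminder Arnold recommends. Every flagged line still needs a human to ask whether there was an undocumented reason; the output is the start of an investigation, not its conclusion.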