Publish date: 5 May 2026

Following recent media coverage concerning the inappropriate access of patient records within the NHS, we would like to take this opportunity to remind all staff of their responsibilities under NHS confidentiality and information governance requirements. Patient records must only be accessed on a strict need‑to‑know basis and only where there is a legitimate relationship for the direct care of a patient or service user, or another clear, lawful work‑related purpose. This is in accordance with the Caldicott Principles, the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act 2018.

Accessing patient records without a legitimate, work‑related justification (including accessing records out of curiosity, personal interest, or for reasons unrelated to an individual’s role) constitutes a serious breach of confidentiality and trust. Such breaches may result in formal disciplinary action, up to and including termination of employment, and may also lead to regulatory or legal consequences.

All staff are reminded that access to patient information is monitored and that they are personally accountable for ensuring their access to records is appropriate, proportionate, and lawful at all times.