Unauthorised Viewing of Medical Records Constitutes a Data Breach

Reading Time: 2 minutes


Shantanu Kulkarni | Data Protection Advisor

Date: 22 April 2024

The UK’s Information Commissioner’s Office (ICO) recently issued a statement pertaining to a question raised regarding viewing medical records without the consent of the person to whom the records belong. The ICO’s statement does not explicitly provide details about the origins of this query, however, certain news reports do indicate it to be connected to the Princess of Wales. 

In its statement the ICO clearly stated that the situation described in the question will result in a data breach. As a consequence the person viewing the records without consent/ permission may be exposed to a criminal proceeding.  

The ICO strongly emphasised the responsibility of organisations to ensure such incidents or breaches where sensitive medical information is involved, should be reported within the statutory timeline of 72 hours.   

To provide instances where the ICO initiated investigation proceedings resulting in fines, the ICO provided the following case studies/ examples: 

  • An NHS employee, fined for accessing medical records belonging to more than 156 data subjects without an appropriate cause, lawful basis or business need. Resultantly the employee was directed to pay a fine of £648.
  • A hospital (NHS Fife) was directed to improve data protection when an unauthorised individual was able to gain physical access to a restricted ward and view data belonging to 14 patients. This investigation resulted in NHS Fife being directed to implement specific technical and organisational measures by June 2024. 

In its statement the ICO has linked its guide on reporting a data breach. Similarly, for organisations located in Ireland, the Data Protection Commission has issued a guide on handling a data breach. To report a data breach to the ICO or the DPC, organisations can visit the dedicated webpages of the regulators to complete notification forms.  

To ensure that an organisation appropriately deals with data breaches or incidents we recommend implementation of the following steps: 

  1. Provide regular department or team specific training pertaining to common incidents or breaches that may likely occur and how to engage with the organisation when an incident has been caused or identified.  
  2. Develop a data protection by design culture that is built on a no blame approach firmly based on transparency as a core value. 
  3. Draft and implement a breach or incident response plan and policy.  
  4. Simulate breach situations to assess response times and actions taken by staff members. 
  5. Maintain a log of incidents and breaches that have occurred in the organisation. 
  6. In case of high risk situations, report incidents and breaches within 72 hours notwithstanding the completion of investigations. 
  7. Cooperate with the supervisory authority to ensure implementation of recommended mitigation measures. 


The ICO’s statement on the query submitted is a good reminder for all organisations to ensure confidentiality and security of personal data, especially when special category data is involved. It also indicates that organisations must have necessary technical and organisational measures such as access controls to ensure permissions to view the data are fit for purpose, based on business need. The ICO also reminded organisations of their obligation to report data breaches that affect the rights and freedoms of data subjects within 72 hours of discovery.  

Organisations can contact Trilateral’s experts to experience the STRIAD AI Assurance platform which simplifies the assessment and reporting process for incidents and data breaches and enables organisations to attain a high standard of compliance.  For more information, please contact our advisors to discuss your requirements. Our team would be happy to help. 

Related posts

AI is rapidly transforming industries. Take for example the legal field, which is traditionally conservative in relation to technology. More…

Let's discuss your career