Most data breaches do not start with a hacker in a hoodie. Many start with a normal member of staff using a normal account to access a normal system.
That makes them harder to explain. The person may have a legitimate login. They may work in the right department. They may access the same system every day. The problem starts when they access information for the wrong reason.
This issue has returned to the headlines because of recent NHS incidents where staff looked at patient records without a clinical or operational need. The Information Commissioner's Office has warned healthcare organisations that curiosity is not an excuse and that staff can face disciplinary action, loss of professional accreditation and prosecution when they knowingly or recklessly access personal data without authorisation.
The lesson applies far beyond healthcare. It affects councils, police forces, law firms, managed service providers, manufacturers, sales teams, software developers and any business that holds personal, commercial or confidential information.
The key point is simple: being able to access data does not mean you have permission to use it for any purpose you choose.
Real-world examples
The cases below show the same pattern across healthcare, policing, commercial data, sales records and software code. In each case, access rights did not create a free right to browse, copy, retain or reuse the information.
|
Case and sector |
What happened |
Outcome and lesson |
|
Cambridge University Hospitals, Addenbrooke's Hospital NHS |
Around 40 staff faced investigation after they accessed the medical records of a three-year-old boy injured in a crocodile enclosure incident. The trust referred itself to the ICO and checked whether each staff member had a valid reason to view the record. |
The investigation remained ongoing when reported. The trust said improper access could lead to disciplinary action, including dismissal. The case shows how a high-profile incident can create a curiosity-access risk. |
|
Nottingham University Hospitals NHS Trust NHS |
Staff accessed medical records linked to victims of the 2023 Nottingham attacks without a proper work reason. |
The trust dismissed 11 staff and took action against a further 14, including written warnings. The case shows that "just looking" can end employment and trigger professional consequences. |
|
University Hospitals of Liverpool Group, Southport attack victims NHS |
An audit reportedly found that 48 staff accessed the records of Southport attack victims without good reason. |
Reports said sanctions ranged from counselling to final written warnings, with no reported dismissals. The case shows why organisations need consistent disciplinary rules for inappropriate access. |
|
Christopher O'Brien, South Warwickshire NHS Foundation Trust NHS |
O'Brien accessed the medical records of 14 patients who knew him personally, without a valid business reason. |
He pleaded guilty to unlawfully obtaining personal data under section 170 of the Data Protection Act 2018. The court ordered him to pay compensation totalling 3,000 pounds. The case shows that personal curiosity can become a criminal matter. |
|
Loretta Alborghetti, Worcestershire Acute Hospitals NHS Trust NHS |
Alborghetti accessed records of 156 patients, including family members and people local to where she lived. Reports said she viewed records more than 1,800 times over three months. |
Worcester Magistrates' Court ordered her to pay 648 pounds after she breached section 170 of the Data Protection Act 2018. The case shows the value of audit logs and review triggers. |
|
The London Clinic, former healthcare professional Private healthcare |
The ICO investigated the unlawful obtaining and disclosure of highly sensitive medical information. The ICO said the conduct involved deliberate misuse and an offer to disclose information for financial gain. |
The ICO issued a formal caution under section 170(5) of the Data Protection Act 2018. The case shows why VIP, staff, executive and other sensitive records need enhanced monitoring. |
|
Mohammed Sardar, former Metropolitan Police officer Police |
Sardar intentionally accessed police records about people he knew without any legitimate policing purpose. |
He pleaded guilty to five Computer Misuse Act 1990 charges. He received a nine-month prison sentence, suspended for two years, plus 200 hours unpaid work. The Met dismissed him without notice and placed him on the barred list. |
|
Mohammed Ejaz, Independent Office for Police Conduct Police oversight |
Ejaz sent restricted sensitive case information, including 999 call recordings linked to a death-related incident, to his private Hotmail account. |
He pleaded guilty to unlawfully obtaining personal information. The court fined him 200 pounds and ordered him to pay 2,000 pounds costs. The case shows how personal email forwarding can become a serious data loss route. |
|
Debbie Okparavero and Maliha Islam, former RAC employees Private sector |
The former RAC call-centre employees unlawfully copied and sold more than 29,500 lines of personal information relating to road traffic accident cases. RAC detected the activity after installing security monitoring software. |
Both received six-month prison sentences, suspended for 18 months, and 150 hours unpaid work. In 2026, the ICO also secured confiscation orders under POCA. The case shows that commercial misuse can lead to criminal records, suspended sentences and financial recovery action. |
|
Alexander Dore, Leaseline Vehicle Management Sales and leasing |
Shortly before resigning, Dore retained more than 3,600 pieces of customer information from his employer's database and sold them to competitor companies while claiming the data belonged to him. |
He pleaded guilty to unlawfully obtaining and selling data under section 170 of the Data Protection Act 2018. The court fined him 1,200 pounds and ordered him to pay 300 pounds costs. The case shows that CRM records and customer histories usually belong to the employer. |
|
Mark Lloyd, Acorn Waste Management Commercial services |
Lloyd emailed details of 957 clients to his personal email address as he left for a rival company. The information included contact details, purchase history and commercially sensitive information. |
He pleaded guilty under section 55 of the Data Protection Act 1998. The court fined him 300 pounds and ordered him to pay a 30 pounds victim surcharge and 405.98 pounds costs. The case shows that taking client records to a new job can create a criminal offence. |
|
Trailfinders v Travel Counsellors Travel and customer data |
Former Trailfinders employees moved to a competitor and used confidential customer information. The Court of Appeal considered the recipient company's responsibility when it received information that appeared to come from a competitor's confidential systems. |
This was a civil case, not a criminal conviction. The Court of Appeal upheld liability for breach of confidence. The case warns new employers not to accept "my old client list" without checking who owns it. |
|
PQ Systems Europe Ltd v Aughton Software and source code |
A former employee argued that software he wrote belonged to him. The High Court found that the software formed part of his employment work and that later software copied substantial parts of the employer's code. |
This was a civil case involving copyright infringement and breach of contractual confidentiality. The case shows that writing code does not automatically mean you own it when you wrote it in the course of employment. |
The problem is not always access. The problem is purpose.
Many organisations focus heavily on whether someone can access a system. That matters, but it does not answer the full question.
A receptionist may need access to patient records for appointments. A salesperson may need access to CRM data for current customers. A police officer may need access to police systems for active policing duties. A developer may need access to source code repositories to maintain a product.
None of that gives the person permission to browse records out of curiosity, check up on people they know, copy customer data before leaving, send restricted information to a personal email account or reuse an employer's code in a new business.
This distinction matters because a lot of insider data misuse does not look like a technical breach at first. The login succeeds. The MFA prompt passes. The system records a normal session. The person may even sit at their normal desk, during normal working hours, using a device supplied by the organisation.
The breach only becomes clear when someone asks: why did they access that data?
What UK law and guidance say
Section 170 of the Data Protection Act 2018 creates an offence involving the deliberate or reckless obtaining, disclosure, procuring or retention of personal data without the consent of the controller. The Crown Prosecution Service summarises this offence in its guidance on data protection and computer misuse matters.
The Computer Misuse Act 1990 can also apply where someone knowingly accesses computer material without authorisation. Employers therefore need clear rules that define what authorised access means, because staff may have system access for one purpose but not another.
For personal data breaches, the ICO expects organisations to have breach detection, investigation and internal reporting procedures. Organisations must notify the ICO within 72 hours where a breach meets the reporting threshold, and they must inform affected individuals without undue delay where the breach creates a high risk to their rights and freedoms.
For insider data theft, the National Cyber Security Centre recommends measures that help organisations prevent, monitor and audit data exfiltration by malicious insiders. The NCSC also notes that insider risk does not only involve employees. It can involve contractors, partners and suppliers with legitimate access.
Why this matters to ordinary businesses
It would be easy to treat these cases as an NHS or public sector issue. That would be a mistake.
Every organisation has data that staff can access but should not misuse. Customer records, sales pipelines, HR files, supplier bank details, source code, legal files, case notes and internal pricing data can all create risk when staff use them for the wrong reason.
The same pattern appears again and again. The employee says they had access. The organisation says they had no business reason to use it that way.
Practical controls that reduce the risk
· Write the rule clearly. Policies should state that staff may only access data when their role requires it for a legitimate work purpose. Avoid vague wording such as "staff must not misuse data". Use plain examples: do not look up friends, family, colleagues, celebrities, local incidents, former customers or records linked to news stories unless your role requires it.
· Limit access where you can. Role-based access will not solve every issue, but it reduces unnecessary exposure. Staff should not keep access because they once needed it for an old project.
· Monitor sensitive activity. Review access to VIP records, child records, employee records, high-profile incidents, bulk exports, unusual CRM downloads, personal email forwarding and source code cloning. Monitoring should not sit unused until after a complaint.
· Treat leavers as a data risk. Before staff leave, check for unusual downloads, exports, repository clones, mass printing, USB transfers, email forwarding rules and messages sent to personal accounts. Sales teams, developers, finance staff and senior managers deserve particular attention because they often hold high-value information.
· Train managers as well as staff. Many insider cases start with a manager saying, "They worked on that account, so it is probably fine." Managers need to understand the difference between past involvement and current business need.
· Make consequences clear and consistent. If one person receives dismissal and another receives informal counselling for similar conduct, the policy loses credibility. Staff need to know that inappropriate access can lead to dismissal, professional referral, criminal prosecution or civil action.
· Investigate quickly. The ICO expects organisations to recognise, investigate and document breaches. Where a breach creates a risk to individuals, organisations may need to notify the ICO. Where the breach creates a high risk to individuals, organisations may also need to tell the affected people directly.
A simple test for staff
A useful test for staff awareness training is: could I explain this access to the person whose data I opened, my manager, the ICO and a court?
If the answer is no, do not open the record.
A second test helps with customer lists, sales records and code: did I create this for myself, or did I create it as part of my job?
If the work, customer relationship, source code, spreadsheet, script or database came from employment, the employee should assume that the employer owns it unless a written agreement says otherwise.
Conclusion
Insider data misuse often starts with legitimate access. That makes it uncomfortable for organisations because it raises questions about culture, supervision, monitoring and accountability.
The recent NHS cases show the human impact when staff look at sensitive records out of curiosity. The RAC, Leaseline, Acorn, Trailfinders and PQ Systems cases show the commercial impact when staff copy data or code for personal gain, a competitor or a new employer.
Organisations should not frame this as a niche cyber issue. It is a governance issue, an HR issue, a legal issue and a trust issue.
The message to staff should be direct: your login lets you do your job. It does not give you permission to look at anything you like, copy anything useful or take anything with you when you leave.