Blog

Cyber Security Guidance
In Plain English.

Practical advice on Cyber Essentials, Cyber Essentials Plus, IASME Cyber Assurance, cyber basics and common issues affecting smaller businesses. The aim is to make cyber topics easier to understand and more useful in practice.

Just Because You Can Access It Does Not Mean You Should

Just Because You Can Access It Does Not Mean You Should

Most data breaches do not start with a hacker in a hoodie. Many start with a normal member of staff using a normal account to access a normal system.

That makes them harder to explain. The person may have a legitimate login. They may work in the right department. They may access the same system every day. The problem starts when they access information for the wrong reason.

This issue has returned to the headlines because of recent NHS incidents where staff looked at patient records without a clinical or operational need. The Information Commissioner's Office has warned healthcare organisations that curiosity is not an excuse and that staff can face disciplinary action, loss of professional accreditation and prosecution when they knowingly or recklessly access personal data without authorisation.

The lesson applies far beyond healthcare. It affects councils, police forces, law firms, managed service providers, manufacturers, sales teams, software developers and any business that holds personal, commercial or confidential information.

The key point is simple: being able to access data does not mean you have permission to use it for any purpose you choose.

Real-world examples

The cases below show the same pattern across healthcare, policing, commercial data, sales records and software code. In each case, access rights did not create a free right to browse, copy, retain or reuse the information.

Case and sector

What happened

Outcome and lesson

Cambridge University Hospitals, Addenbrooke's Hospital

NHS

Around 40 staff faced investigation after they accessed the medical records of a three-year-old boy injured in a crocodile enclosure incident. The trust referred itself to the ICO and checked whether each staff member had a valid reason to view the record.

The investigation remained ongoing when reported. The trust said improper access could lead to disciplinary action, including dismissal. The case shows how a high-profile incident can create a curiosity-access risk.

Nottingham University Hospitals NHS Trust

NHS

Staff accessed medical records linked to victims of the 2023 Nottingham attacks without a proper work reason.

The trust dismissed 11 staff and took action against a further 14, including written warnings. The case shows that "just looking" can end employment and trigger professional consequences.

University Hospitals of Liverpool Group, Southport attack victims

NHS

An audit reportedly found that 48 staff accessed the records of Southport attack victims without good reason.

Reports said sanctions ranged from counselling to final written warnings, with no reported dismissals. The case shows why organisations need consistent disciplinary rules for inappropriate access.

Christopher O'Brien, South Warwickshire NHS Foundation Trust

NHS

O'Brien accessed the medical records of 14 patients who knew him personally, without a valid business reason.

He pleaded guilty to unlawfully obtaining personal data under section 170 of the Data Protection Act 2018. The court ordered him to pay compensation totalling 3,000 pounds. The case shows that personal curiosity can become a criminal matter.

Loretta Alborghetti, Worcestershire Acute Hospitals NHS Trust

NHS

Alborghetti accessed records of 156 patients, including family members and people local to where she lived. Reports said she viewed records more than 1,800 times over three months.

Worcester Magistrates' Court ordered her to pay 648 pounds after she breached section 170 of the Data Protection Act 2018. The case shows the value of audit logs and review triggers.

The London Clinic, former healthcare professional

Private healthcare

The ICO investigated the unlawful obtaining and disclosure of highly sensitive medical information. The ICO said the conduct involved deliberate misuse and an offer to disclose information for financial gain.

The ICO issued a formal caution under section 170(5) of the Data Protection Act 2018. The case shows why VIP, staff, executive and other sensitive records need enhanced monitoring.

Mohammed Sardar, former Metropolitan Police officer

Police

Sardar intentionally accessed police records about people he knew without any legitimate policing purpose.

He pleaded guilty to five Computer Misuse Act 1990 charges. He received a nine-month prison sentence, suspended for two years, plus 200 hours unpaid work. The Met dismissed him without notice and placed him on the barred list.

Mohammed Ejaz, Independent Office for Police Conduct

Police oversight

Ejaz sent restricted sensitive case information, including 999 call recordings linked to a death-related incident, to his private Hotmail account.

He pleaded guilty to unlawfully obtaining personal information. The court fined him 200 pounds and ordered him to pay 2,000 pounds costs. The case shows how personal email forwarding can become a serious data loss route.

Debbie Okparavero and Maliha Islam, former RAC employees

Private sector

The former RAC call-centre employees unlawfully copied and sold more than 29,500 lines of personal information relating to road traffic accident cases. RAC detected the activity after installing security monitoring software.

Both received six-month prison sentences, suspended for 18 months, and 150 hours unpaid work. In 2026, the ICO also secured confiscation orders under POCA. The case shows that commercial misuse can lead to criminal records, suspended sentences and financial recovery action.

Alexander Dore, Leaseline Vehicle Management

Sales and leasing

Shortly before resigning, Dore retained more than 3,600 pieces of customer information from his employer's database and sold them to competitor companies while claiming the data belonged to him.

He pleaded guilty to unlawfully obtaining and selling data under section 170 of the Data Protection Act 2018. The court fined him 1,200 pounds and ordered him to pay 300 pounds costs. The case shows that CRM records and customer histories usually belong to the employer.

Mark Lloyd, Acorn Waste Management

Commercial services

Lloyd emailed details of 957 clients to his personal email address as he left for a rival company. The information included contact details, purchase history and commercially sensitive information.

He pleaded guilty under section 55 of the Data Protection Act 1998. The court fined him 300 pounds and ordered him to pay a 30 pounds victim surcharge and 405.98 pounds costs. The case shows that taking client records to a new job can create a criminal offence.

Trailfinders v Travel Counsellors

Travel and customer data

Former Trailfinders employees moved to a competitor and used confidential customer information. The Court of Appeal considered the recipient company's responsibility when it received information that appeared to come from a competitor's confidential systems.

This was a civil case, not a criminal conviction. The Court of Appeal upheld liability for breach of confidence. The case warns new employers not to accept "my old client list" without checking who owns it.

PQ Systems Europe Ltd v Aughton

Software and source code

A former employee argued that software he wrote belonged to him. The High Court found that the software formed part of his employment work and that later software copied substantial parts of the employer's code.

This was a civil case involving copyright infringement and breach of contractual confidentiality. The case shows that writing code does not automatically mean you own it when you wrote it in the course of employment.

The problem is not always access. The problem is purpose.

Many organisations focus heavily on whether someone can access a system. That matters, but it does not answer the full question.

A receptionist may need access to patient records for appointments. A salesperson may need access to CRM data for current customers. A police officer may need access to police systems for active policing duties. A developer may need access to source code repositories to maintain a product.

None of that gives the person permission to browse records out of curiosity, check up on people they know, copy customer data before leaving, send restricted information to a personal email account or reuse an employer's code in a new business.

This distinction matters because a lot of insider data misuse does not look like a technical breach at first. The login succeeds. The MFA prompt passes. The system records a normal session. The person may even sit at their normal desk, during normal working hours, using a device supplied by the organisation.

The breach only becomes clear when someone asks: why did they access that data?

What UK law and guidance say

Section 170 of the Data Protection Act 2018 creates an offence involving the deliberate or reckless obtaining, disclosure, procuring or retention of personal data without the consent of the controller. The Crown Prosecution Service summarises this offence in its guidance on data protection and computer misuse matters.

The Computer Misuse Act 1990 can also apply where someone knowingly accesses computer material without authorisation. Employers therefore need clear rules that define what authorised access means, because staff may have system access for one purpose but not another.

For personal data breaches, the ICO expects organisations to have breach detection, investigation and internal reporting procedures. Organisations must notify the ICO within 72 hours where a breach meets the reporting threshold, and they must inform affected individuals without undue delay where the breach creates a high risk to their rights and freedoms.

For insider data theft, the National Cyber Security Centre recommends measures that help organisations prevent, monitor and audit data exfiltration by malicious insiders. The NCSC also notes that insider risk does not only involve employees. It can involve contractors, partners and suppliers with legitimate access.

Why this matters to ordinary businesses

It would be easy to treat these cases as an NHS or public sector issue. That would be a mistake.

Every organisation has data that staff can access but should not misuse. Customer records, sales pipelines, HR files, supplier bank details, source code, legal files, case notes and internal pricing data can all create risk when staff use them for the wrong reason.

The same pattern appears again and again. The employee says they had access. The organisation says they had no business reason to use it that way.

Practical controls that reduce the risk

·        Write the rule clearly. Policies should state that staff may only access data when their role requires it for a legitimate work purpose. Avoid vague wording such as "staff must not misuse data". Use plain examples: do not look up friends, family, colleagues, celebrities, local incidents, former customers or records linked to news stories unless your role requires it.

·        Limit access where you can. Role-based access will not solve every issue, but it reduces unnecessary exposure. Staff should not keep access because they once needed it for an old project.

·        Monitor sensitive activity. Review access to VIP records, child records, employee records, high-profile incidents, bulk exports, unusual CRM downloads, personal email forwarding and source code cloning. Monitoring should not sit unused until after a complaint.

·        Treat leavers as a data risk. Before staff leave, check for unusual downloads, exports, repository clones, mass printing, USB transfers, email forwarding rules and messages sent to personal accounts. Sales teams, developers, finance staff and senior managers deserve particular attention because they often hold high-value information.

·        Train managers as well as staff. Many insider cases start with a manager saying, "They worked on that account, so it is probably fine." Managers need to understand the difference between past involvement and current business need.

·        Make consequences clear and consistent. If one person receives dismissal and another receives informal counselling for similar conduct, the policy loses credibility. Staff need to know that inappropriate access can lead to dismissal, professional referral, criminal prosecution or civil action.

·        Investigate quickly. The ICO expects organisations to recognise, investigate and document breaches. Where a breach creates a risk to individuals, organisations may need to notify the ICO. Where the breach creates a high risk to individuals, organisations may also need to tell the affected people directly.

A simple test for staff

A useful test for staff awareness training is: could I explain this access to the person whose data I opened, my manager, the ICO and a court?

If the answer is no, do not open the record.

A second test helps with customer lists, sales records and code: did I create this for myself, or did I create it as part of my job?

If the work, customer relationship, source code, spreadsheet, script or database came from employment, the employee should assume that the employer owns it unless a written agreement says otherwise.

Conclusion

Insider data misuse often starts with legitimate access. That makes it uncomfortable for organisations because it raises questions about culture, supervision, monitoring and accountability.

The recent NHS cases show the human impact when staff look at sensitive records out of curiosity. The RAC, Leaseline, Acorn, Trailfinders and PQ Systems cases show the commercial impact when staff copy data or code for personal gain, a competitor or a new employer.

Organisations should not frame this as a niche cyber issue. It is a governance issue, an HR issue, a legal issue and a trust issue.

The message to staff should be direct: your login lets you do your job. It does not give you permission to look at anything you like, copy anything useful or take anything with you when you leave.