Medical Records: Data Protection

(asked on 16th June 2026) - View Source

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what steps is he taking to strengthen protections against unauthorised access to patient data.


Answered by
Preet Kaur Gill Portrait
Preet Kaur Gill
Parliamentary Under-Secretary (Department of Health and Social Care)
This question was answered on 29th June 2026

All organisations that have access to National Health Service patient data and systems must use the Data Security and Protection Toolkit (DSPT) to provide assurance on an annual basis that they are practising good data security and that personal information is handled correctly. In September 2024 the National Cyber Security Centre’s Cyber Assessment Framework was implemented into the DSPT for large NHS organisations. This enables them to understand and manage their own cyber, and information governance, risks, while maintaining the high standards necessary to protect patients.

There are also a range of safeguards to prevent unauthorised access to patient data by people working in the NHS and social care.

There are various safeguards used in the NHS to prevent unauthorised access to patient records. These include role-based access control, where users are restricted in what they can access so that it is appropriate to their role, multi-factor authentication, and shielding records, where records can be hidden from normal view and only accessed by contacting an authoriser or via an alert triggered by attempted access and auditing.

Staff accessing systems are bound by employment contract and professional codes of conduct to ensure their access to data is necessary and appropriate. All organisations handling patient data should have training in place to ensure staff are aware of their responsibilities.

Reticulating Splines