July 1, 2026

Industry Voice: Why data protection, patient privacy and access analytics need greater priority on the healthcare IT agenda

About the author
Headshot of Raz Edwards with Branded background

Inappropriate access of patient records is a worrying trend, and one which is on the rise. There is increased media attention in high profile cases, and this certainly reflects the situation faced by data protection professionals within healthcare. We need to ask ourselves, why is this happening, and why is it happening now?

The fast adoption of digital technology means that people now have access to multiple systems that provide richer sources of data to support care decisions. This digital transformation has been hugely beneficial for patients, but it does mean that there is an even higher degree of trust in people working with that data to act appropriately. While we have procedural elements such as contracts and codes of confidentiality, these are perhaps relied on too heavily by the NHS as a safeguard. Most of the time the process works well...until something goes wrong.

Given the nature of access required in the NHS, it can be challenging to define roles for nurses, resident doctors, care assistants, and other care professionals working on the frontline who move around the organisation to deliver care to meet patients’ needs. The level of access they require is fluid, so restricting that access could potentially have a negative impact on patient care when important information is not accessible at a critical moment.

How do you analyse huge amounts of data when something goes wrong?

All healthcare systems have auditing capabilities, so when something goes wrong you can review audit trails to see who has accessed what (assuming, of course, that generic accounts are not used). The issue is not a lack of data; it’s the ability to review that data in a meaningful way that identifies unexpected patterns and behaviours. This requires some clever analytics software, possibly supplemented by AI.

A key challenge is that the volume of daily access to patient records is so substantial that distinguishing between expected and potentially inappropriate access can be highly complex. Firstly, effective tools are needed to help surface unusual activity and provide context around what that behaviour may mean. While some scenarios, such as access involving the same surname or postcode, are relatively straightforward to flag, more nuanced or indirect relationships require more sophisticated analysis and careful calibration of rules and parameters.

So, although the digitisation and linking of healthcare and clinical systems have been hugely beneficial to patients, and staff, it has compounded the issue of policing access. As we’ve moved with incredible speed from paper to digital (thanks to the COVID pandemic), organisations have also had to evolve the controls and governance frameworks that support appropriate access. This is why data protection, patient privacy and access analytics are becoming increasingly important priorities across healthcare, helping ensure that innovation and trust continue to develop hand in hand.

What is the best way of dealing with data protection and patient privacy on a national level?

As Chair of the National Strategic Information Governance Network (SIGN), this is an ongoing topic of conversation and debate. The regional SIGN networks have around 2,500 members across the country, who report anecdotally that these patterns of behaviour are increasing. Also of concern is the lack of consistency in how regulators deal with individuals from a disciplinary point of view.

With the support of Imprivata, who I have been working with for a number of years, we are looking to bring together the various industry bodies and stakeholders to discuss how we can effect a much-needed change in culture to one where data and patient privacy is protected and treated with the respect it deserves.

The biggest challenge for frontline organisations is securing investment in analytical tools and ensuring they are given sufficient priority alongside the demands of delivering clinical care. In an environment of constrained resources, investments in data compliance and security must compete with other pressing healthcare priorities, such as funding a new CT scanner.

Where these tools have been deployed, they act as fantastic deterrents. When people know that access is being monitored, the culture changes rapidly to one of respecting privacy and patient records.

Looking forward, there are some really good things happening. All of the national bodies, NHSE, National Data Guardians Office, the NHS IG Policy Teams, the SIGNS networks, are aligned on the importance and commitment to this matter. Ideally, we would also like to open up dialogue with the General Medical Council and the Nursing and Midwifery Council as they play a key role in regulating their professional members. For example, what are the guidelines if a code of conduct is breached?

My own pragmatic view is that guidance is great at raising awareness, and the more awareness we can raise, the better. However, awareness simply shines a light on the problem, it won’t enable or give frontline practitioners the tools they need to address the problem. And that is the key.

So how do we attempt to fix this? Major challenges include the resources available, and the seriousness that is attributed to this problem within each organisation. Some forward-thinking organisations are implementing intelligent access analytics tools like those supplied by Imprivata, recognising the value these bring in strengthening patient privacy and building trust. While this does require investment, it is encouraging to see growing recognition across healthcare of the importance of protecting patient data and its essential role in delivering high-quality care.

You are currently browsing

Product availability varies by region. Would you like to choose a different region?

No thank you, I'd like to continue