London Clinic ICO caution: what staff medical-record misuse teaches employers

Scott Dooley
7 min read · Jun 18, 2026

The ICO has issued a formal caution to a former healthcare professional after concluding a criminal investigation linked to medical information reported by the London Clinic in March 2024. For employers, the point is direct: insider misuse of personal data can become a criminal data protection matter even when the organisation itself is not fined.

The ICO statement, published on 17 June 2026, says the investigation concerned the unlawful obtaining and disclosure of medical information to a third party without the data controller’s consent. The regulator issued the caution in relation to an offence under section 170(5) of the Data Protection Act 2018.

The ICO said the conduct involved the deliberate misuse of highly sensitive personal information and an offer to disclose it for financial gain. It also said, based on the available evidence, it did not identify wider organisational failings that met the threshold for regulatory enforcement.

Why this matters beyond healthcare

Medical records sit at the sharp end of confidentiality because health information is special category data. The same access-abuse risk appears in HR systems, payroll tools, CRM records, customer support platforms and case-management databases. The person who can see the data can misuse it. A policy alone does not stop that.

Section 170 of the Data Protection Act 2018 makes it an offence, in broad terms, to knowingly or recklessly obtain or disclose personal data without the controller’s consent, procure disclosure to another person, retain personal data after obtaining it unlawfully, sell it, or offer to sell it. The London Clinic case sits in that last category because the ICO described an offer to disclose sensitive information for financial gain.

This is close to the pattern in other ICO action on employee access abuse. In June 2026, the ICO secured confiscation orders against two former RAC employees after customer data was copied and sold. Our earlier write-up on RAC access abuse covers the profit motive in more detail. The practical lesson is the same: access controls need to assume that trusted users can become the threat.

The control that fails first is usually purpose

Most organisations know who has a login. Fewer can prove, quickly, why a named person looked at a named record at a named time.

That purpose question matters. In healthcare it is obvious: a staff member should access a patient record because they are involved in care, administration, billing, referral handling or another legitimate task. In an ordinary business it is the same test in different clothes. Payroll staff need payroll records. The sales team need current customer records. A line manager may need absence information for their team. None of that gives open permission to browse.

Role-based access is the starting point, not the finish. Employers should be able to show:

  • which roles can access each sensitive system;
  • which fields are hidden unless the role needs them;
  • who approved access and when it expires;
  • whether access was reviewed after a role change, suspension or exit;
  • how unusual access is flagged, investigated and recorded.

Those controls apply outside large hospitals. A 40-person employer with one HR system and one CRM still needs a clean answer when someone opens a record they had no business need to see.
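The checklist above can be turned into a repeatable access review. The following is an added example, not code from the article or from any system mentioned in it; it assumes a hypothetical access register exported as one row per grant (user, system, role, approver, expiry, employment status, last role change, last review, last login) and flags the gaps the list asks employers to be able to explain. The sample grants are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, List, Tuple, Dict

@dataclass
class AccessGrant:
    """One row of a hypothetical access register (assumed export format)."""
    user: str
    system: str
    role: str
    approved_by: Optional[str]       # None means no recorded approver
    expires_on: Optional[date]       # None means no expiry was set
    employment_status: str           # "active", "suspended" or "left"
    role_changed_on: Optional[date]  # last role change, if any
    last_reviewed_on: Optional[date] # last access review for this grant
    last_login_on: Optional[date]    # None means the account has never been used

def review_access(grants: List[AccessGrant], today: date,
                  dormant_after_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (user, system, finding) tuples for grants that need attention.

    Each finding maps to one line of the article's checklist: leavers and
    suspended staff still holding access, grants with no approver or an
    expired approval, grants not re-reviewed after a role change, and
    dormant accounts that nobody has noticed.
    """
    findings = []
    for g in grants:
        if g.employment_status in ("left", "suspended"):
            findings.append((g.user, g.system, "leaver_or_suspended_still_has_access"))
        if g.approved_by is None:
            findings.append((g.user, g.system, "no_recorded_approver"))
        if g.expires_on is not None and g.expires_on < today:
            findings.append((g.user, g.system, "approval_expired"))
        if g.role_changed_on is not None and (
                g.last_reviewed_on is None or g.last_reviewed_on < g.role_changed_on):
            findings.append((g.user, g.system, "not_reviewed_since_role_change"))
        if g.last_login_on is None or (today - g.last_login_on).days > dormant_after_days:
            findings.append((g.user, g.system, "dormant"))
    return findings

def summarise(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count findings by reason so the reviewer can write down the outcome."""
    counts: Dict[str, int] = {}
    for _, _, reason in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts

# Constructed sample register: three grants across an HR system and a CRM.
SAMPLE_REGISTER = [
    AccessGrant("alice", "hr", "payroll", "bob", date(2026, 12, 31), "active",
                None, date(2026, 1, 10), date(2026, 6, 17)),
    AccessGrant("carol", "crm", "sales", None, date(2026, 3, 31), "active",
                date(2026, 5, 1), date(2026, 2, 1), date(2026, 6, 10)),
    AccessGrant("dave", "hr", "manager", "bob", None, "left",
                None, date(2026, 1, 10), date(2026, 2, 1)),
]

if __name__ == "__main__":
    results = review_access(SAMPLE_REGISTER, date(2026, 6, 18))
    for user, system, reason in results:
        print(f"{user:6} {system:4} {reason}")
    print(summarise(results))
```

Run against the constructed register, the clean grant (alice) produces nothing, the CRM grant with no approver, an expired approval and an unreviewed role change produces three findings, and the leaver produces two. The thresholds are parameters so a small employer can tighten or relax them and still show the same evidence trail.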

Audit logs need named owners

Audit logging is often treated as an IT feature. It should be owned as a compliance control, linked to the organisation’s duties under the ICO’s data security guidance.

A useful log shows user, record, timestamp, action, device or location where available, and whether data was exported, printed or shared. More importantly, someone checks it. For sensitive systems, that means alerts for unusual behaviour: repeated lookups of high-profile records, access outside normal hours, access by staff outside the case team, bulk downloads, failed export attempts and post-resignation activity.

The review rhythm should be written down. Daily alerts for the highest-risk systems. Monthly sampling for wider records. Immediate checks after complaints, rumours, staff conflict, media contact, disciplinary concerns or role changes. Without that owner, the log becomes a museum. It proves what happened only after damage is done.
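The alert types listed above can be expressed as rules over a record-level audit log. The following is an added example, not code from the article or from any product it mentions; it assumes a hypothetical CSV export with one line per access event (timestamp, user, record, action, team), a lookup of which team owns each record, a set of records flagged as high-profile, and a leaver list with leaving dates. The log lines and reference data are constructed.

```python
import csv
from collections import Counter
from datetime import datetime, date, time
from io import StringIO

# Constructed sample audit log in the assumed export format (not real data).
SAMPLE_LOG = """timestamp,user,record,action,team
2026-06-15T09:12:00,nurse1,P1001,view,wardA
2026-06-15T09:30:00,nurse1,P1002,view,wardA
2026-06-15T22:45:00,admin2,P1003,view,billing
2026-06-15T10:05:00,clerk3,P9001,view,reception
2026-06-15T10:06:00,clerk3,P9001,view,reception
2026-06-15T10:07:00,clerk3,P9001,print,reception
2026-06-16T11:00:00,clerk3,P1004,export,reception
2026-06-16T11:01:00,clerk3,P1005,export,reception
2026-06-16T11:02:00,clerk3,P1006,export,reception
2026-06-16T11:03:00,clerk3,P1007,export,reception
2026-06-16T11:04:00,clerk3,P1008,export,reception
2026-06-17T14:00:00,leaver4,P1010,view,wardB
"""

# Constructed reference data: which team is responsible for each record,
# which records are flagged as high-profile, and who has left and when.
CASE_TEAM = {"P1001": "wardA", "P1002": "wardA", "P1003": "billing",
             "P9001": "wardC", "P1010": "wardB"}
HIGH_PROFILE = {"P9001"}
LEAVERS = {"leaver4": date(2026, 6, 10)}

def parse_log(text):
    """Parse the CSV export into a list of event dicts with a real datetime."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"], "record": row["record"],
            "action": row["action"], "team": row["team"],
        })
    return events

def detect(events, case_team, high_profile, leavers,
           work_start=time(7, 0), work_end=time(20, 0),
           repeat_threshold=3, bulk_threshold=5):
    """Return sorted (rule, user, detail) alerts for the behaviours the
    article lists: out-of-hours access, access outside the case team,
    repeated lookups of high-profile records, bulk exports in one day,
    and activity after a user's leaving date. A set deduplicates repeats
    of the same alert so the reviewer sees one line per issue."""
    alerts = set()
    repeat = Counter()   # (user, record) -> lookups of high-profile records
    exports = Counter()  # (user, day) -> export count
    for e in events:
        t = e["ts"].time()
        if t < work_start or t >= work_end:
            alerts.add(("out_of_hours", e["user"], e["ts"].isoformat()))
        owner = case_team.get(e["record"])
        if owner is not None and owner != e["team"]:
            alerts.add(("outside_case_team", e["user"], e["record"]))
        if e["record"] in high_profile:
            repeat[(e["user"], e["record"])] += 1
        if e["action"] == "export":
            exports[(e["user"], e["ts"].date())] += 1
        left_on = leavers.get(e["user"])
        if left_on is not None and e["ts"].date() > left_on:
            alerts.add(("post_resignation", e["user"], e["ts"].date().isoformat()))
    for (user, record), n in repeat.items():
        if n >= repeat_threshold:
            alerts.add(("high_profile_repeat", user, record))
    for (user, day), n in exports.items():
        if n >= bulk_threshold:
            alerts.add(("bulk_export", user, day.isoformat()))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG), CASE_TEAM, HIGH_PROFILE, LEAVERS):
        print(f"{rule:20} {user:8} {detail}")
```

On the constructed log the routine report nothing for the nurse working her own ward and five alerts for everyone else: one out-of-hours view, one access to a record owned by another team, one repeated lookup of a flagged record by the same user, one day with five exports, and one view after a leaving date. The thresholds and working hours are parameters because the right values differ between a ward system and a CRM; what should not differ is that a named person reads the output and records what was done about it.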

Breach handling still belongs to the organisation

The ICO did not identify wider organisational failings meeting the enforcement threshold in this matter. Employers should not read that as comfort that staff misuse is merely an individual problem.

ICO guidance on breach reporting says organisations must assess the likely risk to people’s rights and freedoms, notify the ICO as soon as possible and, where feasible, within 72 hours if that risk is likely. If the risk is high, affected people must also be notified without undue delay.

That means a manager who suspects staff misuse should not wait for a full disciplinary outcome before escalating. The first 24 hours should answer five questions: what data was accessed, who accessed it, whether it was disclosed, who is affected, and whether there is ongoing risk. If the answer is incomplete, record that and update it. The ICO guidance explicitly recognises that complex breaches may need further information later.

For healthcare and care-sector employers, the threshold is often met faster because medical information is special category data and the privacy harm can be serious. The ICO’s March 2024 London Clinic statement said misuse of personal data must be reported if there is a risk to people’s rights and freedoms, which is often the case with sensitive medical information.

Confidentiality training must be specific

Annual data protection training fails when it tells staff to keep data safe but never tests the exact moments where curiosity, pressure or money enter the picture.

Better training uses job-specific scenarios. A receptionist recognises a local celebrity. A manager sees a grievance file involving a colleague. A sales employee is asked by a friend to look up a customer address. A support agent is offered cash for an email list. Staff need to say what they would do, who they would tell, and what happens if they proceed.

The training record should show more than completion. Keep the scenario set, pass mark, date, audience, follow-up actions and late-completion chase. If an incident later happens, this evidence helps show whether the organisation trained, warned and monitored staff in a serious way.

Our article on NHS disciplinary disparity looks at why inconsistent staff sanctions weaken that message. The same point applies outside the NHS. A confidentiality rule that is rarely enforced becomes guidance, not control.

What employers should do this week

  1. Pick one sensitive system and review who can access it today.
  2. Remove access for leavers, movers and dormant users.
  3. Check whether audit logs show record-level access as well as login events.
  4. Name the person who reviews unusual access and writes the outcome down.
  5. Add one insider-misuse scenario to the next staff training session.
  6. Test the breach escalation route with HR, IT and the data protection lead.

For teams that handle employee, customer or patient data, GDPR training should connect the legal rule to daily decisions at the screen. Staff need to know that curiosity browsing, unauthorised disclosure and selling data are disciplinary risks and, in serious cases, criminal data protection risks.

FAQ

Was the London Clinic fined?

No. The ICO statement says a now-former healthcare professional received a formal caution. It also says the ICO did not identify wider organisational failings that met the threshold for regulatory enforcement, based on the available evidence.

Can an employee commit a data protection offence?

Yes. Section 170 of the Data Protection Act 2018 creates offences for unlawful obtaining, disclosure, retention, selling and offering to sell personal data in the circumstances set out in the Act.

Does staff misuse always have to be reported to the ICO?

No. The organisation must assess the likely risk to people’s rights and freedoms. If that risk is likely, ICO guidance says the organisation must notify the ICO as soon as possible and, where feasible, within 72 hours. Sensitive medical information often increases that risk.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
