Nottingham dismissed 11 staff. Liverpool reportedly dismissed none. What NHS leaders should learn

Scott Dooley
Jun 2, 2026. Last updated: June 14, 2026

Two NHS record-access scandals now sit side by side in the public record. On 21 May 2026, Nottingham University Hospitals NHS Trust said 11 employees had been dismissed after inappropriate access to records connected to the June 2023 Nottingham attacks. In Merseyside, reporting across April and May 2026 says nearly 50 staff at hospitals in the University Hospitals of Liverpool Group were disciplined after accessing records linked to the July 2024 Southport attack, but none were dismissed and only one received a final written warning.

The comparison matters because staff looked where they should not have looked, and two large NHS organisations appear to have reached very different disciplinary outcomes in cases involving high-profile victims and survivor data. For HR, compliance, and senior management, the practical question is not which trust looks worse in a headline. It is whether your rules, audit trail, and sanctions framework are clear enough to survive the same scrutiny.

What Nottingham has confirmed

NUH’s own statement is the firmest source in the set. The trust said 11 people had been dismissed, 12 had received final written warnings, two had received first written warnings, and further investigations were ongoing. The trust also said no staff member came forward voluntarily. Those investigations followed inappropriate access to records relating to the Nottingham attacks; the Nottingham Inquiry later said the records of Valdo Calocane’s victims and survivors had been viewed without a legitimate reason.

A second point is easy to miss. In the inquiry hearing on 26 May 2026, NUH medical director Dr Dave Briggs accepted that the trust’s first review focused on the three people killed and did not initially consider the two surviving victims. That meant some inappropriate access was not picked up in the first round. The inquiry transcript also records Briggs saying the trust later widened the work and re-opened the investigation.

That detail matters operationally. If an organisation frames a breach investigation too narrowly at the start, it can understate the scale of the misconduct and delay action for the people affected. That is not an abstract governance point. It changes who gets notified, what gets investigated, and whether the board receives the full picture in time.

What Liverpool has confirmed, and what it has not

The Liverpool side is less clean because the primary material is thinner. The public numbers come through reporting by the BBC, ITV News, and HSJ, each citing trust statements or briefings. Across those reports, the consistent picture is that about 48 to 50 staff members accessed records connected to Southport attack survivors and family members without a legitimate reason. One member of staff received a final written warning. The rest received lesser sanctions. No dismissals have been reported.

The most important qualification is that the trust has not, in publicly accessible material I could verify, published a full breakdown equivalent to Nottingham’s 21 May 2026 statement. That does not make the reporting wrong. It does mean readers should treat the Liverpool figures as trust-quoted numbers reported by reputable outlets, rather than a full disciplinary table published by the trust itself.

What the ICO appears to be doing

There is no published ICO enforcement action against either trust on the evidence I could verify as of 31 May 2026.

For Liverpool, the clearest current signal is the ICO’s 22 April 2026 Southport follow-up note. It says the regulator remains in contact with local organisations, is monitoring actions taken after its recommendations, and notes an audit of University Hospitals of Liverpool Group with findings to be shared privately with the trust. Separately, the BBC and ITV both reported an ICO statement that it was not launching its own investigation at that stage and had not received referrals about staff suspected of offences relating to unlawfully obtaining personal data. That is a long way from a public penalty notice.

For Nottingham, the most direct current source is again the inquiry hearing. Counsel to the inquiry said the ICO had received reports relating to six patients and had indicated it expected the employer to investigate first. The same exchange records a second useful legal point: the Data Protection Act does not apply to the records of deceased people, but it can still apply to surviving victims and to information about relatives that appears in the file. That distinction is easy to miss and worth building into staff training.

Why the outcomes may be different

We do not yet have enough public evidence to say why one trust dismissed 11 staff and the other dismissed none. There are, however, four plausible operational differences that usually shape outcomes: what each audit log actually showed, whether staff had previous warnings, whether the access was repeated or shared onwards, and how each trust’s disciplinary policy classifies snooping into high-profile records. Without the underlying investigation reports, anything stronger would be guesswork.

That uncertainty should not comfort managers. It should push them to check whether their own standards are documented well enough that an external reader could understand why one case became gross misconduct and another did not. Measured sanctions only work when the organisation can explain them. If it cannot, deterrence weakens and trust in the process goes with it.

This is also where insider misuse control matters more than most organisations admit. Our recent write-up on the Advanced Computer Software Group NHS breach focused on cyber security failures, but these two NHS cases sit at the other end of the same risk chain: legitimate credentials, sensitive records, and weak practical barriers to misuse. For the individual accountability angle, our explainer on GDPR fines for individuals covers where personal liability does and does not arise.

What managers should do now

  1. Review access controls for high-profile patient records and other sensitive files. Break-glass access should be logged and justified every time.
  2. Test whether audit reviews cover every affected person, including survivors, relatives, witnesses, and other people mentioned in the file.
  3. Make the disciplinary framework explicit. Staff should know what turns curiosity, gossip, or repeat access into gross misconduct.
  4. Train line managers on the legal nuance. The issue includes confidentiality, fair processing, access governance, and evidence quality if the case later reaches a regulator or inquiry.
  5. Run scenario-based refresher training after any incident. Policy updates on their own do not change behaviour.
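Steps 1 and 2 above, and the scoping problem Briggs described at the inquiry, can be shown in a small audit-review script. The following is an added example, not code from either trust: it parses constructed audit lines (the field layout, user and patient IDs are assumptions), flags accesses to watched records by staff with no care relationship and no recorded break-glass reason, and compares a watchlist limited to the deceased victims with one widened to survivors and relatives.

```python
import shlex
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    patient: str
    role: str
    relationship: str   # "treating" = on the care team, "none" = no care link
    reason: str         # break-glass justification, "-" if none recorded

# Constructed sample audit lines (not a real trust export); the field layout is an assumption.
SAMPLE_LOG = """\
2026-05-01T09:10:00 u101 P001 nurse treating -
2026-05-01T09:12:00 u202 P001 clerk none -
2026-05-01T10:00:00 u303 P004 doctor none "ED on-call review"
2026-05-02T11:05:00 u202 P005 clerk none -
2026-05-02T13:30:00 u404 P002 nurse none -
2026-05-03T08:00:00 u202 P001 clerk none -
"""

def parse_log(text: str) -> list[AccessEvent]:
    """Parse one event per line; shlex keeps the quoted break-glass reason as one field."""
    return [AccessEvent(*shlex.split(line)) for line in text.splitlines() if line.strip()]

def flag_unjustified(events, watchlist: set[str]) -> list[AccessEvent]:
    """An access needs attention when it hits a watched record, the user has no
    care relationship with the patient, and no break-glass reason was recorded."""
    return [e for e in events
            if e.patient in watchlist and e.relationship != "treating" and e.reason == "-"]

def repeat_access(flagged) -> dict[str, int]:
    """Count flagged accesses per user; repeat access usually matters at the sanction stage."""
    return dict(Counter(e.user for e in flagged))

# Narrow scope: only the deceased victims' records (P001-P003, constructed IDs).
NARROW = {"P001", "P002", "P003"}
# Widened scope: add survivors and relatives named in the files (P004, P005, constructed).
WIDENED = NARROW | {"P004", "P005"}

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for label, scope in (("narrow", NARROW), ("widened", WIDENED)):
        hits = flag_unjustified(events, scope)
        print(f"{label}: {len(hits)} unjustified accesses, per user {repeat_access(hits)}")
```

The widened scope picks up a further unjustified access by a user already flagged under the narrow scope, while the doctor's access with a recorded break-glass reason is left for routine justification review rather than flagged as misconduct.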

If your team needs a baseline before it tries to solve edge cases like this, the GDPR Essentials course is the clean starting point for GDPR, PECR, and wider compliance training.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.

    View all posts