Question to the Department of Health and Social Care:

To ask His Majesty's Government how many incidents of patient records or personal data being accessed without due cause have been recorded in the most recent year for which figures are available.

Health and care organisations are required to submit data breach reports within 72 hours of an incident. Data breach incidents are reported to the Information Commissioners Office (ICO), who then investigate and decide what action to take. Notifiable breaches are those that are likely to result in a high risk to the rights and freedoms of the individual, referred to as the data subject. NHS England publishes the number of incidents reported through the Data Security and Protection Toolkit on its website. In 2023, 996 incidents were reported to the ICO, but not all of these would have involved patient details being accessed without due cause. The ICO publishes details on its website of incidents where it takes enforcement action.