3D clay render illustration of a healthcare worker at a computer with patient records on screen, representing the importance of practical data protection training

When Data Protection Training Doesn’t Work — and Why It Matters

When the story broke about 48 members of staff at Stockport NHS Foundation Trust accessing the medical records of Southport stabbings victims without any legitimate reason, a lot of people were shocked. I wasn’t.

Not because insider threat is inevitable — it isn’t — but because I’ve seen first-hand what passes for data protection training in NHS settings. And I’ve seen what happens when the humans delivering care aren’t given practical, meaningful guidance about what data protection actually looks like in their day-to-day work.

I want to share some of that experience with you. Not to embarrass anyone, but because I think it explains something important about why breaches like Stockport keep happening — and what actually needs to change.

Two days a month

A few years ago I worked as an outsourced Data Protection Officer for an organisation providing patient services to the NHS. They felt that two days a month was sufficient DPO resource for the complexity of what they were doing. It wasn’t. Not even close. I was relieved when the contract ended, and did not seek renewal.

But the resource problem wasn’t just about hours. It was about what happened in the space that proper oversight would have filled.

The Spine incidents

The NHS Spine is the national system that holds core patient demographic information — name, date of birth, NHS number, address, GP registration. It is, by design, authoritative. When a clinician turns up to see a patient and the details don’t match, the correct response is to question whether they have the right patient in front of them.

That is not what happened in two cases I dealt with directly.

In the first, a clinician arrived to see a patient in her nineties. The details didn’t match. Rather than question whether they were at the right address or had the correct record open, they changed the date of birth on the Spine. A woman in her nineties, and someone genuinely thought the NHS had her date of birth wrong.

In the second, a clinician arrived to see one of a pair of twins. Again, the details didn’t match — specifically, the sex recorded didn’t correspond to the patient in front of them. Again, rather than question whether they had the wrong record open, they changed it. The Spine, they apparently concluded, had recorded the wrong sex for this person their entire life.

These are not data protection failures in the abstract. These are people making active changes to a national clinical record because they couldn’t conceive that they might be looking at the wrong patient.

“It was a negative result”

The third example has stayed with me. A member of staff had two patient records open simultaneously on their screen and entered a test result into the wrong one. When this came to light, they refused to go into the record to correct it.

Their reasoning? Doing so would be a breach of data protection. And anyway — it didn’t matter, because the result was negative.

I’ll let that sink in for a moment.

The record was incorrect. A patient’s clinical history now contained information that wasn’t theirs. And the person responsible thought the solution was to leave it there because the result happened to be negative this time.

The training problem

All of these people had completed their mandatory data protection training. All of them.

That training came from a centralised NHS-approved portal. I reviewed it carefully. What I found was page after page of extracted text from the GDPR — dense, legal, presented as something to be read and clicked through rather than understood and applied.

There was very little about what data protection actually means when you’re a clinician with a patient record on your screen. No practical scenarios. No “what would you do if…?” No connection between the regulation and the reality of the job.

It was training designed to generate a completion certificate, not to change behaviour.

This is the direct reason I developed RiskReady’s Introduction to Data Protection course. I wanted to create something that treats learners as intelligent adults, uses real scenarios, and actually explains why the rules exist — not just what they say.

I also knew that business owners and managers needed something different again — not a legal textbook, but a clear explanation of their responsibilities and what good practice looks like in an organisation they’re responsible for. That’s what the Data Protection for SME Owners & Directors course is designed to do.

Back to Stockport

As I wrote over on the Cambridge Risk Solutions blog, the Stockport breach tells us a great deal about insider threat — about culture, about access controls, about what happens when people know they can do something and choose to do it anyway.

But it also tells us something about training. Forty-eight people. All of whom will have completed mandatory data protection training at some point. All of whom chose to access records they had no business looking at.

Training alone doesn’t stop determined people from doing the wrong thing. But bad training doesn’t even stop people from doing the wrong thing accidentally — because they’ve never properly understood what the right thing looks like in the first place.

That’s the gap worth closing.

Helen Molyneux, founder of RiskReady and Cambridge Risk Solutions

Helen Molyneux is the founder of Cambridge Risk Solutions, a specialist resilience consultancy with nearly two decades of experience in business continuity, crisis management and information security. She holds Lead Auditor certifications for ISO 22301 and ISO 27001, and has worked across both public and private sectors helping organisations prepare for, respond to, and recover from disruption. RiskReady is her e-learning platform, built to make that same practical expertise accessible to individuals and teams at every level.

Find out more about Cambridge Risk Solutions →
