Re: It's a start
The thing about the NHS databases that I worked on for ten years is you could tell who accessed the data and when. Quite the opposite of trusting random employees, every database query is logged. The triple AAA of authentication, authorization, and accounting are applied to confirm if someone is up to no good and prosecute every single wrongdoers. Of course we could throw all that investment away and go back to receptionists in GP surgeries send pages and pages of medical records in clear text to un-manned fax machines in unsecure locations but that really would be trusting unknown random employees.