Not strictly true - medical staff need a legitimate relationship with the patient to see their notes in the same way that admin staff do.
Additionally the folder structure for the notes is owned by the Secretary of State for Health but the contents remains in the "ownership" of the patient with the data controller being the Trust when allowing access.
The point at which this changes is when the patient dies but then the record is covered by FOI, the common law duty of confidence and the Access to Health Records (the latter does not apply to council records and common law takes priority).
There are exemptions to this and any medical record and its contents have to be authorised by clinician in case it causes harm.
However, with the Caldicott 2 requirement to allow online access to records by patients this is a boundary that will be pushed and this will be reflected on ongoing DPA changes.
Safeguarding as an activity has a different legal basis but the DPA still applies in terms of records management and ensuring that entries are dated, timed etc.
It is a criminal offence to inappropriately access records - see
https://ico.org.uk/action-weve-taken/en ... it-dhanju/ linked to the NHS but there are other examples linked to banking, telecoms etc.
IVA started March 2011, Completed March 2016 and certificate issued 11 days after final payment. It was not always easy but then some of the best decisions aren't.