Another link to ongoing stories coming from the UCLA Medical Center where employees improperly accessed confidential medical information of celebrities and even co-workers. I consider this situation an important illustration that policy does not ultimately work. The article mentions 68 persons snooped on 61 personal records. That means this is not an isolated incident. The article also mentions the sharing of passwords. Whoa.
Human curiosity or even greed (if any info was sold) was beating policy. I believe such impulses will always beat policy, in fact. These are crimes of opportunity, and technology/process should be limiting that opportunity. Yes, that might impact the ability for people to get some things done, but there is always that balance between getting things done any way you can and getting things done in a secure, trustworthy manner that limits unlawful opportunity.
However, in the end, someone has to have access to the information. Usually it is several someones, so they can make decisions or even perform clerical work. This is where audits, logs, policy, managerial oversight, and hiring practices come into play. Does someone need to be watching the audit logs and reporting possible violations? Maybe, maybe not, but that could certainly be a measure for an organization that really needs to provide a high sense (or real state) of security.