04.02.15
NHS bodies now face compulsory data protection audits
NHS organisations can be forced to open themselves up to data protection audits under new powers handed to the Information Commissioner’s Office (ICO).
The new powers, which went into effect on 1 February, allow the ICO to force NHS authorities to be audited for compliance with the Data Protection Act. Previously these audits had only applied to central government departments.
The audits examine how the NHS handles patients' personal information and can cover areas including security of data, records management, staff training and data sharing.
The ICO will be able to assess data protection by England’s NHS foundation trusts, GP surgeries, NHS Trusts and Community Healthcare Councils, and their equivalent bodies in Scotland, Wales and Northern Ireland under section 41A of the Data Protection Act. The new legislation will not apply to any private companies providing services within public healthcare.
Christopher Graham, the Information Commissioner, said: “The health service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern.
“Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough.
“We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step for patients.”
In the past the ICO has issued fines totalling £1.3m to NHS organisations.
The ICO could not comment on the specific areas it may focus on with its new powers, or on where responsibility for patient data management may now lie among healthcare bodies, but said it will carry out audits using a "risk-based approach".
While it now has the power to compel an audit, the ICO said it will first ask organisations for consent. A spokesman said the audits were intended to flag up problems with data protection before a breach occurred and that their findings could not trigger a fine.
The new powers for the ICO come at a time when data management is a key issue for the health service. Data sharing initiatives, such as NHS England's delayed care.data programme, are often touted as a means to drive more efficient, integrated healthcare.