28.09.18
NHS could face hefty fines over GDPR as ICO takes formal action
The NHS could be hit with fines from the Information Commissioner’s Office (ICO) as the authority begins formal enforcement actions against a number of organisations that have failed to pay the new data protection fee.
The ICO so far has sent out warning letters to 34 organisations which have failed to pay data protection fees – something that every organisation that processes personal data has to pay to the ICO under the new General Data Protection Regulation (GDPR).
Failure to pay the fees is a civil offence under GDPR (this was previously a criminal offence under the Data Protection Act 1998).
The 34 notices were sent earlier this month and more are currently being drafted. Organisations have 21 days to respond to the notices, while those that ignore them may incur hefty fines.
The fee for large organisations such as the NHS is £2,900. However, this is lower than the fines faced by organisations for not responding to the ICO’s warning.
Paul Arnold, deputy chief executive at the ICO, said: “We expect the notices we have issued to serve as a final demand to organisations and that they will pay before we proceed to a fine. But we will not hesitate to use our powers if necessary.
“All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action.”
Last month, it was revealed that almost 10,000 vital patient documents were either lost or stolen from 68 hospitals last year. The month before, just one month after the roll-out of GDPR, it was revealed 150,000 patients had been affected by a data breach that saw their personal data used without their consent.
The fees paid to the ICO help fund its work, such as investigations into data breaches and complaints, as well as its advice line and its staff of 670 workers.