ICO's data protection audit powers extended to cover NHS bodies

Out-Law News | 02 Feb 2015 | 2:39 pm | 2 min. read

NHS bodies in the UK can now be forced to open themselves up to data protection audits under new powers handed to the Information Commissioner's Office (ICO).

The watchdog told Out-Law.com that its audits regime follows a "participative approach" and that therefore it would first ask health bodies if they would voluntarily commit to a review of their data protection policies and practices. However, the new compulsory audit powers can be used to force the bodies to participate if the ICO identifies a need to carry out such a review.

Christopher Graham, the UK's information commissioner, said: "The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern."

"Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough. We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step for patients," Graham said.

The ICO had long campaigned for the compulsory audit powers they have under the Data Protection Act to be extended to the public health sector. Previously, the ICO could only compel central government departments to participate in a data protection audit and needed the consent of other organisations to investigate their procedures.

The Ministry of Justice (MoJ) consulted on plans to extend the ICO's compulsory audit powers to health bodies in March 2013. At the time it said it was convinced of the need to extend the powers after the ICO had provided evidence that showed that there are "significant compliance problems" within the NHS. The MoJ said that with the health sector facing changing practices through "modernisation", it was important to provide the ICO with the power to conduct compulsory data protection audits of the organisations to mitigate identified risks.

The MoJ's report said that the ICO's power to levy monetary penalties for data breaches is "an effective and important mechanism for ensuring data controllers take compliance seriously and take steps to prevent issues recurring". However, it added that it would also "clearly be ideal for risk areas to be identified and practices to be improved across an organisation long before such serious incidents occur".

Only now, though, has the ICO been handed the new powers.

"The ICO will be able to assess data protection by England’s NHS foundation trusts, GP surgeries, NHS Trusts and Community Healthcare Councils, and their equivalent bodies in Scotland, Wales and Northern Ireland under section 41A of the Data Protection Act," the ICO said in a statement. "The new legislation will not apply to any private companies providing services within public healthcare."

NHS organisations have been fined a total of £1.3 million by the ICO over serious Data Protection Act compliance failings, including the largest single fine the ICO has ever issued of £325,000 against Brighton and Sussex University Hospitals NHS Foundation Trust (BSUH).