The Information Commissioner’s Office has the right to force NHS authorities to be audited for compliance with the Data Protection Act.
The change, in force from yesterday (1st February), was welcomed by the ICO; it gives the office the ability to subject public healthcare organisations to a compulsory audit, a power which previously applied only to central Government departments.
In August 2014, the ICO issued a £180,000 fine to the Ministry of Justice following the loss in May 2013 of an unencrypted back-up hard drive at HMP Erlestoke prison in Wiltshire, which contained sensitive and confidential information about 2,935 prisoners.
According to the ICO, the audits review how the NHS handles patients’ personal information and can review areas including security of data, records management, staff training and data sharing.
Information Commissioner Christopher Graham said: “The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern.
“Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough. We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step for patients.”
The ICO has issued fines totalling £1.3m to NHS organisations since the power to issue a monetary penalty was introduced in 2010. An ICO spokesperson told IT Security Guru that an audit is not an investigation, and instead it undertakes audits on a risk-based approach.
“We would undertake a compulsory audit where a risk assessment (which would take account of concerns raised by the public) indicates there may be a problem,” they said.
“We have committed to a participative approach so we would always ask an organisation for consent to an audit before we undertook a compulsory one. We will continue to work with NHS organisations who volunteer for audits.”
The ICO will be able to assess data protection by England’s NHS foundation trusts, GP surgeries, NHS Trusts and Community Healthcare Councils, and their equivalent bodies in Scotland, Wales and Northern Ireland under section 41A of the Data Protection Act. The new legislation will not apply to any private companies providing services within public healthcare.
Jon Baines, chair of the National Association of Data Protection Officers (NADPO), said in a blog that the reason for this policy change is clearly to encourage audited data controllers to be open and transparent with the ICO, and not be punished for such openness. He said: “GP practices will not receive an MPN for any contraventions of the DPA discovered during or as a result of a section 41A audit.”