ICO now able to apply compulsory audit powers in the healthcare sector

As from the start of this month the Information Commissioner’s Office’s (the ICO) powers to conduct compulsory audits of data protection compliance have been extended to include the UK National Health Service (NHS).

Under section 41A (Assessment Notices) of the Data Protection Act 1998 (the DPA), the ICO has the power to conduct compulsory data protection compliance audits of central government departments. Following the statutory instrument introducing the extension, NHS bodies are now covered, but private providers of healthcare within NHS bodies are not. The range of bodies that the extension covers is wide and in England includes NHS foundation trusts, GPs’ surgeries, and, NHS trusts and community healthcare councils. The equivalent organisations in Scotland, Wales and Northern Ireland are also covered.

An audit will focus on how the NHS handles the personal information of patients and may include in its scope data security, data-sharing, records management, and staff training – the ICO has been particularly critical of the “insufficient training” provided by the NHS. Although significant non-compliance found in an audit can lead to an enforcement notice being issued which requires corrective action, an audit does not necessarily mean enforcement will follow, and in fact under section 55A(3A) of the DPA the ICO’s power to issue a financial penalty notice for a serious data breach is expressly excluded for data protection breaches identified in an audit (whether compulsory or voluntary).

A key result of an audit is therefore likely to be preventative action – according to the ICO “Data breaches by the NHS are a major cause for concern – this [new power] will give us a chance to act before a breach happens”. In the long-term, with this in mind, it is anticipated that audits will come thick and fast, especially as the health service has in recent years been subject to several ICO investigations – the ICO Commissioner has called the NHS “one of the worst performers” and the ICO has imposed fines on the NHS totalling £1.3 million to date. In the immediate future, not only with NHS data management issues being at the forefront, especially concerning data-sharing and the “care.data” scheme (under which patient records and data would be uploaded by GPs to a central system from where they can be shared across the NHS), but also with the NHS very much in the general election spotlight healthcare professionals can expect even greater scrutiny.

You can find out more details of Cordery’s work in healthcare here and our data protection practice here. We have considerable experience of training healthcare providers in data protection issues – there are details of that here.

 

André Bywater is a commercial lawyer with Cordery in London where he focuses on regulatory compliance, processes and investigations.