NHS trusts handling personal data correctly but some flaws remain: ICO

Organisations providing secondary health care are largely handling personal information correctly, a report by the Information Commissioner’s Office has suggested.

Summarising the key findings from 19 audits principally of NHS trusts, the ICO said just one of the bodies was found to be at substantial risk of non-compliance with data protection laws. A further eight gave ‘limited assurance’, nine gave ‘reasonable assurance’ and one received the top rating of ‘high assurance’.

Surveys of staff at three of the audited bodies also found high awareness of data protection policies. The ICO found that 88% of staff had read and understood the policy in place within their organisation, and 94% had completed data protection training within the previous year.

The voluntary audits examined the organisation’s handling of personal data and how that fitted with NHS information governance guidelines.

The report, which can be viewed here, identified a number of areas for improvement, however. These included:

  • A lack in some cases of effective monitoring (through spot checks) of compliance with data protection procedures and policies.
  • A failure in some cases to use tracking software effectively and/or to conduct audits for missing files. “The physical security of records also varied, with concern raised particularly around unlocked trollies used for moving files.”
  • A lack of simple password controls, such as forcing regular password changes.
  • Some organisations “had little in the way of fire or flood protection in place for paper records”.

The ICO also expressed renewed concern at the use of fax machines for sending personal information, “given the human error associated with using a fax machine”.

The watchdog said it welcomed the encouragement of clinical commissioning groups to use pseudonymised and anonymised data, as part of a drive to reduce the use of identifiable patient information.

But it added that this development had in the short term “caused significant problems for the reformed NHS”.

Claire Chadwick, ICO Team Manager in the Good Practice team, said: “Information about a person’s health tends to be one of the most sensitive types of personal data, and it is clear it must be properly handled. Our experiences in these audits suggested that tended to be the case.”

Prior to the audits, the Information Commissioner and the Chief Executive of the NHS, Sir David Nicholson, sent a letter to chief executives and finance directors within the NHS.

A number of NHS bodies have been on the receiving end of substantial fines from the watchdog following a data breach.

The ICO’s data protection guidance for the health sector can be viewed here.