Data protection, compulsory audit and the NHS

Mandatory ICO data protection audits are likely to be introduced for the NHS by the end of the year. Claire Bentley, Emma Godding and Jane Bennett look at the background and the key issues.

The Government believes that there is a compelling case for extending the Information Commissioner's powers of compulsory audit of NHS bodies. It is the Government's view that this will encourage NHS bodies to improve their compliance with the data protection framework, incentivise NHS data controllers to sign up to consensual audits and improve public confidence in regards to the protection of sensitive personal data by NHS bodies.

Why does the ICO want to carry out compulsory audits of the NHS?

In 2011 the Information Commissioner recommended to the Ministry of Justice that its powers should be extended to carry out compulsory assessments of the compliance with data protection principles by the NHS. The ICO based its recommendations on the following factors:

  • The health sector processes large amounts of sensitive personal data;
  • The ICO receives a high number of complaints and self-reported breaches of the DPA by NHS bodies;
  • The ICO’s Good Practice team have identified many examples of significant risks to individuals’ personal data in its consensual audits of the NHS; and
  • The number of consensual audits of NHS bodies (53%) is significantly below the average across the public sector as a whole (71%).

In March 2013 the Ministry of Justice published a consultation paper Assessment Notices under the Data Protection Act 1998, Extension of the Information Commissioner’s Powers which invited comments on whether the ICO should have the power to serve any NHS body with an assessment notice to establish whether the NHS body was complying with the DPA.

What was the response to the consultation?

On 15 July 2014 the Ministry of Justice published the response to this consultation. The majority of responses supported compulsory audits of NHS bodies' compliance with the DPA. This was because:

  • Powers of compulsory audit would lead to an increase in the uptake of consensual audits by NHS bodies. This would enable the ICO to work with NHS bodies to identify risk and to endeavour to prevent serious incidents happening.
  • Respondents recognised that the ICO aimed to establish a participative approach, encouraging consensual audits where possible, and viewed the power to serve an assessment notice as a necessary tool.

Those responses not in support were because:

  • Powers of compulsory audit would place additional burdens on an already heavily regulated sector.
  • Respondents also highlighted that an increased number of NHS services were being delivered by private sector organisations and believed that action should be taken to raise reporting levels amongst private sector organisations.

Purpose of the proposed power

The proposed power of compulsory DPA audit of NHS bodies is intended to allow the ICO to review their processes, policies and procedures to ensure compliance with the data protection principles. The proposed power is not intended to be used for the investigation of individual breaches of the DPA.

In response to a request from the ICO, the power would require NHS bodies to allow the ICO to enter their premises; direct the ICO to documents of a specified description; assist the ICO to view information using equipment on the premises; and permit the ICO to observe the processing of any personal data which takes place on the premises.

Guidance

The response also included some questions and answers which responded to the main concerns raised and gave the following guidance on how the proposed system would operate:

  • An NHS body would be audited by the ICO when identified on a risk assessment basis.
  • The scope of a proposed audit consists of five areas. Usually the ICO would agree three areas for assessment with the data controller. However the ICO would also take into account any other relevant information, for example information relating to complaints.
  • Visits would not be unannounced and compulsory audits would only be conducted when a data controller had not responded to a request for a consensual audit or had refused consent without adequate reason. The ICO would conduct as much of the audit as possible off site in order that time on site would be limited to a maximum of three days.
  • The ICO would try to conduct a consensual audit in the first instance.
  • The ICO is working closely with the Health and Social Care Information Centre in the development of the IG Toolkit to ensure that there is minimal duplication. It will still be a requirement to complete the IG Toolkit.
  • The ICO has recently accepted a place as observer on the CQC National Information Governance Committee and will continue to review its processes in light of engagement with all interested stakeholders.
  • The ICO has its own control framework and its auditors are familiar with the IG Toolkit. The ICO is also aware of the CQC Essential Standards and will continue to review its procedures to ensure they are consistent.
  • There will be an overall assurance rating of compliance with DPA which is detailed in the Assessment Notices Code of Practice.

Which organisations will the power apply to and what is the timeframe?

When introduced, the ICO's new power of compulsory audit will apply to a range of NHS bodies such as Foundation Trusts, GP Practices, Clinical Commissioning Groups and also the Health and Social Care Information Centre. It will not include private and third party sector companies providing NHS services such as pharmacies, opticians and dentists although this will be kept under review. It is intended that legislation introducing the ICO's new power will come into force by the end of this year and will be reviewed within five years.

NHS organisations will no doubt be keen to ensure that their data protection policies and practices are robust, in preparation for the introduction of compulsory audits. In recent years a number of health bodies have been subject to enforcement action by the ICO. Only two weeks ago the ICO found Betsi Cadwaladr University Health Board in breach of the DPA after sensitive information was sent to the wrong address. An ICO investigation found that the employee responsible for the mistake had not received any form of data protection training. Compulsory audits may result in an increasing number of data breaches being unearthed.

Claire Bentley is an Associate – PSL, Emma Godding is an Associate – Information Lawyer and Jane Bennett is an Associate at Bevan Brittan. Claire can be contacted on 0870 194 1603.