Information Commissioner wins right to force NHS bodies to submit to audits

The Information Commissioner is now able to force NHS bodies to submit to an audit of their compliance with the Data Protection Act, following a change in the law at the beginning of the month.

Until now, compulsory audits could only be imposed on central government departments.

From 1 February, the ICO can require an audit at NHS foundation trusts, GP surgeries, NHS Trusts and Community Healthcare Councils, and their equivalent bodies in Scotland, Wales and Northern Ireland under section 41A of the Data Protection Act.

The new legislation does not apply, however, to any private companies providing services within public healthcare.

Christopher Graham, the Information Commissioner, said: “The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern.

“Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough. 

“We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step for patients.”

The ICO has levied some of its highest monetary penalties on NHS bodies, totalling £1.3m.

These penalties have included £200,000 on NHS Surrey in July 2013, £175,000 on Torbay Care Trust in August 2012 and £325,000 on Brighton and Sussex University Hospitals Trust in July 2012.