ICO sets out stall for compulsory audits in local government and NHS

There are significant and widespread data protection compliance concerns in the local government and NHS sectors and these justify the introduction of compulsory audit powers, the Information Commissioner has argued in a business case submitted to the Ministry of Justice.

Making the case for an extension of its assessment notice powers under s. 41A(2)(b) of the Data Protection Act 1998, the watchdog said compulsory audits were “an essential tool to identify and mitigate risks before serious problems occur”. It argued that simply relying on organisations agreeing to an audit was not sufficient.

The ICO said: “Data controllers in these sectors are managing huge quantities of complex and often sensitive personal data, they are often involved in wide scale data sharing initiatives and engaging multiple data processors. The nature of the personal data held by these organisations is such that a breach of the DPA often has particular potential to cause real distress and harm.”

The watchdog said that compliance problems were already evident and warned that the pressures on organisations in the two sectors were only likely to increase in the next few years. “The NHS in particular is entering a period of huge restructure which will involve responsibility for sensitive personal data shifting to completely new bodies,” the business case suggested.

The ICO pointed to the dismantling of Strategic Health Authorities and Primary Care Trusts to be replaced by Clinical Commissioning Boards. “Responsibility for public health initiatives (and in some cases treatment of individuals) is to be passed from the NHS to local authorities,” it added.

“Local government’s involvement with the third sector and outsourcing of services is set to continue. This reorganisation, huge transfers of personal data and potential confusion over responsibilities, has the potential to create more significant data protection risk.”

The ICO argued that these risks were likely to be particularly acute over the next few years, but added that the underlying problems were not short term issues. “The long term ability to conduct compulsory audits (subject to review every five years) would allow the Information Commissioner to intervene where there are significant concerns, see what is happening in practice and provide practical recommendations to mitigate identified risks,” it said.

The ICO argued that there was “a clear case to extend the power to serve an assessment notice to cover all the public, private or third sector organisations who deliver public funded health care services in the UK”.

It added that the definition of ‘local authority’ in the Code of Recommended Practice for Local Authorities on Data Transparency provided a logical basis for setting out the scope of the organisations in the sector that should be subject to the extended powers. “This includes a cut off for parish councils with an income of below £20k,” it said.

The watchdog said it was already investing significant time and effort in providing advice and guidance to those trying to comply. “The Information Commissioner can and does use the powers available to him to take action against organisations that breach the rules,” it added.

However, the ICO insisted that a power of compulsion was needed even if in practice this served mainly as an incentive to organisations to sign up to a consensual audit. Since 2007, the watchdog has conducted 18 consensual audits in the NHS and 15 in local government.

“The value of the audit process is clearly illustrated and the extension of the assessment notice power will provide a clear basis for the Information Commissioner to improve data protection compliance in these areas of significant risk,” the business case argued.

It also revealed that the Information Commissioner saw the extension of his powers as a backstop, “albeit a necessary one”.

According to the business case, the Information Commissioner expects it will be only rarely that he has to go as far as serving a formal assessment notice. “His experience with central government [where departments are already subject to compulsory audit powers] tells him that the existence of a compulsory audit power is a strong driver in persuading data controllers to sign up to a consensual audit.”

The ICO claimed that the success of having this power in practice had been “clearly illustrated by the fact that the Information Commissioner has not had to serve an assessment notice to date”. All of those central government data controllers currently covered which had been asked to agree a consensual audit had done so.

The business case reported that many consensual audits in the NHS and local government only came about because a problem had already occurred and the ICO was able to exert pressure on the organisation. But only 53% of NHS organisations referred by the watchdog’s enforcement team for an audit ultimately committed to an audit. Fewer than half (47%) of the local authorities contacted agreed to undergo the process.

The business case provided a range of data as evidence of compliance problems in local government and the NHS. It revealed that:

  • Local government generated more complaints of potential data protection breaches from individuals between 2007 and 2011, at 4,110, than any other sector. It was followed by general business (3,702) and health (3,701)
  • Some 1,589 complaints were upheld against local government and 1,237 against the health sector. The most common basis for upheld complaints was a failure to comply with an individual’s right of access to their information. This was followed by breaches of security and inappropriate/unauthorised disclosures of data
  • Private businesses have self-reported 620 breaches since 2007. The NHS had reported 552 cases and local government notified 381 cases
  • The majority of problems reported directly to the ICO related to security issues such as loss or theft of personal data. “The range of concerns identified indicates procedural and human failures across a range of areas”
  • It is especially difficult to assess the security of manual data without an audit. In the NHS this issue was often graded by the ICO as a significant risk. “Specific problems included lockable storage not being used, patient records left in reception trays openly accessible and insecure confidential waste bins”
  • Other issues in the NHS included unencrypted mobile media holding sensitive personal data, weaknesses in training, lack of monitoring of compliance and lack of practical application of records management policies
  • Recurring issues in local government identified by audits included a lack of records regarding data sharing, a failure to encrypt laptops and mobile media, poor weeding or destruction of records, inadequate systems in place for the monitoring of subject access requests. Site visits by the ICO also often revealed that adherence to policies was not being monitored.

The ICO’s business case gave a number of examples of specific breaches reported by local government and the NHS over the last six months. They included: the personal data of 1,822 staff being accidentally shared via e-mail to a clinical reference group; documents including clinical information relating to 147 patients being found on the ground outside a hospital; three faxes for individual patients containing sensitive personal data being sent on three different dates to the wrong person; and a spreadsheet containing personal details of 200 housing waiting list customers being emailed in error to just over 150 recipients.

Examples were also provided of recent undertakings given by bodies in the two sectors, as well as the monetary penalties levied so far on local authorities.

The business case revealed that the private sector and other parts of the public sector will not be subject to compulsory audit powers at this stage – despite the ICO acknowledging that they controlled huge volumes of personal data and there was evidence that significant compliance problems existed in those areas.

“Going forward, where the evidence supports the case, the Information Commissioner will recommend the extension of the assessment power in other areas,” the business case said.

“He is already collecting evidence and developing a case to support an extension to some categories of data controllers in the private sector. In the meantime he will continue identifying problem areas, promoting the benefits of consensual audits and monitoring take up across the public and private sector.”

Speaking at a data protection conference in London in October, the Information Commissioner Christopher Graham revealed that businesses were the sector currently generating the most data protection complaints. However, less than one in five companies contacted by the watchdog accepted an offer of undergoing an audit.

Graham said the ICO had written to 29 banks and building societies, but only six had agreed to an audit. Just two out of 19 insurance companies had accepted a similar offer from the watchdog.

An assessment notice served by the ICO under s. 41A(2)(b) can require a data controller to take a range of steps. These include: permitting the Information Commissioner to enter any specified premises; directing the Information Commissioner to any documents on the premises that are of a specified description; permitting the Information Commissioner to inspect or examine documents, information, equipment or material; permitting the Information Commissioner to observe the processing of any personal data; and making specified people available for interview.

The ICO said it was confident it would resource the additional audit activity, thanks to the introduction of the higher tier fee for notification.

A copy of the ICO’s business case can be downloaded here.

Philip Hoult