NHS to face compulsory data protection audits by law
The Information Commissioner's Office (ICO) now has the power to carry out compulsory data audits within NHS organisations
NHS organisations could now find themselves facing compulsory Data Protection Act audits from The Information Commissioner's Office (ICO), thanks to a recent change in the law.
The new legislation came into force on 1 February and allows the ICO to carry out compulsory data protection audits against NHS Trusts, GP surgeries and Community Healthcare Councils for the first time.
Private companies that provide services within the NHS will be exempt from taking part in compulsory audits.
The aim of the audits is to ascertain how NHS organisations handle patients' personal data, in terms of how it is secured, recorded, shared and how well trained staff are in protecting it.
Previously, the data protection watchdog only had the authority to carry out these types of data protection assessments on central government departments.
The NHS has traditionally had a hit and miss approach to data protection matters, with recent ICO figures revealing a massive spike in data breaches affecting the healthcare sector over the past 12 months.
Furthermore, the NHS was famously hit with a record data protection fine in 2012 totalling 325,000 after a Trust accidentally disclosed personal information belonging to thousands of staff and patients.
The data was found on hard drives sold via an internet auction site in 2010.
To date, the ICO has levied fines totalling 1.3 million against NHS organisations.
Christopher Graham, the Information Commissioner, said in a statement the NHS is one of the worst offenders for failing to keep personal data secured.
"The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern," Graham said. "Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn't good enough. "We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It's a reassuring step for patients," he added.
Navigating the new normal: A fast guide to remote working
A smooth transition will support operations for years to comeDownload now
Leading the data race
The trends driving the future of data scienceDownload now
How to create 1:1 customer experiences at scale
Meet the technology capable of delivering the personalisation your customers craveDownload now
How to achieve daily SAP releases
Accelerate the pace of SAP change to support your digital strategyDownload now