NHS to face compulsory data protection audits by law

News
By Caroline Donnelly
published

The Information Commissioner's Office (ICO) now has the power to carry out compulsory data audits within NHS organisations

Doctor NHS

NHS organisations could now find themselves facing compulsory Data Protection Act audits from The Information Commissioner's Office (ICO), thanks to a recent change in the law.

The new legislation came into force on 1 February and allows the ICO to carry out compulsory data protection audits against NHS Trusts, GP surgeries and Community Healthcare Councils for the first time.

Private companies that provide services within the NHS will be exempt from taking part in compulsory audits.

The aim of the audits is to ascertain how NHS organisations handle patients' personal data, in terms of how it is secured, recorded, shared and how well trained staff are in protecting it.

Previously, the data protection watchdog only had the authority to carry out these types of data protection assessments on central government departments.

The NHS has traditionally had a hit and miss approach to data protection matters, with recent ICO figures revealing a massive spike in data breaches affecting the healthcare sector over the past 12 months.

Furthermore, the NHS was famously hit with a record data protection fine in 2012 totalling 325,000 after a Trust accidentally disclosed personal information belonging to thousands of staff and patients.

The data was found on hard drives sold via an internet auction site in 2010.

To date, the ICO has levied fines totalling 1.3 million against NHS organisations.

Christopher Graham, the Information Commissioner, said in a statement the NHS is one of the worst offenders for failing to keep personal data secured.

"The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern," Graham said. "Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn't good enough. "We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It's a reassuring step for patients," he added.

Caroline Donnelly
Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.