The Ministry of Justice has launched a consultation proposing to make NHS organisations subject to compulsory data protection audits by the Government's watchdog, the Information Commissioner's Office (ICO).
The consultation comes as no surprise following the ICO's business case in December 2011 outlining why such powers are needed. Several subsequent high-profile data security breaches in the NHS have also heightened the issue, as discussed in our earlier alert on data protection compliance in the public sector.
Currently, the ICO only has compulsory audit powers over central government departments under the Data Protection Act (Act), but must obtain consent from other organisations (public or private) before it can investigate their procedures. Although the ICO already has a range of other powers to sanction organisations found in breach of the Act, including imposing undertakings and financial penalties, "the ability to serve an assessment notice provides the opportunity to identify and mitigate risks before a breach occurs".
The timing of the consultation is telling given that, "the NHS in particular is entering a period of huge restructure which will involve responsibility for sensitive personal data shifting to completely new bodies". The fact that the consultation period overlaps the abolition of Strategic Health Authorities and Primary Care Trusts and the emergence of Clinical Commissioning Groups makes it even more pertinent. The Government clearly wants to act now "... for risk areas to be identified and practices to be improved..." to help prevent further data protection breaches by the NHS as restructuring takes place.
While some consensual audits between the ICO and NHS organisations have taken place, only 53% of those NHS organisations referred for audit by the ICO's enforcement team have committed to an audit. This compares to 71% across the public sector as a whole.
Therefore, the current position of "...simply relying on organisations agreeing to an audit is not sufficient. A power of compulsion is needed even if in practice this serves mainly as an incentive to organisations to sign up to consensual audit". The ICO has not, to date, had to serve an assessment notice, as all central government bodies covered by the existing compulsory audit powers have agreed to an audit. They have done so knowing they are simply prolonging the inevitable if the ICO were to serve an assessment notice.
Having the teeth to exercise such powers will mean that all NHS organisations will have nowhere to hide, "particularly those who know their processes and controls are insufficient".
NHS bodies across the UK together with Monitor and the Care Quality Commission are being asked to respond to just one question by 17 May 2013:
"Do you agree that the Information Commissioner should be given powers under the Data Protection Act 1998 to carry out non-consensual assessments of data of NHS bodies for compliance with the Act?"
The responses received may shape the extent of any compulsory audit powers granted, but it seems likely that the ICO's desire to have such powers will be granted in some form.
It is therefore imperative that NHS bodies review and update what measures are, or are not, in place to protect sensitive personal data. The action points outlined in our earlier alert offer organisations practical guidance on how to effectively protect personal data and avoid fines.
Good data security by the NHS and the restoring and building of patient and public confidence in NHS data is fundamental to service redesign, R&D, improved analytics, the deployment of 'connected health' and the development of integrated care. So, getting information governance and data security right is much more important than simply avoiding fines.