From 1 February 2015, the ICO will be able to subject public healthcare organisations to compulsory audits of their data protection compliance under section 41A of the Data Protection Act 1998.
Until now, these compulsory audits have applied only to central government departments. Under the Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014, the Secretary of State has extended the ICO's compulsory audit rights to a wide group of NHS bodies in England, Scotland, Wales and Northern Ireland. This will allow the ICO to examine how the NHS handles patients' personal information, covering healthcare organisations' data security measures, records management, staff training, data sharing policies and procedures, and internal privacy-related governance.
The new audit right does not extend to private bodies providing healthcare within public bodies. For the full list of the organisations that are caught, please see here.
The Information Commissioner has welcomed the change, which follows years of lobbying by the ICO in response to the high level of serious non-compliance in the sector. Christopher Graham, the Information Commissioner, said:
“The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern.
“Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough.
“We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step for patients.”
As the ICO has been pressing for these powers for some time, we expect it to exercise them soon. NHS organisations should prepare themselves for greater scrutiny from now on.