On 15th July 2014, the Ministry of Justice announced that the Information Commissioner’s Office (“ICO”) is to be given new powers by the end of the year to carry out compulsory data protection audits of public NHS bodies.
The ICO can already carry out consensual audits of NHS bodies, but has long argued that simply relying on organisations to agree to an audit is not sufficient to address the significant compliance problems within the NHS.
At present, even after the ICO has initiated a compulsory audit by serving “an assessment notice”, data controllers can still agree to a consensual audit. According to the Ministry of Justice, no assessment notices have yet been served because all those who fall within the scope of the existing compulsory audit powers have agreed to an audit when asked to do so by the ICO. This means that the mere existence of the power of compulsory audit has been enough to secure compliance.
This is also the way in which the ICO envisages using the new powers when introduced. Compulsory audits will only be carried out when a data controller has failed to respond to a request for a consensual audit or has refused consent without adequate reason. In addition, NHS bodies will be audited by the ICO when identified on a risk assessment basis.
What is the aim of compulsory audits?
Compulsory audit of NHS bodies is intended to allow the ICO to review their processes, policies and procedures to ensure compliance with the data protection principles. The proposed power is not intended to be used for the investigation of individual breaches of the DPA.
What will it mean for NHS bodies?
The power would require NHS bodies to allow the ICO to enter their premises, direct the ICO to documents of a specified description, assist the ICO to view information using equipment on the premises and permit the ICO to observe the processing of any personal data which takes place on the premises.
The ICO has said that visits would not be unannounced and that it would conduct as much of the audit as possible off site, so that time on site would be limited to a maximum of three days.
The ICO would try to conduct a consensual audit in the first instance.
More work for NHS bodies?
The ICO has responded to concerns that compulsory audits would place additional burdens on an already heavily regulated sector by stating that it is working closely with the Health and Social Care Information Centre in the development of the IG Toolkit to ensure that there is minimal duplication. The ICO has also stated that it is aware of the CQC Essential Standards and will continue to review its own procedures to ensure that they are consistent.
Who will the new power apply to?
The new power, when it is introduced, will extend to all those NHS bodies that are currently subject to the freedom of information legislation: namely, public sector providers of NHS services such as NHS Foundation Trusts, GP practices, Clinical Commissioning Groups and the Health and Social Care Information Centre. It will not initially extend to cover private and third sector providers of NHS services, although this will be kept under review.
It is hard to see why private and third sector providers should be treated differently, when they operate in the same market, handle sensitive personal data that has the potential to cause real damage and harm if not processed in accordance with the DPA, and are also already required to comply with the DPA.
The new power - a good thing?
The new power seems to be a new tool in the ICO’s toolkit to encourage NHS bodies to ensure that their processes, policies and procedures comply with the data protection principles, rather than a means of unearthing and enforcing breaches of the DPA. As a backstop for encouraging NHS bodies to get their DPA house in order, this must be a good thing. But surely it is a good thing that should apply to all providers of NHS services, not just NHS bodies.
The Ministry of Justice consultation outcome: Extension of the Information Commissioner’s powers under the Data Protection Act 1998