Health sector data protection audits

The Information Commissioner’s Office (ICO) has recently reported on its key findings from 19 audits carried out in the health sector between August 2012 and January 2014. 

The 19 organisations which were audited (which are not named in the report, but include NHS Trusts, health boards, health and social care trusts and companies providing health services) agreed to work with the ICO on a voluntary basis in order to assess their compliance with the Data Protection Act 1998 (DPA) and NHS information governance guidelines and to identify any areas requiring improvement. 

Organisations in the health sector handle and store some of the most sensitive personal data, for example, information about patients’ physical and/or mental health. As data controllers under the DPA, they are legally obliged to comply with the eight data protection principles set out in the DPA in respect of their ‘processing’ of such personal data. Amongst other things, this includes an obligation to take appropriate technical and organisational measures against unauthorised or unlawful processing of, and accidental loss of or damage to, such personal data (Principle 7).

Overall, the ICO found that there was some scope for improvement in existing practices in nine out of the 19 organisations and considerable scope for improvement in eight of the organisations. Only one of the audits suggested a substantial risk of non-compliance with the law.

Areas for improvement

The ICO’s report highlights the following areas for improvement:

  • Data protection policies and training

All of the organisations had data protection policies and procedures in place and, generally, their staff had a good awareness of them. However, it was noted that compliance with the policies was not always effectively monitored, for example through the use of spot checks.

  • Security of paper health records

All of the organisations had a system in place to track paper health records, although some did not conduct audits for missing files. Concern was raised about the physical security of files in some organisations and, in particular, the use of unlocked trolleys for moving files. It was also noted that some organisations had little in the way of fire or flood protection in place for paper records.

  • Security of electronic records and devices

Concern was also raised about the lack of effective asset management for IT hardware and software in some organisations. Without an accurate asset register, an organisation may not know what devices are in circulation and therefore may not become aware when one is lost or stolen. In addition, it was noted that there was generally a lack of simple password controls, notably the enforcement of regular password changes.

There was also concern about the use of fax machines for sending personal information, given the scope for human error (such as a misdialled number sending a document to the wrong recipient) associated with using a fax machine.


Although the audits give reasonable assurance that data protection law is largely being complied with in the health sector, the areas highlighted for improvement should not be unexpected, given that they have also been the subject of recent complaints made to the ICO.

Three recent cases, in particular, highlight the risk to the security of sensitive personal data where an organisation fails to put in place appropriate systems to protect and track records (particularly where records are taken off site), fails to educate its staff in its data protection policies and procedures or, importantly, fails to check that those policies and procedures are actually being put into practice.

  1. Barking, Havering and Redbridge University Hospitals NHS Trust

In March 2014, the ICO issued an undertaking to Barking, Havering and Redbridge University Hospitals NHS Trust after it was found to have breached Principle 7 of the DPA when faxes containing personal information were accidentally sent to a member of the public. Although the Trust had guidance and mandatory data protection training in place for staff, the ICO found that less than 40% of staff had actually received it. The Trust signed an undertaking to improve its data protection practices, including a commitment to ensure that staff attend the training provided and to keep a record of those who have been trained and those who still need to attend.

  2. Neath Care

Also in March 2014, the ICO issued Neath Care (a Welsh home care provider) with an undertaking after an employee left the files of 10 vulnerable and elderly people (containing sensitive personal information relating to their health) on a street. The ICO found that the provider had breached the DPA by failing to provide its staff with guidance explaining how sensitive personal information should be handled and kept secure when taken outside the office. In addition, Neath Care had failed to put in place a basic record monitoring system, which meant that it only became aware that the papers were missing when the matter was reported to it by a member of the public.

  3. Cardiff and Vale University Health Board

In October 2013, the ICO issued Cardiff and Vale University Health Board with an undertaking following a breach of the DPA which occurred when an employee lost his bag on his way home from work. The lost bag contained sensitive personal data, including a Mental Health Act tribunal report relating to a patient, a solicitor’s letter and five CVs submitted for job applications. The ICO found that alternative means of transporting the data were available (such as the use of an encrypted portable device) or, alternatively, that the data could have been accessed remotely through a secure network, but this had not been clearly communicated to staff and the staff member involved had not received training at the time of the incident.


Information about a person’s health is one of the most sensitive types of personal data, and patients have the right to expect that such information will be kept confidential and secure. Although the audits give reasonable assurance that data protection law is being complied with in health sector organisations, they also identified room for improvement in some areas.

Organisations in the health sector would be wise to use this as an opportunity to review their existing practices and procedures and make improvements where necessary to ensure that they are handling personal data properly, as a breach could have serious consequences. In the cases discussed above, the ICO issued undertakings committing the organisations in question to improve their compliance with the DPA. However, it should be noted that the ICO has wider enforcement powers, including criminal sanctions and/or monetary penalties of up to £500,000. In addition, a breach could result in serious reputational damage and/or the possibility of a patient suing for compensation.