The Information Commissioner has asked for powers to carry out compulsory assessments of NHS bodies' compliance with the Data Protection Act 1998 (DPA).
As explained in the Consultation Paper, "Assessment Notices under the DPA 1998 - Extension of the Information Commissioner's Powers", the DPA currently grants the Information Commissioner the power to serve an assessment notice on an NHS organisation. This can require the relevant body to, for example, permit the Information Commissioner to inspect or examine any documents, information, equipment or material as necessary to enable him to determine whether the body has complied or is complying with the data protection principles.
Whilst the current provisions under the DPA provide the opportunity to mitigate risks before a breach occurs, they will more often be used when a breach has already been identified. Weaknesses within the relevant organisation' processes/procedures will be identified and advice provided to resolve problems.
The consultation paper suggests most audits that have already been conducted in the NHS have come about as referrals from the Information Commissioner’s enforcement team and where a serious data protection problem has occurred and been exposed. Even when such a problem has arisen, organisations can still be reluctant to agree to an audit. Of the NHS organisations referred for audit by enforcement, only 53 per cent (at the time the consultation opened) ultimately committed to an audit.
Why the NHS?
The NHS is one of the largest data controllers in the UK, processing a huge amount of sensitive personal data on a daily basis. In view of the nature and sensitivity of the personal data held by NHS organisations, any breach of the DPA has particular potential to cause real distress and harm. To maintain public confidence in the NHS, data losses and other breaches of the DPA must be avoided.
The Information Commissioner considers the public would reasonably expect all providers of NHS services to be subject to compulsory audit. Arguably compulsory audits and a proactive approach to investigating potential concerns may prevent serious breaches of the DPA. There have been several high profile examples of breaches recently, as highlighted in the consultation paper. There are also concerns that in view of the current restructuring of the NHS, responsibility for such sensitive personal data will shift to completely new bodies, thus generating an increased risk of breaches of the DPA.
An immediate concern is whether the proposed reforms will create a further administrative burden on the NHS and how this will be resourced.
The consultation paper makes the following points in this regard:
- The proposed changes impose no new obligations on NHS bodies themselves.
- It is intended that a memorandum of understanding will be prepared to avoid duplication of any burden on the NHS.
- The Information Commissioner’s Good Practice team is already set up to carry out this work, with suitably qualified staff in place.
- The Information Commissioner recognises the pressures of individual organisations. The audit process is designed to have as limited as possible an impact on the day to day operations of the data controller.
There are clear benefits to a move to compulsory assessments. A proactive rather than reactive approach to data protection breaches is to be welcomed. However, we wait to see details of the extent of the additional burden on the NHS when draft legislation is prepared. We will be keeping a close eye on developments.
The Ministry of Justice consultation closed on 17 May 2013.