The ICO has welcomed a change in legislation which came into effect on 1 February 2015 enabling it to audit National Health Service (NHS) bodies to check for compliance with the UK Data Protection Act 1998. The ICO now has the authority to assess the compliance of a number of bodies within the NHS, including NHS foundation trusts, GP surgeries, NHS Trusts, and Community Healthcare Councils. According to the ICO, the remit of the ICO’s new powers will not extend to private companies providing services within public healthcare.
Whilst the ICO has the power to fine organizations that breach data protection laws, its objective has over time become more proactive than reactive: encouraging organizations to solve the problem before a breach occurs is the ICO’s end goal.
Previously, the ICO could impose audits only on government departments, and only public authorities, ISPs, and telecommunication companies have been under a legal duty to notify breaches. Now the ICO will be able to audit and review how the NHS handles patients’ personal information, and can review related areas including security of data, records management, staff training, and data sharing.
There is no doubt that the NHS holds some of the most sensitive personal information available, and in recent times it has been under scrutiny in relation to the way in which it safeguards the security of that information. Issues with procedures and training have contributed to a number of data security breaches, including, for example, the theft of a laptop from an unlocked store room at the headquarters of NHS Central London’s strategic health authority in 2011, which contained details of 8.3 million patients.
The ICO first issued a financial penalty to the NHS of £70,000 in 2012 after personal information was sent to the wrong patient. Since then, the ICO has issued fines totaling £1.3m to organizations within the NHS.