From the start of February 2015, the Information Commissioner (ICO) has been given the power to subject public healthcare organisations to a compulsory audit. The ICO has welcomed a change in the law that will give his office the right to force NHS authorities to be audited for compliance with the Data Protection Act. These compulsory audits previously only applied to central government departments.
The audits review how the NHS handles patients’ personal information, and can review areas including security of data, records management, staff training and data sharing.
The ICO will be able to assess data protection by England’s NHS foundation trusts, GP surgeries, NHS Trusts and Community Healthcare Councils, and their equivalent bodies in Scotland, Wales and Northern Ireland under section 41A of the Data Protection Act. The new legislation will not apply to any private companies providing services within public healthcare.
Christopher Graham, the Information Commissioner, said: “The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern. Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough. We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step for patients.”
The ICO has issued fines totalling £1.3m to NHS organisations.