The Government believes that there is a compelling case for extending the Information Commissioner's powers of compulsory audit to NHS bodies. In the Government's view this will encourage NHS bodies to improve their compliance with the data protection framework, incentivise NHS data controllers to agree to consensual audits and improve public confidence in the protection of sensitive personal data by NHS bodies.

In this article we cover:

 Why does the ICO want to carry out compulsory audits of the NHS?
 What was the response to the consultation?
 What is the purpose of the proposed power?
 Which organisations will the power apply to and what is the timeframe?
 How can we help?

Why does the ICO want to carry out compulsory audits of the NHS?

In 2011 the Information Commissioner recommended to the Ministry of Justice that the Commissioner's powers should be extended to allow compulsory assessments of NHS bodies' compliance with the data protection principles. The ICO based its recommendation on the following factors:

  • The health sector processes large amounts of sensitive personal data;
  • The ICO receives a high number of complaints and self-reported breaches of the DPA by NHS bodies;
  • The ICO’s Good Practice team have identified many examples of significant risks to individuals’ personal data in its consensual audits of the NHS; and
  • The acceptance rate for consensual audits among NHS bodies (53%) is significantly below the average across the public sector as a whole (71%).

In March 2013 the Ministry of Justice published a consultation paper "Assessment Notices under the Data Protection Act 1998, Extension of the Information Commissioner’s Powers" which invited comments on whether the ICO should have the power to serve any NHS body with an assessment notice to establish whether the NHS body was complying with the DPA.

What was the response to the consultation?

On 15 July 2014 the Ministry of Justice published the response to this consultation. The majority of responses supported compulsory audits of NHS bodies' compliance with the DPA. This was because:

  • Powers of compulsory audit would lead to an increase in the uptake of consensual audits by NHS bodies. This would enable the ICO to work with NHS bodies to identify risk and to endeavour to prevent serious incidents happening.
  • Respondents recognised that the ICO aimed to establish a participative approach, encouraging consensual audits where possible, and viewed the power to serve an assessment notice as a necessary tool in support of that approach.

Those who did not support the proposal argued that:

  • Powers of compulsory audit would place additional burdens on an already heavily regulated sector.
  • An increasing share of NHS services was being delivered by private sector organisations, and action should also be taken to raise breach reporting levels amongst those organisations.

What is the purpose of the proposed power?

The proposed power of compulsory DPA audit of NHS bodies is intended to allow the ICO to review their processes, policies and procedures to ensure compliance with the data protection principles. The proposed power is not intended to be used for the investigation of individual breaches of the DPA.

Once served with an assessment notice, an NHS body would be required to allow the ICO to enter its premises; direct the ICO to documents of a specified description; assist the ICO in viewing information using equipment on the premises; and permit the ICO to observe the processing of any personal data which takes place on the premises.

The response also included a set of questions and answers addressing the main concerns raised, which gave the following guidance on how the proposed system would operate:

  • NHS bodies would be selected for audit by the ICO on a risk-assessed basis.
  • The scope of a proposed audit consists of five areas. Usually the ICO would agree three of these areas for assessment with the data controller. However, the ICO would also take into account any other relevant information, for example information relating to complaints.
  • Visits would not be unannounced and compulsory audits would only be conducted when a data controller had not responded to a request for a consensual audit or had refused consent without adequate reason. The ICO would conduct as much of the audit as possible off site in order that time on site would be limited to a maximum of three days.
  • The ICO would try to conduct a consensual audit in the first instance.
  • The ICO is working closely with the Health and Social Care Information Centre in the development of the IG Toolkit to ensure that there is minimal duplication. It will still be a requirement to complete the IG Toolkit.
  • The ICO has recently accepted a place as an observer on the CQC National Information Governance Committee and will continue to review its processes in light of engagement with all interested stakeholders.
  • The ICO has its own control framework and its auditors are familiar with the IG Toolkit. The ICO is also aware of the CQC Essential Standards and will continue to review its procedures to ensure they are consistent with them.
  • There will be an overall assurance rating of compliance with DPA which is detailed in the Assessment Notices Code of Practice.

Which organisations will the power apply to and what is the timeframe?

When introduced, the ICO's new power of compulsory audit will apply to a range of NHS bodies such as Foundation Trusts, GP Practices, Clinical Commissioning Groups and also the Health and Social Care Information Centre. It will not include private and third party sector companies providing NHS services such as pharmacies, opticians and dentists although this will be kept under review. It is intended that legislation introducing the ICO's new power will come into force by the end of this year and will be reviewed within 5 years.

How can we help?

NHS organisations will wish to ensure that their data protection policies and practices are robust in preparation for the introduction of compulsory audits. In recent years a number of health bodies have been subject to enforcement action by the ICO. Only two weeks ago the ICO found Betsi Cadwaladr University Health Board in breach of the DPA after sensitive information was sent to the wrong address; the ICO's investigation found that the employee responsible for the mistake had not received any form of data protection training. Compulsory audits may result in an increasing number of data breaches being unearthed.

Bevan Brittan has a dedicated information law team who can advise and assist in dealing with all aspects of the Data Protection Act.

We can assist you with:

  • drafting or reviewing policies
  • advice in relation to processes ensuring appropriate systems and safeguards are in place
  • training staff
  • dealing with data breaches, including reputation management issues.