The Government believes that there is a compelling case for extending the Information Commissioner's powers of compulsory audit of NHS bodies. It is the Government's view that this will encourage NHS bodies to improve their compliance with the data protection framework, incentivise NHS data controllers to sign up to consensual audits and improve public confidence in regards to the protection of sensitive personal data by NHS bodies.
In this article we cover:
Why does the ICO want to carry out compulsory audits of the NHS?
What was the response to the consultation?
What is the purpose of the proposed power?
Which organisations will the power apply to and what is the timeframe?
How can we help?
In 2011 the Information Commissioner recommended to the Ministry of Justice that the Commissioner's powers should be extended to allow compulsory assessments of NHS bodies' compliance with the data protection principles. The ICO based its recommendation on the following factors:
In March 2013 the Ministry of Justice published a consultation paper "Assessment Notices under the Data Protection Act 1998, Extension of the Information Commissioner’s Powers" which invited comments on whether the ICO should have the power to serve any NHS body with an assessment notice to establish whether the NHS body was complying with the DPA.
On 15 July 2014 the Ministry of Justice published the response to this consultation. The majority of responses supported compulsory audits of NHS bodies' compliance with the DPA. This was because:
The responses that did not support compulsory audits gave the following reasons:
The proposed power of compulsory DPA audit of NHS bodies is intended to allow the ICO to review their processes, policies and procedures to ensure compliance with the data protection principles. The proposed power is not intended to be used for the investigation of individual breaches of the DPA.
In response to a request from the ICO, the power would require NHS bodies to allow the ICO to enter their premises; direct the ICO to documents of a specified description; assist the ICO to view information using equipment on the premises; and permit the ICO to observe the processing of any personal data which takes place on the premises.
The response also included some questions and answers which responded to the main concerns raised and gave the following guidance on how the proposed system would operate:
When introduced, the ICO's new power of compulsory audit will apply to a range of NHS bodies such as Foundation Trusts, GP Practices, Clinical Commissioning Groups and also the Health and Social Care Information Centre. It will not include private and third party sector companies providing NHS services such as pharmacies, opticians and dentists although this will be kept under review. It is intended that legislation introducing the ICO's new power will come into force by the end of this year and will be reviewed within 5 years.
NHS organisations will wish to ensure that their data protection policies and practices are robust, in preparation for the introduction of compulsory audits. In recent years a number of health bodies have been subject to enforcement action by the ICO. Only two weeks ago the ICO found Betsi Cadwaladr University Health Board in breach of the DPA after sensitive information was sent to the wrong address. An ICO investigation found that the employee responsible for the mistake had not received any form of data protection training. Compulsory audits may result in an increasing number of data breaches being unearthed.
Bevan Brittan has a dedicated information law team who can advise and assist in dealing with all aspects of the Data Protection Act.
We can assist you with: