The Government believes that there is a compelling case for extending the Information Commissioner's powers of compulsory audit of NHS bodies. It is the Government's view that this will encourage NHS bodies to improve their compliance with the data protection framework, incentivise NHS data controllers to sign up to consensual audits and improve public confidence in the protection of sensitive personal data by NHS bodies.
In this article we cover:
In 2011 the Information Commissioner recommended to the Ministry of Justice that its powers should be extended so that it could carry out compulsory assessments of the NHS's compliance with the data protection principles. The ICO based its recommendations on the following factors:
In March 2013 the Ministry of Justice published a consultation paper "Assessment Notices under the Data Protection Act 1998, Extension of the Information Commissioner’s Powers" which invited comments on whether the ICO should have the power to serve any NHS body with an assessment notice to establish whether the NHS body was complying with the DPA.
On 15 July 2014 the Ministry of Justice published the response to this consultation. The majority of responses supported compulsory audits of NHS bodies' compliance with the DPA. This was because:
Those responses that were not in support gave the following reasons:
The proposed power of compulsory DPA audit of NHS bodies is intended to allow the ICO to review their processes, policies and procedures to ensure compliance with the data protection principles. The proposed power is not intended to be used for the investigation of individual breaches of the DPA.
In response to a request from the ICO, the power would require NHS bodies to allow the ICO to enter their premises; direct the ICO to documents of a specified description; assist the ICO to view information using equipment on the premises; and permit the ICO to observe the processing of any personal data which takes place on the premises.
The response also included some questions and answers which responded to the main concerns raised and gave the following guidance on how the proposed system would operate:
When introduced, the ICO's new power of compulsory audit will apply to a range of NHS bodies such as Foundation Trusts, GP Practices, Clinical Commissioning Groups and also the Health and Social Care Information Centre. It will not include private and third party sector companies providing NHS services such as pharmacies, opticians and dentists although this will be kept under review. It is intended that legislation introducing the ICO's new power will come into force by the end of this year and will be reviewed within 5 years.
NHS organisations will wish to ensure that their data protection policies and practices are robust, in preparation for the introduction of compulsory audits. In recent years a number of health bodies have been subject to enforcement action by the ICO. Only two weeks ago the ICO found Betsi Cadwaladr University Health Board in breach of the DPA after sensitive information was sent to the wrong address. An ICO investigation found that the employee responsible for the mistake had not received any form of data protection training. Compulsory audits may result in an increasing number of data breaches being unearthed.
Bevan Brittan has a dedicated information law team who can advise and assist in dealing with all aspects of the Data Protection Act.
We can assist you with: