ICO given expanded health data audit powers

Neil Merrett Published 02 February 2015

Data regulator now able to undertake compulsory audits of UK healthcare bodies over their data protection and sharing policies


NHS authorities could find themselves facing compulsory audits of their ability to securely share and protect patient data under new powers given to the Information Commissioner's Office (ICO) to prevent potential breaches.

The data regulator said it was able to subject organisations including trusts, GP services and community healthcare councils to compulsory audits of their data protection initiatives as of February 1. These compulsory audit powers have previously been applied only to central government departments.

An ICO spokesperson said the extended powers granted under the law would allow it to audit how NHS organisations handle patient information, while reviewing policy around security, records management, staff training and data sharing plans. The powers may increase scrutiny on officials, including perhaps chief information officers (CIOs), responsible for data.

The ICO could not comment on the specific focuses it may undertake with its new powers, or where the onus may now lie for patient data management among healthcare bodies, but said it will carry out audits using a "risk-based approach".

A compulsory audit would therefore be undertaken where a risk assessment notes a potential problem - though any organisation will first be asked for consent, the ICO said. NHS organisations and equivalent bodies in Scotland, Wales and Northern Ireland could all face audits concerning how they comply with section 41A of the Data Protection Act (DPA).

Information commissioner Christopher Graham said that despite holding some of the "most sensitive personal information available", the NHS was failing to lead the way in looking after patient information, and was one of the worst performers.

"Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn't good enough," he said.

"We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It's a reassuring step for patients."

The new powers for the ICO come at a time when data management is a key issue for UK health authorities, which continue to back the need for record sharing projects - such as NHS England's delayed initiative - as a means to drive more efficient, integrated healthcare.

These schemes have proved controversial with pressure groups concerned over the confidentiality implications of sharing personal data concerning medical and mental health histories - with calls for all patients to opt in to having their details included, rather than presently allowing them to opt out.

With a formalised launch date for trials of NHS England's project at select GP practices yet to be announced, MedConfidential - described as a non-partisan patient organisation - has itself called for government to simplify the opt out process for those not wishing to share personal details other than when needed for direct care.

In a recently published proposal document, MedConfidential has backed establishing a single opt out option within the NHS Spine infrastructure that would allow patients to decline to provide individual-level data for any other purpose than their personal care and treatment.

Last month, National Data Guardian Dame Fiona Caldicott said it would be "reasonable" to proceed with selective trials of, but clarifications were first needed concerning 27 questions over privacy and the wider scope of the programme.
