ICO to pursue data breach cases against successors to axed NHS bodies

The Information Commissioner’s Office will pursue existing data protection cases against those organisations that have taken on accountability and the legal liabilities of now disbanded health bodies.

The government’s reforms, through the Health and Social Care Act, have seen primary care trusts and strategic health authorities axed and new organisations such as clinical commissioning groups and NHS England set up.

Writing on the ICO’s blog, Dawn Monaghan, its Strategic Liaison Group Manager – Public Services, said the health sector continued to be a priority area for the watchdog.

The Information Commissioner has previously imposed fines of more than a million pounds in total against a number of NHS bodies for data protection breaches.

The organisations affected have included the Brighton and Sussex University Hospitals NHS Trust (£325,000), Belfast Health and Social Care Trust (£225,000) and Torbay Care Trust (£175,000).

Monaghan said: “We have numerous ongoing issues, complaints and investigations relating to bodies that are now disbanded.”

She argued that continuing to pursue those cases would ensure “lessons continue to be learned and failings are recognised”.

Monaghan also revealed that the ICO continued to have reservations about the sharing of data between health bodies.

“Too often the Data Protection Act is used as a barrier to sharing data when in reality, if used correctly, it can be an enabler to safe, appropriate and beneficial sharing,” she insisted.

“Ensuring organisations understand why, when and how to share remains a priority for us. We are confident that the upcoming report from the Information Governance Review will assist in facilitating and supporting our efforts in this area.”

The ICO’s Strategic Liaison Group Manager – Public Services also revealed that several GPs had recently contacted the watchdog concerned that they were being asked to supply information to the Health and Social Care Information Centre, via third party contractors.

“They have concerns that patients are not being told that their information will be shared in this way and that they will be in breach of the Data Protection Act by sharing their data,” she said.

On this issue, Monaghan said a data controller had a legal obligation to ensure that it was complying with the Data Protection Act when sharing personal information. She highlighted the ICO’s data sharing code of practice, which provided guidance on how this could be achieved.

“However, from the start of this week the Health and Social Care Information Centre has the power under s259 of the Health and Social Care Act ‘to require and request provision of information’,” Monaghan said.

“We are now working closely with the Health and Social Care Information Centre and others to determine whether this power relieves a data controller from their obligations under the Data Protection Act. Either way, the information must be sought from the data controller and not from a third party data processor, which does not have the right to provide the information without instruction from the controller.”

Monaghan said that many of the breaches leading to monetary penalties for NHS bodies had resulted in the loss of patient data, “the majority of which could have been avoided if adequate policies and procedures had been in place and properly implemented”.

She added: “This is why it is vital that we continue to help and support the organisations involved in the new NHS framework to make sure they are fit for purpose.

“For over a year, we have been working with key stakeholders such as the Department of Health and the National Information Governance Board to ensure new bodies, and those which have now been disbanded, fully appreciate what is required in order for them to comply with the Data Protection Act, as well as meeting their legal requirements when responding to freedom of information requests.”

This work has included dealing with such issues as determining who the data controller is for the new Clinical Support Units, now NHS England, and for the Data Management Integration Centres, which will become part of the Health and Social Care Information Centre and assume the responsibilities of data controller.

Monaghan said the ICO had recommended that, where appropriate, organisations undertake privacy impact assessments and make sure the personal information they are processing is kept secure and is being handled in compliance with the eight principles of the Data Protection Act.

“We have also encouraged all those involved in the new framework to fully inform the public what they do and to be transparent about what, why, how and when they collect and use data,” she said. “They should also provide individuals with a means of contacting them in case they have any outstanding concerns.”

The ICO has also published FAQs designed to cover queries raised by those working in the health service and the wider public.