MoJ consults on compulsory data protection audits of NHS bodies

The Ministry of Justice has launched a consultation on proposals to extend the powers of the Information Commissioner to carry out compulsory assessments of NHS bodies’ compliance with data protection laws.

The move would see NHS bodies in England, Wales, Scotland and Northern Ireland designated under s. 41A(2)(b) of the Data Protection Act 1998.

The consultation paper revealed that the ICO had received 5,315 complaints of potential data protection breaches from individuals since 2007 (1,167 alone in 2012).

This made it the sector generating the fourth highest number of complaints, after lenders, local government, and general business.

So far the Information Commissioner has issued six monetary penalty notices against NHS bodies. The highest was the £325,000 levied against Brighton and Sussex University Hospitals NHS Trust, after hard drives containing sensitive personal data were sold on an internet auction site.

The MoJ said: “The evidence … clearly demonstrates that the NHS is an area where there are already significant and widespread data protection compliance concerns.

“Data controllers in these sectors are managing huge quantities of complex and often sensitive personal data, they are often involved in wide scale data sharing initiatives and engaging multiple data processors. The nature of the personal data held by these organisations is such that a breach of the DPA often has particular potential to cause real distress and harm.”

The MoJ said that the pressures on organisations in these sectors were only likely to increase in the next few years.

“The NHS in particular is entering a period of huge restructure which will involve responsibility for sensitive personal data shifting to completely new bodies,” it argued.

The consultation paper added: “The Information Commissioner already invests significant time and effort providing advice and guidance to those trying to comply. He can and does use the powers available to him to take action against organisations that breach the rules.

“In these sectors in particular the ability to compel data controllers to allow the Information Commissioner to audit their practices is an essential tool to identify and mitigate risks before serious problems occur … Simply relying on organisations agreeing to an audit is not sufficient.”

The Ministry argued that a power of compulsion was needed even if in practice this served mainly as an incentive to organisations to sign up to a consensual audit.

“The value of the audit process is clearly illustrated and the extension of the assessment notice power will provide a clear basis for the Information Commissioner to improve data protection compliance in these areas of significant risk.”

The Information Commissioner’s call for extension of its powers to hold compulsory audits to NHS trusts (and councils) was backed last week by the Justice Committee.

In a report, the MPs said: “It is shocking that public sector organisations, which hold highly sensitive data, should refuse a free audit, and even more so in cases where there are serious concerns over the security of that data.

“It is indicative of a culture in some public authorities in which data protection and privacy do not register as being sufficiently important.”

More information on the consultation is available from the Ministry of Justice. The consultation runs until 17 May 2013.