ICO given new powers to audit the NHS

Until 1 February 2015, the Information Commissioner’s power to conduct a compulsory audit of data protection compliance under section 41A of the Data Protection Act 1998 (“DPA”) was limited to central government departments only.

The Designation of National Health Service Bodies Order 2014 has now extended ICO powers of compulsory audit to NHS bodies; private providers of NHS services are unaffected.

The ICO’s new audit powers will enable the ICO to assess how data protection is dealt with by NHS foundation trusts, GP surgeries, NHS trusts and community healthcare councils in England, and their equivalent bodies (such as local health boards) in Wales, Scotland and Northern Ireland. While the ICO will ordinarily seek to conduct audits of NHS bodies on a consensual basis, the extension of his powers of compulsory audit to the NHS reflects longstanding concern regarding data handling practices in the health sector.

The Information Commissioner, Christopher Graham, has expressed the hope that these new powers will drive improvements in NHS data handling and will give the ICO an early opportunity to take action before serious data breaches happen.

What action could ICO take following a Section 41A audit?

Section 41A audits are seen as a means of encouraging compliance and good practice and do not ordinarily result in enforcement action. Where recommendations are made, it is open to the ICO to follow up the extent to which they have been implemented, either by seeking written assurances of the action taken or by conducting a further audit. The ICO is not, however, precluded from taking enforcement action in relation to matters that come to light in the course of an audit, and in cases of major non-compliance it reserves the right to issue enforcement notices requiring corrective action to be taken. However, by virtue of section 55A(3A) DPA, the ICO’s power to issue a financial penalty notice in relation to serious data protection breaches is expressly excluded for breaches that are identified in the course of an audit (whether consensual or compulsory).

For further information regarding ICO audit please contact Heledd Lloyd-Jones or Julie Stokes, contact details below.