Information Commissioner's Office

Health sector data protection audits highlight areas for improvement

An Information Commissioner’s Office report today gives a snapshot of organisations providing secondary health care and how they are complying with the Data Protection Act.

The report summarises key findings from 19 audits carried out primarily with NHS Trusts by the ICO. The audits looked at how personal data is handled by the organisation, and fit alongside NHS information governance guidelines. The organisations voluntarily agreed to work with the ICO to identify good practice and, where necessary, improve procedures relating to the handling of personal data. 

The audits found:

  • All the organisations had data protection policies and procedures in place, though compliance with the policies wasn’t always effectively monitored, for instance through spot checks.
  • All the organisations had a system in place to track health records, though some did not conduct audits for missing files. The physical security of records also varied, with concern raised particularly around unlocked trolleys used for moving files.
  • There was also a lack of simple password controls, notably forcing regular password changes.
  • Some organisations had little in the way of fire or flood protection in place for paper records.
  • All organisations had appropriate information governance related risk registers and risk assessments that were regularly reviewed.
  • Concern was raised around the use of fax machines for sending personal information, given the human error associated with using a fax machine.

Before three of the audits, staff were surveyed about their awareness of data protection policies. 88 per cent of staff had read and understood the policy in place within their organisation, and 94 per cent had completed data protection training within the previous year.

Claire Chadwick, ICO Team Manager in the Good Practice team, said:

“Information about a person’s health tends to be one of the most sensitive types of personal data, and it is clear it must be properly handled.

“Our experiences in these audits suggested that tended to be the case. Only one of the audits suggested a substantial risk of non-compliance with the law, while more than half gave reasonable assurance the law was being complied with.

“By paying attention to this report, more organisations in this sector can ensure they are handling personal information properly. This report is an opportunity to review and improve practices and procedures based on our experiences.”

The audits followed a letter from the Information Commissioner and the Chief Executive of the NHS, Sir David Nicholson, to chief executives and finance directors within the NHS.

ICO audits are a free service to provide larger organisations with an assessment of whether they are following good data protection practice. They look at whether an organisation has effective policies and procedures in place and whether they are being followed and include recommendations from the ICO on how to improve.

Download the report (pdf)

You can learn more about our audits here:

The ICO has produced data protection guidance for the health sector which is available at: 

Information on good data sharing is available here:

If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at:

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter. Our Press Office page provides more information for journalists.
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection