Information Commissioner's Office
ICO given new powers to audit NHS
“Data breaches by the NHS are a major cause for concern - this will give us a chance to act before a breach happens”
The Information Commissioner has welcomed a change in the law that will give his office the right to force NHS authorities to be audited for compliance with the Data Protection Act.
From 1 February, the ICO will be able to subject public healthcare organisations to a compulsory audit. These compulsory audits have previously only applied to central government departments.
The audits review how the NHS handles patients' personal information, and can review areas including security of data, records management, staff training and data sharing.
The ICO will be able to assess data protection by England’s NHS foundation trusts, GP surgeries, NHS Trusts and Community Healthcare Councils, and their equivalent bodies in Scotland, Wales and Northern Ireland under section 41A of the Data Protection Act. The new legislation will not apply to any private companies providing services within public healthcare.
Christopher Graham, the Information Commissioner, said:
“The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern.
“Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough.
“We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step for patients.”
The ICO has issued fines totalling £1.3m to NHS organisations.
Notes to Editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter. Our Press Office page provides more information for journalists.
- Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at: www.ico.org.uk.