NHS to face compulsory data protection audits

published 5 March 2014

The NHS could soon face compulsory data protection audits, as the Government pushes ahead with plans to improve the health service's handling of patient data.

The plans were outlined by Simon Hughes, minister of state for justice and civil liberties, during an address earlier this week at the Information Commissioner's Office's (ICO) Data Protection Practitioner Conference.

Hughes, who only took up his current Government role two months ago, said the NHS is being targeted because of the large amounts of sensitive data it regularly handles.

"We have recently conducted a consultation on extending the ICO's powers of compulsory audit to NHS bodies. This requires secondary legislation which we plan to introduce before the summer recess so that the power can come into effect by the autumn," said Hughes.

"We have chosen the NHS as it is one of the largest data controllers in the UK, processing huge amounts of sensitive personal data on a daily basis."

The practice could also be extended to other industries, added Hughes, depending on how its work with the NHS goes.

"We will work closely with the ICO to monitor the effectiveness of these powers before considering whether we might extend them to other sectors that process large amounts of personal data in their day-to-day business," he continued.

The news will be music to the ears of data protection and privacy experts who have regularly rounded on the NHS for its haphazard approach to information security.

In recent years, this has resulted in various NHS Trusts being subjected to massive fines from the ICO for data protection breaches, with Brighton and Sussex University Hospitals NHS Trust receiving a record 325,000 penalty in June 2012.

At present, the onus is on organisations that suffer data breaches to report them to the ICO, so the introduction of compulsory audits could result in a marked uptick in the number uncovered.

Hughes also used his presentation to outline other changes to data protection enforcement the Government is mulling over, including the introduction of tougher sanctions against organisations that breach the Data Protection Act.

Companies that infringe on the Data Protection Act can find themselves subjected to fines of up to 500,000.

However, the introduction of custodial sentences for Data Protection Act rule breakers has also recently been mooted.

"Serious misuse of personal data by any sector causes significant distress and damage to ordinary citizens and undermines public trust in public institutions and business which in turn can undermine economic growth," said Hughes.

"That is why in the last few weeks we have begun to review the sanctions available for breaches of the Act so we can decide whether to increase the penalties as the law permits."

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.