ICO receives powers to audit NHS

After years of lobbying, the ICO has been given the power to conduct mandatory audits of the National Health Service. The move is a direct result of serious non-compliance in this sector - the ICO has already issued fines totalling £1.3m to NHS organisations.

Previously, the ICO could impose audits only on government departments, but it has been collecting evidence and developing a case to support an extension to some categories of data controllers in the NHS and the private sector.

The Information Commissioner has welcomed this change in the law, which takes effect on 1 February. Under section 41A of the Data Protection Act, the ICO will be able to assess the level of data protection compliance at England’s NHS foundation trusts, GP surgeries, NHS Trusts and Community Healthcare Councils, and at their equivalent bodies in Scotland, Wales and Northern Ireland. The new legislation will not apply to private companies providing services within public healthcare, the ICO says.

Christopher Graham, the Information Commissioner, said: “Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough. We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step for patients.”