New powers of inspection for the ICO


For immediate release: Tuesday, 10 February 2015

Doctors are reminded to ensure they protect patient data as GP practices face compulsory data protection audits, says UK-wide medical defence organisation MDDUS.

This advice comes in light of new powers introduced at the beginning of February that allow the Information Commissioner to enter premises – including GP surgeries – without consent, to audit how the NHS manages patients’ personal information.

Previously, the Information Commissioner’s Office (ICO) would only undertake compulsory audits in central government departments, and consent was required for audits in the NHS.

It is intended that the new legislation will allow the ICO to target poorly performing parts of the health sector and act before a breach occurs. As part of the audits, the ICO will review how the NHS handles patient information, data security, record management, staff training and data sharing.

NHS bodies would be required to allow the ICO to enter the premises and permit them to observe the processing of any personal data.

MDDUS adviser Dr Richard Brittain urges practices to have a robust system in place to ensure sensitive patient data is stored and shared securely. “We regularly receive calls from members following data breaches and urge practices to review their systems proactively,” says Dr Brittain.

“As increasing amounts of patient information are stored and transmitted electronically, so the risks of confidentiality breaches also increase. The introduction of online patient access to medical records will likely further increase these risks.

“Doctors must be satisfied that there are appropriate security arrangements in place and consider the potential for data breaches in all electronic communications with patients and colleagues involving confidential patient data.

“Encryption can reduce some of the risks but no system can be completely secure. Doctors should never store identifiable data on personal computers.”

There should be sufficient IT support and training available for practice staff to ensure the safety of systems in operation. “It is more important than ever for doctors and healthcare professionals to familiarise themselves with policies and procedures issued by their employer or contracting body which are designed to protect patients’ privacy,” adds Dr Brittain.

“Doctors have a duty to protect confidential patient data under GMC guidance as well as the Data Protection Act 1998, which requires information to be fairly and lawfully processed.”

The ICO has powers to impose monetary penalties, issue undertakings or even launch criminal proceedings against organisations and individuals who fail to protect private data. To date, the ICO has issued fines to NHS organisations totalling £1.3 million. “A breach of data protection can result in serious consequences and adversely impact patient trust,” says Dr Brittain.

“Any data breaches should be reported straightaway to a senior colleague so that action can be taken to investigate the cause and prevent further breaches. Consideration should be given to informing the ICO of any breach and it is advisable to contact your medical defence organisation for advice.”

More details can be found on the ICO website.


For further information contact Richard Hendry on 0845 270 2034 or 07976 272266, or email

Note to editors

MDDUS (The Medical and Dental Defence Union of Scotland) is a medical and dental defence organisation providing access to professional indemnity and expert medico- and dento-legal advice for doctors, dentists and other healthcare professionals throughout the UK.

For further information on MDDUS go to

This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.