NHS data controllers have been put on notice by the Information Commissioner to ensure they have appropriate systems and controls in place to protect patient data – as NHS organisations, including GP practices, now face compulsory data protection audits.
The new powers allow the Information Commissioner to enter premises – where necessary without consent – to audit how the NHS manages personal patient information. In the past the Information Commissioner’s Office (ICO) could only undertake compulsory audits in central government departments and consent was required for any audits in the NHS.
The new legislation is designed to allow poorly performing parts of the health sector to be targeted and remedial action put in place before a breach occurs. The ICO will review how the organisation handles patient information, data security, record management, staff training and data sharing.
At MDDUS we regularly receive calls from members following data breaches, and we would therefore urge practices to review their data protection arrangements proactively to ensure they are robust and secure. Such a review should cover not only the day-to-day handling of patient information but also the arrangements that support it: appropriate IT support, staff training, and written policies and procedures.
The ICO has extensive powers to impose monetary penalties, issue undertakings or even launch criminal proceedings against organisations and individuals who fail to protect personal data. To date, the ICO has issued fines to NHS organisations totalling £1.3 million. Seen against this, the addition of compulsory auditing powers may be regarded as a more benevolent intervention: an audit can provide reassurance about areas of good practice and give the data controller an opportunity to remedy any defects before more draconian action is taken.
Needless to say, any data breach should be reported straight away to a senior individual so that appropriate action can be taken to investigate the cause and prevent further breaches. Consideration should also be given to informing the ICO of the breach, and it is advisable to contact your medical defence organisation for advice. MDDUS has been looking at the issues that ICO audits have so far uncovered within healthcare provider organisations, and they are diverse. They have included:
- Information governance (IG) policies found to be outside of stated review dates.
- Adverse events identified when they occurred, but with delays of four to six weeks before details were entered onto incident-management databases, resulting in delayed investigations and outcomes.
- Information asset registers (IAR), which should record key information assets, found to be incomplete: for example, omitting manual patient records, or medical devices and other equipment that may hold personal data.
- Poor security in the storage of paper records.
- No routine reviews of access to patient records, nor any routine exception reporting in place.
- Staff unaware of who the policy or IG lead is and how to make use of them, even where the organisation has a system for disseminating and updating policies.
Audit findings such as these can highlight areas that data controllers may not previously have considered particularly relevant or important. The clear message is that information governance is about far more than making sure that patient information is processed securely and confidentially, and the ICO is clearly raising the bar in terms of expectation.
ACTION: All data controllers should consider whether their current systems and policies would stand up to the scrutiny of an external audit undertaken by the ICO. Seek early assistance from information governance leads, Caldicott Guardians or MDDUS.