The Information Commissioner’s Office (ICO) now has the right to force audits on NHS authorities to ensure they comply with the Data Protection Act.
The ICO’s powers result from a Designation Order ruling that the information commissioner may serve notice to public authorities – including National Health Service organisations – in conjunction with section 41A of the Data Protection Act 1998.
“The National Health Service holds some of the most sensitive personal information available but, instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern,” said Christopher Graham, the information commissioner.
“Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough.”
These changes in law mean the ICO can now investigate all public healthcare organisations, where previous audits only applied to central government departments.
This gives the ICO the ability to audit NHS foundation trusts, GP surgeries, NHS trusts and community healthcare councils and assess their data protection protocols.
The ICO can assess how these authorities use patient information, including data security standards, record management, data sharing and staff training. But this does not apply to external private companies providing services used in public healthcare organisations.
The ICO has issued NHS organisations fines totalling £1.3m for offences such as data protection breaches, improperly disposing of confidential information and sharing private data with other organisations without proper consent.
Graham said: “We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step for patients.”
Care.data scheme raises concerns
The NHS's use of data has been under scrutiny recently following plans to implement the care.data scheme, whereby patient records and data are uploaded by GPs to a central system, where they can be shared across the NHS.
But this has caused widespread concern over patient data privacy as, once care.data is implemented, there will be no way for patients to control who has access to their medical records or how that information is used.
The biggest cause for concern is whether anonymised data – which will be sold to external organisations to recognise health patterns in particular datasets – could be interpreted to find the original patient’s name and details.
In 2014 the project was delayed by six months. An NHS England spokesman said the delay was to “allow more time to build understanding of the benefits of using the information, what safeguards are in place, and how people can opt out”.