Sign up for our newsletter
Technology / Cybersecurity

NHS faces data security audit from ICO

The NHS will have to face data auditing from the Information Commissioner’s Office (ICO) following a change in the Data Protection Act.

Public healthcare organisations were previously exempt from a compulsory audit, but will be obliged to face a review of how they handle the storage, sharing and training around patients’ personal information, just like central government departments, if the ICO demands it.

Christopher Graham, the Information Commissioner, said: "The health service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers."

"This is a major cause for concern. Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough."

White papers from our partners

Fines worth £1.3m have been handed out to the NHS by the ICO for data protection missteps in the past, and a report from Big Brother Watch last year estimated the service was suffering as many as six breaches a day.

The updated regulations will allow the office to assess data security in trusts, GP surgeries, foundation trusts and healthcare councils throughout the UK, but will not apply to private companies contracted to provide services within the NHS.

"We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens," Graham added. "It’s a reassuring step for patients."

Public bodies claim a substantial proportion of the fines issued by the office due to the sensitivity of the data they handle and EU law which mandates multinational firms be investigated by the country their European headquarters is located in if there is a breach across multiple territories.


This article is from the CBROnline archive: some formatting and images may not be present.