The Information Commissioner’s Office certainly has teeth these days and it is not afraid to use them. “I think we are showing that in our recent activity,” acknowledges ICO head of enforcement Stephen Eckersley.

The ICO is the nation’s information watchdog. Or, as it puts it on its website, it is “the UK’s independent public authority, set up to uphold information rights.”

It oversees a number of pieces of legislation, including the Data Protection Act 1998 and the Freedom of Information Act 2000, and works by advising individuals and promoting good practice, as well as by “taking appropriate action when the law is broken.”

The extent of that appropriate action was increased dramatically in 2009, when the ICO won the power to impose penalties of up to £500,000 for breaches of the DPA.

In guidance issued in January 2010, it said it would use this power if there was a “serious” breach of the act, if the breach caused “substantial” damage or distress, if the breach was “deliberate” or if the data controller failed to take “reasonable steps” to prevent it.

It was always likely that the NHS would feel the force of these powers, as several of the examples of what might constitute a “serious” breach and “substantial” distress related to medical records. Yet, for two years, the ICO continued to issue trusts that did breach the DPA with advice and notices to improve.

Five fines in five months

Then, in April, Aneurin Bevan Health Board was fined £70,000 for emailing a report about the treatment of a mental health patient to the wrong person. A consultant emailed a letter to a secretary for formatting without proper identifiers, and the secretary chose the wrong patient from the EPR system.

The following month Central London Community Healthcare NHS Trust was handed down a penalty of £90,000 after a member of staff repeatedly faxed patient lists to the wrong recipient. This time, the ICO noted that not only did the trust have poor procedures and checks but that it had failed to consider alternatives such as “secure email.”

In June, Brighton and Sussex University Hospitals NHS Trust was issued the highest ever fine by the ICO. It was penalised £325,000 after a contractor paid to destroy hundreds of hard drives instead sold them on eBay.

That same month, Belfast Health and Social Care Trust was fined £225,000 after photographs of staff and patient records from an abandoned hospital appeared on the internet.

In July, St George’s Healthcare was fined £60,000; once more because letters were sent to the wrong address. And just this week, Torbay Care Trust was fined £175,000 after hundreds of staff details were inadvertently posted on its website.

Eckersley says there was no “cooling off period” that prevented the ICO from issuing fines for two years. Instead, he tells eHealth Insider it took that long for cases to come through that warranted a financial penalty.

“With any new legislation it does take time to apply it,” he explains. “It wasn’t a case of teeing cases up.”

Sticks – and carrots

Eckersley says that before the ICO was given the power to fine data controllers there was “no real deterrent” for organisations not to breach the DPA.

Monetary fines not only have cost implications, but damage an organisation’s reputation. The loss of patient information is particularly likely to hit the headlines of local papers, he points out.

As a result, since the power to impose fines came into force, trusts have taken the ICO more seriously. Despite this, Eckersley is keen to emphasise that his office is using the carrot as well as the stick.

“We see ourselves as regulators, but equally we are there to educate and influence and support organisations,” he says.

For example, if a trust’s senior risk officer is concerned about a particular area they can ask for a voluntary audit, at the end of which the ICO provides tailored internal advice.

The ICO audit team has been expanded to conduct more voluntary audits and 12 NHS-related audit reports are on the office’s website.

Getting to the board

Eckersley says the ICO is also starting to do more work on following up with organisations that have signed undertakings not to breach the DPA again, to make sure the work detailed in the undertaking is completed. Health is one of the areas being targeted in this process.

The ICO also provides plenty of educational material, holds workshops, and invites data compliancy officers to its data protection conference.

“Some of the feedback we get from that is quite positive in terms of how to mitigate against risk, and it helps data protection officers to elevate the threat of non-compliancy up to the senior management team; which is important,” he explains.

While executive teams can be wrapped up in performance measures, Eckersley argues that one of those measures should focus on data protection. However, he thinks that the approach of NHS trusts to information governance is “moving in the right direction.”

“There have been significant improvements; we have seen that from our audits and feedback from data protection officers and data controllers.

“The feedback from data protection officers is that they are being taken much more seriously and finding it easier to elevate problems and threats to senior management teams,” he says.

On the other hand, there’s no doubt that the stick is having an effect. “It’s much more important for executive teams now because of the threat of reputation and monetary penalty.”

Barriers and enablers

Trusts that find themselves in breach of the DPA tend to attract little sympathy. Brighton and Sussex Healthcare NHS Trust, for example, is appealing to the Information Tribunal against its fine, on the grounds that it “simply cannot afford to pay” – and it was the victim of a theft of its hard drives.

However, even commenters on the EHI website – who might be expected to be more sympathetic to its plight than, say, local people – asked why it had data stored on hard drives and why it hadn’t taken much more care over its disposal.

Despite this, there is a counter concern that the DPA, and concern about information governance, is too often used as a barrier to information sharing, rather than a safeguard.

“I see the argument from both sides,” says Eckersley. “The legislation was never introduced to be a barrier. It should be an enabler.

“But the most important thing, if there is a barrier to information sharing, is that the relevant parties discuss the issues, identify what the barriers are, then establish whether there are any legal gateways they can use to share the information.

“If they haven’t got gateways, perhaps they should consider having an information sharing agreement that’s compliant with the Act.”

Eckersley believes an idea that is now in the mix – an independent panel to look at local applications for data sharing – is a good one.

He says the ICO can also be used as a backstop, to take a view of whether information sharing processes would be compliant.

“That’s definitely one of the ideas, to have panels like that to elevate this up to the senior management teams,” he says.

Finding clarity in chaos

Health is one of four priority areas that are now a focus for the ICO because of the nature of the sensitive information being processed and potential impact if confidentiality is breached.

As the NHS transitions into a new commissioning environment, the risk of information governance and data protection responsibilities being lost in the mayhem is not lost on the watchdog.

Eckersley says its liaison team is working with the health sector during the transition to get a better understanding of the systems in place and responsibilities for data protection within teams.

He advises that data protection should be elevated on to the risk register during this period of change. Even something as simple as moving offices in which files are kept in a cabinet necessitates somebody taking responsibility for them – and making sure they are not left lying around for vandals to find, as happened in Belfast.

Overall, though, he says the principles of data protection are clear. “This is about making sure we have clear lines of responsibility and clear systems and processes in place about who has access to the data and who needs training.”