The government is looking to make the NHS subject to compulsory data protection audits by the Information Commissioner’s Office.
The ICO can only audit NHS bodies with their consent, but says this is not sufficient and the Ministry of Justice has launched a consultation on a proposal to make them compulsory.
The consultation paper, based on a business case submitted by the ICO, says the NHS is an area where there are already “significant and widespread data protection compliance concerns”.
“The ability to compel data controllers to allow the Information Commissioner to audit their practices is an essential tool to identify and mitigate risks before serious problems occur,” it says.
The document explains that most audits that have been conducted in the NHS have come about as referrals from the ICO’s Enforcement team.
Even in this situation, where a serious data protection problem has occurred and been exposed, organisations often do not agree to an audit.
Of the NHS organisations referred for audit by the Enforcement team, only 53% agreed to it, compared to an average of 71% across the whole public sector.
Over the last six years, health has been among the top sectors from which the ICO has received complaints from individuals about potential data protection breaches, rising from 517 in 2007 to 1,167 in 2012.
The most common basis for upheld complaints is a failure to comply with an individual’s right of access to their information, followed by breaches of security and inappropriate or unauthorised disclosures of data.
In many cases, breaches have resulted in hefty fines for NHS bodies. The largest was handed down to Brighton and Sussex University Hospitals NHS Trust after highly sensitive personal data belonging to tens of thousands of patients and staff was discovered on hard drives sold on eBay.
“The NHS is one of the largest data controllers in the UK, processing a huge amount of sensitive personal data on a daily basis,” the consultation paper says.
“It is therefore important for confidence in the NHS that the public feel reassured that their personal data is being handled in compliance with the Data Protection Act and that personal data losses and other breaches that can result in considerable harm and distress are avoided.”
The new powers would affect all NHS data controllers in England, Wales and Northern Ireland and Health Service data controllers in Scotland, but would involve no new obligations on their part.
The consultation will run for eight weeks, with responses due by 17 May.