NHS organisations are confused about how to ensure junior doctors get data protection training, a report from the Information Commissioner’s Office has found.

The report summarises key findings from 19 audits carried out by the ICO  and looks at how NHS trusts comply with the Data Protection Act.

Although some of the trusts audited demonstrated “good practice” in ensuring all staff have mandatory information governance training, the report says that all 19 NHS organisations were confused over “how to best ensure that junior doctors and medical students completed relevant data protection training.”

Sally-Anne Poole, ICO enforcement group manager said: “if organisations are employing temporary or agency workers into positions that involve the handling [and sending out] of personal information then they must make sure these staff have received adequate data protection training.”

The audit also found that although all the organisations had a system in place to track health records, some did not conduct audits for missing files.

It also raised concerns around unlocked trollies full of patient records being found at several trusts.

“In relation to the security of health records we found disparity in how each organisation protected health records while in records libraries and during transport to wards and outpatient clinics,” says the report.

“We observed files being moved around trusts in trollies; some trusts requested that a member of staff collected the trolley while others delivered the trollies direct to the clinic. The common area of concern was that the majority of these trollies were not locked.”

ICO team manager in the ‘good practice team’, Claire Chadwick, said that a person’s health information is one of the most sensitive types of data, and must be handled accordingly.
“Our experiences in these audits suggested that tended to be the case. Only one of the audits suggested a substantial risk of non-compliance with the law, while more than half gave reasonable assurance the law was being complied with,” she said.

“This report is an opportunity to review and improve practices and procedures based on our experiences.”

The audit also found concerns around the use of fax machines for sending personal information, but says that all organisations had appropriate information governance related risk registers.