Over £1 million spent by NHS trusts on GDPR preparation, FOI reveals

Cyber Security, News

  • 16 April 2018
Over £1 million spent by NHS trusts on GDPR preparation, FOI reveals
Owen Hughes
October 24, 2017

Freedom of Information (FOI) requests sent to NHS trusts in England reveal that more than £1 million has been spent preparing for the General Data Protection Regulation (GDPR).

Parliament Street issued freedom of information (FOI) requests in February 2018 asking trusts to disclose their total GDPR expenditure to date, projected expenditure for the year ahead as well as details about how the money was being put to use.

Within its results, Luton and Dunstable proved to have invested the most in GDPR implementation, having set aside £111,200 for staff support and training. This was followed by Lincolnshire Partnership NHS Foundation Trust, which has spent £106,915, including £1,755 on “specialist training”.

South Central Ambulance Service and St George’s University Hospitals both set aside £95,000 for GDPR respectively. This was followed by Sheffield Teaching Hospitals (£78,000) and Dorset HealthCare University NHS Foundation Trust, which reported to have spent £70,000 on a “GDPR specialist” over a course of six months, supported by staff training.

Meanwhile, the Christie NHS Foundation Trust spent £54,000 on an information security management system and consultancy resources.

Other trusts have been more thrifty in regards to their GDPR spend, due to budgetary constraints or otherwise.

Derby Teaching Hospitals, for example, reported to have allocated just £500 toward preparing for the new regulations.

Alder Hey Children’s NHS Foundation Trust said it had spent £553 on practitioner training, whereas Cheshire & Wirral Partnership said it had spent £662 on training along with an exam.

Goodmayes Hospital, part of North East London NHS Foundation Trust, spent £500 on GDPR preparation, with an extra £70 a month going towards “a secure email system for sending patient records.”

GDPR introduces tighter measures around citizen data privacy, with organisations who fail to comply facing heavy fines.

In total, Parliament Street’s report showed that £1,076,549 had been spent by NHS trusts to ensure data security practises are up-to-scratch before the 25 May deadline.

However, only 46 trusts replied to the think tank’s FOI request, representing just over a fifth of all NHS trusts in England.

While this suggests that the total spend on GDPR could be considerably higher, research from Digital Health Intelligence conducted in 2017 found that only around half of NHS trusts in England have an implementation plan for the new regulation.

To increase these numbers, Parliament Street suggested that a national GDPR implementation strategy be established by the NHS that brings together CEOs and CIOS, in order to ensure consistency between trusts.

It also called on the government to provide  “dedicated legal advice in the form of solicitors and specialist counsel to enable all trusts to gain free consultancy on implementation.”

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Prev News

Double robot surgery carried out at The Royal Marsden Hospital

Next News

The cloud: a catalyst for innovation and collaboration in healthcare

Related News

When is your data anonymous?
AI and Data April 26, 2022

When is your data anonymous?

In a joint piece for Digital Health, Paul Affleck and GP Dr Imran Khan, explore the recent care.data and GPDPR programmes and when health data…
‘Majority’ of NHS trusts lack training for video conferencing
News January 17, 2020

‘Majority’ of NHS trusts lack training for video conferencing

An FoI request to 80 NHS trusts found that 56% did not have training programmes in place to ensure staff were using video conferencing systems…
‘More than half’ of NHS trusts engaged in AI projects, report suggests
News December 18, 2019

‘More than half’ of NHS trusts engaged in AI projects, report suggests

Data obtained by NetApp found that 52% of trusts were deploying AI technologies, with a further 16% planning to roll them out within the next…

8 Comments

  • Man says:
    29 April 2018 at 6:36 PM

    great stuff

  • CertDocKits says:
    16 April 2018 at 9:16 PM

    You can download all the documentation needed from CertDocKits.com

  • Howard Walker says:
    16 April 2018 at 5:06 PM

    Most companies are making too much fuss on GDPR. Handled sensibly, it needs little work to ensure that they comply. The problem with most health service it systems is that they are written by American companies, who chrage the earth for any minor changes. Typical of most government departments. I bet that the Inland Revenue does not comply. I have had no request from them to give my permission for them to email me.

    • Bill says:
      16 April 2018 at 9:01 PM

      Im not sure if you know a lot about GDPR or a little. The reason I suspect noone will get a consent email from HMRC is because ‘legitimate business’ is the lawful basis of them processing your data and informing you about your account.

      Properly implenting GDPR is important in today’s letigious culture. I’m waiting for the phone calls ‘have you been involved in a consent violation’ aka you got an email from a company to whom you didn’t consent explicitly. (to which I’ll reply, how did you get my number!!)

  • Adrian Parker says:
    16 April 2018 at 9:34 AM

    FOI does reveal some interesting results. The NHS see http://www.nhsconfed.org/resources/key-statistics-on-the-nhs is a large entity and £1M on GDPR suggests that each NHS body must already be ISO 27001 (or similar) compliant else there is a large problem lingering. With ISO 27001 in place additional spending for GDPR compliance would infer to me that spend is required for DPOs to verify compliance and bridge gaps likely to be found more in the digital arena than with internal training. That said GDPR compliance is a full of gotchas’ and any fine is worth avoiding with some investment to ensure that our NHS looks after our data correctly would be a good thing.

    Much of the NHS uses SQL Server Data Warehouses and the automation of these, including GDPR compliant documentation is possible with automation tools such as TimeXtender which will can make the NHS savings and compliant. Oddly their is still a reluctance to adopt, even though there is a shortage of DBA’s and the cost of these is therefore increasing. No different to medical staff shortages.

    GDPR could actually create negative spend if the right solutions are deployed and associated benefits identified as such. Automation is key to compliance and efficiency.

  • Ewan Davis says:
    16 April 2018 at 8:00 AM

    It’s generally acknowledged that a typical NHS Trust will have in excess of 1,000 IT systems that might be processing patient data – The majority of these are the so called Feral or Shadow IT systems created “under the radar” because the corporate systems can’t meet users needs.

    I challenge any NHS Trust to demonstrate they can identify all such systems, let alone which patients data they may store?

    This situation means that organsations are probably unable to comply with current regulations let alone the GDPR.

    Think about whether you organisation could answer a letter like this one here https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/ – In my wickeder moments I toy with sending a version to those NHS organsiations that I know have some of my personal data and waiting for the feathers to fly.

    Given this the spending on preparation seems woefully inadequate

    • Dr Neil Bhatia says:
      16 April 2018 at 9:20 AM

      I think the ability to confidently respond to such a letter should be taken as a “GDPR compliant” marker. I’m certainly using that letter as a “worklist” in my organisation.

  • Kev says:
    16 April 2018 at 7:05 AM

    Wonder how much they spend on answering FOI’s…

Comments are closed.