New audit powers for the ICO

Author: Aisling Duffy

Applies to: UK wide

As of 1 February, the Information Commissioner's Office (ICO) can force public healthcare organisations to undergo compulsory audits of their Data Protection Act 1998 compliance, a power that previously only applied to central government departments.

Why has this come about?

Healthcare organisations collect and handle significant amounts of sensitive personal data relating to their patients. In recent years they have been the subject of some high profile serious data protection breaches.

These breaches have not only led to NHS Trusts being hit with substantial fines (totalling £1.3 million) but have also resulted in affected individuals suffering significant distress.

As with all breaches, the ICO investigated the incidents suffered within the NHS and, in many instances, their investigations revealed that the breaches had arisen as a result of systematic failings in how NHS organisations collect and handle personal data.

The ICO has welcomed these new powers which they consider will give the ICO the 'chance to act before a breach happens.'

What do the new powers mean?

These powers allow the ICO to enter organisations operating in the public health sector and to carry out an audit of their practices in order to evaluate their current levels of compliance with the Data Protection Act 1998.

The audit process will review, amongst other things, how the NHS handles personal data relating to its patients. In particular, it will look at issues such as data security, records management, staff training and data sharing.

Christopher Graham, the Information Commissioner, said:

'Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn't good enough.'

It is apparent therefore that the ICO is not prepared to tolerate lax data protection compliance by public healthcare organisations going forward.

What can you do?

If you are an NHS Foundation Trust, GP Surgery, NHS Trust or community healthcare council (or equivalent in Scotland, Wales or Northern Ireland), this could apply to you.

Steps can be taken now to help ensure that your organisation does not become the subject of a forced audit and is not held out as an example by the ICO.

The most effective way of mitigating these risks is to carry out an audit now. This will enable you to get a better understanding of current levels of compliance within your organisation and, in particular, to identify areas of non-compliance which need to be addressed.

If your organisation is not itself caught by these powers but provides services to organisations which are, you may still be affected as such organisations are now likely to demand much more from their service providers.

For further information in relation to how Shoosmiths' Data Protection Team can help you with this process, please contact Aisling Duffy on 03700865089 or [email protected]


This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.