Ministry of Justice consultation on compulsory DPA audits for NHS bodies

The consultation paper asks a single question: "Do you agree that the Information Commissioner should be given powers under the Data Protection Act 1998 to carry out non-consensual assessments of data of NHS bodies for compliance with the Act?"

The ICO already has such powers over some data controllers within central government. In early 2012 the commissioner proposed that these powers be extended to the NHS. He believes that the mere existence of such powers will make their use unnecessary. The experience with central government "tells me that the existence of a compulsory audit power is a strong driver in persuading data controllers to sign up to a consensual audit," he wrote. The theory is that knowledge of the possibility of a compulsory audit will focus data controllers on better compliance with the Data Protection Act.

The new consultation is a response to this proposal, to existing concerns over the level of DPA breaches within the NHS (often involving very sensitive personal and health information), and to the imminent structural changes to the NHS. These changes will transfer NHS responsibilities from Strategic Health Authorities and Primary Care Trusts to new Clinical Commissioning Groups (CCGs) from April 2013.

"As these reforms bed in, and organisational responsibilities change and personal data is transferred, every effort should be made to ensure data protection risks do not increase," says the consultation paper.

"In particular," it concludes, "the ability to compel data controllers to allow the Information Commissioner to audit their practices is an essential tool to identify and mitigate risks before serious problems occur... A power of compulsion is needed even if in practice this serves mainly as an incentive to organisations to sign up to a consensual audit."

The consultation opened on March 25 and will run until May 17.