The Ministry of Justice (MoJ) has opened a consultation on making health bodies subject to the powers of the ICO to conduct compulsory data protection audits (32-page / 319KB PDF).
Under the Data Protection Act the ICO currently has the power to conduct compulsory data protection audits of central Government departments, but must obtain consent from other organisations before it can investigate their procedures. The ICO has long campaigned for these mandatory auditing powers to be extended and in December 2011 presented a "business case" to the MoJ outlining why it felt compulsory audit powers were necessary in relation to the health sector.
The MoJ has now said that it has been convinced of the need to bring health bodies within the scope of the ICO's compulsory audit powers.
"Simply relying on organisations agreeing to an audit is not sufficient," MoJ said in its consultation paper. "A power of compulsion is needed even if in practice this serves mainly as an incentive to organisations to sign up to a consensual audit. The value of the audit process is clearly illustrated and the extension of the assessment notice power will provide a clear basis for the Information Commissioner to improve data protection compliance in these areas of significant risk."
The MoJ said that the ICO had provided evidence that showed that there are "significant compliance problems" within the NHS. It said that with the health sector facing changing practices through "modernisation", it was important to provide the ICO with the power to conduct compulsory data protection audits of the organisations to mitigate identified risks.
A number of health sector bodies have been the subject of enforcement action by the ICO in recent months. The watchdog had set out its intention to focus on improving health sector compliance in its information rights strategy published at the beginning of 2012. The highest fine the ICO has ever levied on any organisation for a breach of the Data Protection Act was served on Brighton and Sussex University Hospitals NHS Foundation Trust last year. The Trust was fined £325,000 after "highly sensitive personal data" was stolen from a hospital under its control and sold on eBay.
The MoJ's report said that the ICO's power to levy monetary penalties for data breaches is "an effective and important mechanism for ensuring data controllers take compliance seriously and take steps to prevent issues recurring". However, it added that it would also "clearly be ideal for risk areas to be identified and practices to be improved across an organisation long before such serious incidents occur".
The MoJ also said that the ICO had had trouble convincing NHS bodies to engage in consensual audits, even where data protection problems had "occurred, and ... been exposed" by the watchdog's enforcement officers. It said just over half of those bodies (53%) that had been referred for a consensual audit by the enforcement team at the ICO had ultimately agreed to it.
"Where the power to serve an assessment notice exists data controllers can agree to consensual audits without the notice being necessary in each case," MoJ said. "The Information Commissioner has not had to serve an assessment notice to date because 100% of data controllers covered by the existing provisions have agreed to an audit (knowing the option to serve a notice exists if they refuse)."
"The figures [about the NHS bodies' not agreeing to consensual audits] do however demonstrate clearly that without that power to back up requests for access organisations will continue to be reluctant to volunteer. Those data controllers that have something to hide, particularly those who know their processes and controls are insufficient, are perhaps the most likely to want to avoid or postpone closer inspection," it said.
MoJ said that where the ICO had conducted consensual audits it had identified data security problems, including "lockable storage not being used, patient records left in reception trays openly accessible and insecure confidential waste bins" as well as unencrypted sensitive data being held on mobile devices.
Health bodies are being encouraged to give their view on whether the ICO's compulsory audit powers should be extended to their sector. MoJ said it will accept submissions received by 17 May.