Data Protection audits in the NHS

Do the results of an anonymous survey into data protection practices and attitudes of junior doctors provide justification for compulsory audits?

In March of this year the Ministry of Justice announced a consultation to consider whether the Information Commissioner’s Office (ICO) should be given powers to require NHS bodies to submit to compulsory audits by the ICO of their data protection practices. The required statutory designation, under section 41(2)(b) of the Data Protection Act 1998 (DPA) would mean that “public authority data controllers within National Health Service Bodies (NHS) in England, Wales, Scotland and Northern Ireland” would be added to central government departments in the group of data controllers subject to these compulsory audits.

Given the nature of the personal data it deals with, the NHS is clearly a high-risk area, and has been subject, particularly over the last two years, to significant enforcement action by the ICO. The Information Commissioner himself, Christopher Graham, said in 2011:

There’s just too much of this stuff going on. The senior management is aware of the challenge but the breaches continue. Whether it’s a systemic problem in the NHS or an epidemic we have got to do something about it. Health service workers look after their patients very carefully but don’t always look after their data very carefully

In some ways these compliance problems might be seen as surprising: all NHS bodies are required to comply with the comprehensive and demanding IG Toolkit and in my experience there are some extremely skilled and dedicated people working in the field of NHS information governance.

This makes the findings of a small, but significant, study at two hospitals of the attitudes and practices of junior medical staff towards security of patient identifiable information particularly concerning. And, perhaps, the justification for compulsory ICO audits is made out.

The study, published in the Journal of Patient Safety, involved asking 50 junior medical staff across two unnamed district general hospitals to complete an anonymous questionnaire aimed at assessing

the physicians’ current practice as well as their awareness of the Data Protection Act and Caldicott principles with respect to storage and disposal of patient identifiable information.

The results are dismaying: they include

Sixty-two percent of physicians surveyed held patient identifiable information electronically, outside of normal NHS use. Thirty percent of physicians used portable memory sticks, of which, 68% were not password protected. Ninety percent of physicians used patient ward lists in paper format with 18% frequently using a domestic waste bin for disposal

and in a small number of cases data was said to have been stored on personal computers.

All of these practices in themselves constitute serious contraventions of the DPA. In the event that they gave rise to loss or theft of data they would undoubtedly result in strong enforcement action by the ICO, probably in the form of a monetary penalty notice (MPN), which can be for a maximum of £500,000.

A number of questions come to mind. Is such wholesale disregard of fundamental data security and patient confidentiality reflected throughout the NHS? Is it specific to these two unnamed hospitals? Is it restricted to, or worse among, clinicians, or certain categories of clinician? And how do the principles of the IG Toolkit match up to reality in the clinical environment of a busy hospital?

Perhaps these are questions that can be answered in a compulsory ICO audit.


Filed under Data Protection, Information Commissioner, NHS

4 responses to “Data Protection audits in the NHS”

  1. FOI Kid

    My reply became so long that I posted it on my blog, rather
    than filling yours with my thoughts:

  2. Normski

    As an IG manager working in the NHS I am all too aware that
    whilst most organisations are saying they are 100% compliant and
    back this up with a satisfactory IG toolkit score this hides the
    real truth. For a start, of the NHS organisations who have been
    issued a financial penalty by the ICO most of them had satisfactory
    toolkit scores. The experts (the IG managers like myself) are often
    pressurised into making the toolkit score look good by collecting
    bits and pieces of evidence which whilst they satisfy the toolkit
    go absolutely nowhere in terms of proving IG compliance. Whilst in
    theory the IG toolkit should be a good indicator, in most cases it
    is purely a tickbox exercise. Where this is not backed up is by the
    staff who may read the policies but choose to do their own thing
    anyway. As a service the NHS is not on top of technology and it is
    so much easier for junior docs brought up in a Facebook and Twitter
    world to carry on using a similar approach to their work, and want
    to have instant access and instant sharing – something most NHS IT
    systems just do not provide. I know of some organisations who score
    level 3 across all requirements but haven’t even got half the
    policies in place – maybe a bit of “poetic licence”. So yes, an
    independent audit might help – but don’t simply audit the toolkit,
    get out there and talk to people. Of course the last time I heard
    there were not enough ICO staff to audit every NHS organisation in
    the country – maybe a job opportunity there then!

  3. Marwan Habiba

    Clearly, contravening DPA cannot be accepted, but in order
    for it to be addressed constructively, the questions are why it
    happens and on that scale? This is not a question of justification,
    but there is a need to understand to what purpose this happens in
    order to devise appropriate educational tools, alternative IT
    solutions or sanctions. Responsibility for this should rest with
    NHS employing organisations and IT departments who should reassure

  4. I have not worked in the NHS but having trained within a number of NHS organisations, and discussed the toolkit with those at the sharp end, I would echo Normski’s comments. The feeling in each of my sessions was along similar lines.
    1. On its own the toolkit is an excellent and thorough piece of work.
    2. The process behind the toolkit unfortunately becomes an end and a distraction in its own right.
    3. This leads to a lack of focus on the important – effort being put into completing parts of the toolkit rather than prioritising fixing what is wrong.
    4. The process therefore ties up experienced and scarce resources which in reality would be better employed doing the job rather than satisfying the bureaucracy.
