No data protection “fines” for audited NHS bodies

UPDATE (03.02.15): GPOnline have commendably now amended their piece on this. END UPDATE

GPOnline warns its readers today (02.02.15) that

GP practices face compulsory audits from this month by the information commissioner to check their compliance with data protection laws, and could be fined heavily if they are found to have breached rules.

While it’s good that it is on the ball regarding the legal change to the Information Commissioner’s Office (ICO) audit powers, it is, in one important sense, wrong: I can reassure GP practices that they are not risking “fines” (more correctly, monetary penalty notices, or MPNs) if breaches of the law are found during an ICO audit. In fact, the law specifically bars the ICO from serving an MPN on the basis of anything discovered in the process of an audit.

Under s41A of the Data Protection Act 1998 (DPA) the ICO can serve a data controller with a notice “for the purpose of enabling the Commissioner to determine whether the data controller has complied or is complying with the data protection principles”. Until yesterday, this compulsory audit power was restricted to audits of government departments. However, the Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014, which commenced on 1 February 2015, now enables the ICO to perform mandatory data protection audits on NHS bodies specified in the schedule to the Order. Information Commissioner Christopher Graham has said

We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens

And I think he chose those words carefully (although he used the legally inaccurate word “fine” as well). Section 55A of the DPA gives the ICO the power to serve a monetary penalty notice, to a maximum of £500,000, if he is “satisfied” that there has been a serious contravention of the DPA by the data controller, that it was of a kind likely to cause substantial damage or substantial distress, and that the data controller knew or ought to have known that this would happen. However, section 55A(3A) provides that the ICO may not be so “satisfied”

by virtue of any matter which comes to the Commissioner’s attention as a result of anything done in pursuance of…an assessment notice

The policy reason behind this provision is clearly to encourage audited data controllers to be open and transparent with the ICO, and not to punish them for such openness. GP practices will not receive an MPN for any contraventions of the DPA discovered during or as a result of a section 41A audit.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under Data Protection, Information Commissioner, monetary penalty notice, NHS

One response to “No data protection “fines” for audited NHS bodies”

  1. Pingback: ICO given power to audit NHS authorities
