Compulsory Data Protection Assessments for the NHS

ICO Assessment Notices

The UK Ministry of Justice is consulting on a proposal to extend the powers of the Information Commissioner to carry out compulsory assessments of NHS bodies’ compliance with the Data Protection Act 1998 and its data protection principles.

It seeks views from NHS data controllers across the United Kingdom. The proposals for compulsory data protection assessment are informed by the Information Commissioner’s experience working with NHS bodies to improve their compliance with data protection law.

This consultation is aimed at NHS data controllers in England, Wales and Northern Ireland and at Health Service data controllers in Scotland.

The consultation closes on 17th May 2013.

Background to Data Protection Assessments


The NHS is one of the largest data controllers in the UK, processing a huge amount of sensitive personal data on a daily basis. It is therefore important for confidence in the NHS that the public feel reassured that their personal data is being handled in compliance with the Data Protection Act, and that personal data losses and other breaches, which can result in considerable harm and distress, are avoided.

The Information Commissioner has requested that the Secretary of State use the Order-making power under section 41A (2)(b) DPA to extend the powers of the Information Commissioner to carry out compulsory assessments of NHS bodies’ compliance with the data protection principles under the DPA.

In support of this proposal for compulsory data protection assessments of NHS bodies, the Information Commissioner has provided evidence, by way of a business case, which forms the basis of this consultation. The business case demonstrates that the NHS is an area within which the use of the assessment notice power would be beneficial, and it targets all NHS data controllers in England, Wales and Northern Ireland and Health Service data controllers in Scotland.

The Information Commissioner’s Office (ICO) already has the power, under Section 51(7) of the DPA, to assess whether NHS bodies are following good practice, entering their premises with their consent. The proposal to move from consensual to non-consensual assessment powers is informed by the ICO’s experience working with NHS bodies to improve their compliance with data protection law, and favours a more preventative approach to increasing compliance within the sector.

The designation of NHS bodies would involve no new obligations beyond their existing obligations to comply with the DPA. To that end, the Information Commissioner has agreed to work closely with the Care Quality Commission to agree a Memorandum of Understanding that avoids duplicating the burden on NHS bodies, ensures a collaborative approach and provides for the sharing of knowledge and intelligence.

For the most part, this consultation follows the Consultation Principles issued by the Cabinet Office. However, given that this is a sector specific targeted consultation we consider that a reduced consultation period of 8 weeks rather than 12 is appropriate in this instance.

An Impact Assessment has not been completed for this proposal, as the impact is limited to the public sector and the costs involved are likely to be below £5m per annum.

Consultation website