The challenges for Health Records and Data Protection

The health sector continues to be a priority area for us. In the last year alone we have served monetary penalties totalling over a million pounds on health service organisations who have committed serious breaches of the Data Protection Act. Many of these breaches have resulted in the loss of patient data, the majority of which could have been avoided if adequate policies and procedures had been in place and properly implemented. This is why it is vital that we continue to help and support the organisations involved in the new NHS framework to make sure they are fit for purpose.

Now that the provisions set out in the Health and Social Care Act 2012 have become a reality, new systems and processes are being put in place for the health service in England. Primary Care Trusts and Strategic Health Authorities are out and organisations such as NHS England (formerly NHS Commissioning Board) and Clinical Commissioning Groups are in.

For over a year, we have been working with key stakeholders such as the Department of Health and the National Information Governance Board to ensure new bodies, and those which have now been disbanded, fully appreciate what is required in order for them to comply with the Data Protection Act, as well as meeting their legal requirements when responding to freedom of information requests.

This work has covered issues such as determining who the data controller is for the new Clinical Support Units, now NHS England, and for the Data Management Integration Centres, which will become part of the Health and Social Care Information Centre and assume the responsibilities of data controller.

Privacy impact assessments

Our work has involved numerous meetings and workshops where we have gathered information about the new framework and advised those present on information governance issues. We have recommended that, where appropriate, organisations undertake privacy impact assessments and make sure the personal information they are processing is kept secure and is being handled in compliance with the eight principles of the Data Protection Act.

We have also encouraged all those involved in the new framework to fully inform the public what they do and to be transparent about what, why, how and when they collect and use data. They should also provide individuals with a means of contacting them in case they have any outstanding concerns.

The changes have also presented unique challenges for our own office. We have numerous ongoing issues, complaints and investigations relating to bodies that are now disbanded. We will continue to pursue these cases with the organisations that have taken on accountability and the legal liabilities of their predecessors. This will ensure that lessons continue to be learned and failings are recognised.

We have published some FAQs which answer many of the queries we have been receiving from those working in the health service and the wider public.

Data sharing challenges

However, a number of issues still need to be ironed out. We continue to have reservations about the sharing of data between health bodies. Too often the Data Protection Act is used as a barrier to sharing data when in reality, if used correctly, it can be an enabler to safe, appropriate and beneficial sharing. Ensuring organisations understand why, when and how to share remains a priority for us. We are confident that the upcoming report from the Information Governance Review will assist in facilitating and supporting our efforts in this area.

Several GPs have also recently contacted our office concerned that they are being asked to supply information to the Health and Social Care Information Centre, via third party contractors. They have concerns that patients are not being told that their information will be shared in this way and that they will be in breach of the Data Protection Act by sharing their data.

A data controller has a legal obligation to ensure that it is complying with the Data Protection Act when sharing personal information – our data sharing code of practice provides guidance on how this can be achieved. However, from the start of this week the Health and Social Care Information Centre has the power under s259 of the Health and Social Care Act ‘to require and request provision of information’. We are now working closely with the Health and Social Care Information Centre and others to determine whether this power relieves a data controller from their obligations under the Data Protection Act. Either way, the information must be sought from the data controller and not from a third party data processor, which does not have the right to provide the information without instruction from the controller.

So in summary, we have certainly been busy during the last few months and expect this to continue as these changes bed in. We will continue to support organisations across the health service – including those in England affected by this month’s changes – to make sure that patient data is looked after correctly, data protection and freedom of information responsibilities are met and a more modern health service which looks after its patients and their data is truly achieved. We will provide further updates on this work as it progresses.

Dawn Monaghan
ICO Strategic Liaison Group Manager – Public Services
2 April 2013