New powers to compulsorily audit data protection in the NHS

19 February 2015

A change in the law has given the Information Commissioner new powers to compulsorily audit GP surgeries and other public healthcare organisations to assess how they handle personal patient information.

The law that came into effect on 1 February amends the Data Protection Act and allows the Information Commissioner’s Office (ICO) to enter premises without consent to check on compliance with the Act and to review areas including security of data, records management, staff training and data sharing.

Previously, the ICO would only undertake compulsory audits in central government departments and consent was required for audits in the NHS. The new legislation will not apply to any private companies providing NHS services to the public.

Christopher Graham, the information commissioner, said: “The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern.

“Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough.

“We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step for patients.”

The ICO has powers to impose monetary penalties, issue undertakings or even launch criminal proceedings against organisations and individuals who fail to protect private data. To date, the ICO has issued fines to NHS organisations totalling £1.3 million.