The Ministry of Justice has unveiled plans to give the Information Commissioner’s Office (ICO) powers to carry out compulsory data protection audits on public health bodies in the UK.
The ICO currently has the power to conduct compulsory data protection audits on central Government departments in accordance with the Data Protection Act. However, consent must be obtained from other organisations before investigations can commence.
The Ministry of Justice has now said it has been convinced of the need to bring health bodies within the scope of the ICO’s compulsory audit powers and has launched a 32-page consultation document. Health bodies are being encouraged to give their views, with submissions accepted until 17th May 2013.
The Ministry of Justice said that, where the ICO had conducted consensual audits, it had identified data security problems, including “lockable storage not being used, patient records left in reception trays openly accessible and insecure confidential waste bins” as well as unencrypted sensitive data being held on mobile devices.
The highest fine the ICO has ever levied on any organisation for a breach of the Data Protection Act was served on Brighton and Sussex University Hospitals NHS Foundation Trust last year. The Trust was fined £325,000 after “highly sensitive personal data” was stolen from a hospital under its control and sold on eBay.
The watchdog had set out its intention to focus on improving health sector compliance in its information rights strategy published at the beginning of 2012.