InfoLawUpdate - Health sector data protection audit underlines areas for improvement
Burnetts' information law solicitor Natalie Ruane discusses a report published by the Information Commissioner’s Office (ICO).
A report published by the Information Commissioner’s Office (ICO) provided an overview of certain secondary healthcare organisations and how they are complying with the Data Protection Act.
The report summarises key findings from 19 audits with NHS trusts by the ICO. The audits concentrate on how personal and sensitive information is handled by the particular trust and whether this is in compliance with NHS governance guidelines.
The findings of the audits included:
- All of the organisations that took part in the audits had appropriate procedures and guidance in place. However, compliance wasn’t always monitored (for example through one-off spot-checks);
- All organisations had the appropriate systems to track health records but some organisations should be doing more to implement procedures for when a file goes missing and needs to be found;
- The organisations taking part in the audit had varied physical security of confidential and sensitive documentation. One concern that was raised regarded records being kept in unlocked trolleys;
- A general lack of basic password controls (there should have been regular prompts to change passwords);
- Certain organisations lacked fire and flood protection for their paper records;
- There was a general concern from the auditors that fax machines are used rather too frequently for sending personal information, considering the potential for human error.
Encouragingly, the auditors were pleased that all organisations had appropriate information relating to risk assessments and risk registers that were reviewed regularly.
The ICO audit is a free service provided to larger organisations, through which the ICO assesses the organisation’s compliance with data protection practices. The ICO will consider the effectiveness of policies and procedures and whether they are being followed. The ICO will then make recommendations on how to improve.
About the author
Natalie leads the Employment Law & HR team and specialises in education.
Published: Friday 9th May 2014
Categorised: Information Law