Just a brief blog about the proposals to extend the ICO’s audit powers to NHS bodies and how improved protection for data subjects can be obtained at minimal cost.
Amberhawk argues that if "unannounced" NHS data protection audits are to occur, then such audits should be extended to any department of a data controller that obtains health personal data from the NHS (e.g. research organisations; Local Authority Social Work Departments).
This will enhance the protection for data subjects. In our view, there is little point in extending "unannounced" audit to NHS bodies if widespread sharing of health records occurs with non-NHS data controllers who are not subject to such an audit.
We also suggest the ICO should be able to recover some or all the costs of an audit, especially when an audit arises as a result of enforcement action (e.g. MPN) or an Undertaking. We do not see why scarce ICO resources that protect data subjects should be expended on errant data controllers who should know better. A cost recovery mechanism that can be used by the ICO as required allows those resources that protect data subjects to be replenished.
If you agree with some or all of these simple propositions, can I encourage you to complete the consultation exercise; there is a chance that the current limited suggestion can be significantly improved.
In further detail, the four improvements we suggest are as follows:
1. Audit powers should be extended to Local Authorities, especially Social Work Departments, which now have responsibilities for public health and joined-up services with the NHS (in theory).
2. In general, if NHS bodies share health personal data, then those organisations (or parts of organisations) who obtain the health personal data should also be subject to audit. These organisations include research organisations and Universities. This step will help reassure data subjects that all health data originating from the NHS are subject to "on the spot audit" at any time, irrespective of the identity of the data controller.
3. The ICO should have the flexibility to recover some or all of the cost of all consensual and compulsory audits, especially when an audit follows a breach of a Principle or Right (e.g. a reported data loss where there has been enforcement action or Undertaking signed by the data controller). If costs are not recovered, the resources of the ICO that are aimed at protecting data subjects are expended on errant data controllers that cause problems for data subjects. A contribution from those errant data controllers will help maintain the ICO's ability to protect data subjects.
4. The extension of powers to NHS bodies in Wales, NI and Scotland should be subject to approval of the respective devolved Parliaments.
Of course, you can argue that the ICO's audit service should be free, but in general, I do not see a modest contribution by the data controller to costs as being excessive. It is also possible to link the cost recovery to the size of the data controller (e.g. those that pay the £500 notification fee).
References
Submit your views: https://consult.justice.gov.uk/digital-communications/ico-assessment-notices/consultation/intro/view
Consultation document widening the powers of audit to NHS bodies on: https://consult.justice.gov.uk/digital-communications/ico-assessment-notices