The information watchdog has raised fresh concerns about the NHS’s ability to protect sensitive personal data, warning trusts of further fines and adverse publicity if they fell short of their duties.
The Information Commissioner’s Office will today publish audits of 60 public and private sector organisations’ arrangements for complying with the Data Protection Act (1998).
The watchdog said the reports had “highlighted the positive approaches many private sector companies are adopting to look after people’s data”.
“However,” it added, “concerns remain about data protection compliance within the local government sector and the NHS.”
The warning comes as the NHS looks to increase the amount of data it shares with other organisations – a move the ICO said could increase the risk of data breaches.
ICO head of good practice Louise Byers told HSJ the watchdog would not shy away from handing out more fines to NHS bodies which fell short of their duties and that this would lead to “adverse publicity and loss of trust from patients”.
She added that the “vast majority” of the fines, so-called civil monetary notices, were handed to trusts for security breaches around personal data, with recent examples including a £175,000 fine handed to Torbay Care Trust.
The watchdog did however acknowledge performance was improving and that potential solutions to mitigate problems did not have to be “complicated or expensive”.
The summary of audits of NHS trusts, Good Practice, Audit outcomes analysis, NHS – February 2010 to July 2012, said: “The trend indicates a year on year improvement in the assurance ratings awarded which suggests improvement in the management of key information and data protection risks.”
But there remained “room for improvement”. Just one out of 15 NHS organisations achieved the top rating for data protection compared to 11 out of 16 private sector organisations.
Of the remaining 14 NHS bodies, 10 had a “reasonable” level of assurance while four had just a “limited” level of assurance. None were seen as posing a “substantial risk of non-compliance” with the Act.
Performance across local government and central government was comparable; the vast majority were classified as having “scope for improvement in their existing arrangements”.
NHS bodies which took part in the voluntary audit programme included a range of trusts, individual hospitals and strategic health authorities.
Ms Byers warned that despite an increase in burden being placed on information governance teams, some trusts were cutting their resources because of budget pressures.
She added: “A lot of the things that we have seen that work well are not necessarily expensive or complicated solutions.
“Organisations can often use what they have in place already, like intranet or existing training or forums and communities within their organisations to minimise these risks.”