Data loss is high profile these days, and the Information Commissioner’s Office is planning on reforming its approach to regulation and auditing. Stuart Knowles recommends that CCGs take this opportunity to get their house in order.
Imagine, if you will, the effect upon the chief executive if a notice of intent to fine in the sum of £375,000 from the Information Commissioner (ICO) landed on your doorstep.
You might ask yourself: where did it all go wrong?
Such was the fate of colleagues at Brighton and Sussex University Hospitals following a security breach in which a number of hard drives sent to a contractor for decommissioning ended up on eBay.
The ICO is currently very active on the regulatory front. Total fines imposed for data breaches have topped a million pounds, and the ICO constantly reminds us about each new scalp.
The regulator is pressing for new powers (including enforced audits of public bodies), and the ICO has the NHS in his sights.
Make no mistake, the ICO sees this period of reform as an opportunity for the NHS to get its house in order and we miss it at our peril. Fledgling clinical commissioning groups should take note.
Most NHS organisations have good information policies in place and there is plenty of learning to be had from the ICO, Department of Health, NIGB (including Information Governance for Transition) and the Information Governance Toolkit.
We all know how important it is to embed privacy, good information governance and training into our culture and into the daily activities of all staff. Checklists, action plans and guidance are available to all at the click of a mouse.
But let’s consider a couple of basic points to assist with robust information governance, help NHS bodies not to fall foul of the ICO and to stand firm in the face of ICO action.
Controlling our information in the hands of third parties
The real risk is data security. That’s where the ICO gets really excited. Consider, just for a moment, that a real risk for any organisation (as in the Brighton case) arises when information is not in our direct control.
The key is to keep control of the process and keep the evidence of what you have done. You share information with so many third parties and even more have access to it. Conventional wisdom dictates we draw up tight data sharing protocols and contracts. Precedent terms are widely available – though make sure they are amended to reflect the actual situation.
Consider: are all your contracts centrally controlled and managed? If not, they should be. Information governance input is vital. It is a fundamental principle that organisations must put in place appropriate technical and organisational safeguards.
Before signing any contract involving the release of, or access to, data, make sure you do proper due diligence on the third party. Ask the right questions. Ask for (and retain) evidence of their good practice. If necessary, go and inspect what happens on the ground.
Furthermore, during the lifetime of the contract, make sure you schedule, and undertake, regular audits of the third party’s compliance. Get the evidence on your file that they are complying with their contractual obligations. If things go wrong, make sure the third party can demonstrate that matters have been put right.
It is worth considering doing your own internal audit before the ICO invites his team down for a visit, perhaps using an external auditor. Keep the record and details of changes made to make data more secure.
Keep your own audit trail and evidence of good practice
Today, data loss is high-profile. The ICO is actively attempting to regulate the operations of organisations whilst also pushing hard for the power to force an audit of what you are doing (which is likely to become a “badge of dishonour”).
However, regulation is expensive and the ICO’s practice is likely to change. Regulation will become more systems based, with the ICO inspecting policies, procedures and paperwork. It’s cheaper, more ‘efficient’ and is the main reason why organisations must keep the evidence of their activities, contracts, due diligence and internal audits. If the ICO comes calling, you will have all the evidence of your good practice and due diligence to hand, and he is much less likely to take more formal enforcement action.
Finally, make sure you read, and follow, the new ICO guidance on Assessment Notices and Monetary Penalties. If you can show compliance, even if things go wrong, you have the basis of a defence to any proposed fine or enforcement action.
In the words of the ICO, to fine you there has to be a ‘serious contravention’ of the Data Protection Act 1998, and that means, inter alia, that there was a failure ‘to take reasonable steps to prevent the contravention’.
So if you have done all that he asks, and you have the evidence to hand to back that up, everything should be in place for you to proceed with your best foot forward.
Don’t give in without a fight!