ICO audits of the NHS - new powers coming | Fieldfisher

27/03/2013
The UK Ministry of Justice opened a public consultation yesterday on the expansion of the Information Commissioner's compulsory audit power to the NHS. The NHS, which is one of the UK's biggest employers and controllers of sensitive personal data, has been firmly in ICO's sights for over a year now: back in January 2012 the Commissioner identified “health” as his number 1 priority for regulatory action (see the “Information Rights Strategy”), which led to a series of high-profile fines being imposed on NHS bodies for various data breaches (after Local Authorities, the NHS was the sector that received the most fines in 2012). ICO has long been arguing for the extension of its compulsory audit power to the NHS, and it is clear from the consultation document that the Government is supportive.

These audits, or “Assessment Notices” as the statutory language prefers, were introduced into ICO's regulatory toolkit by the Coroners and Justice Act 2009. But while the legislation envisaged the possibility of ICO being able to audit any part of the economy, at the moment the audit power is restricted to Government departments. Many commentators regard this as odd and out of kilter with both the Parliamentary intent and the overall trajectory of data protection law. For instance, under the E-Privacy Regulations ICO has a related compulsory audit power which it can use in the electronic communications sector (principally telecoms companies and ISPs). Likewise, the draft Data Protection Regulation includes a proposed wide-ranging audit power for national regulators in the EU. Similarly, the draft Cybersecurity Directive published in 2013 proposes a regulatory audit power for “Market Operators” who underpin the Internet, cloud computing services, health, transport, financial services and energy. In other words, compulsory regulatory audit powers are considered to be a fundamental component of mature regulation, albeit, of course, these powers should be exercised sparingly, proportionately and in a non-discriminatory manner.

The current proposal is a welcome opportunity for Government, ICO and the NHS to sort out the mess that is data protection regulation in the NHS. Currently, the “assessment” regime leads to very unfair results, in the sense that a data controller who undergoes a compulsory audit or assessment of legal compliance receives much more favourable treatment through immunity from fines than one who voluntarily reports a data handling problem to ICO for investigation. The recent pattern of fining in the NHS has not been universally welcomed, but these developments may reduce their frequency in a sector that feels harshly treated.

However, NHS bodies should not think that compulsory audits or assessments leave them free of enforcement measures. While ICO cannot fine after exercising an Assessment Notice, they can still impose Enforcement Notices, which are backed up by criminal sanctions for those controllers who do not comply with their terms. Yet, at least Enforcement Notices keep the money in the NHS, which means that the NHS can dedicate what would have been fine money to data protection improvements.

It will be very interesting to see how the NHS responds, but many bodies will be thinking about how they can avail themselves of ICO audits in the meantime to remove the spectre of fines. This is because voluntary audits and assessments carry the same immunity from fines as compulsory ones. Indeed, one might think that it will be a very unfortunate NHS body who is fined, because there is a pathway here to fine neutrality. So, will we see a rush of requests for voluntary audits and assessments? Clever NHS bodies must be thinking about this.

The Consultation closes on 17 May. If you would like to know more about Assessment Notices and how they operate, or if you would like a copy of my firm's research into ICO enforcement actions in 2012, please contact me.
