ICO Data Protection Audits of NHS Trusts

On top of the established pressures that our health sector faces, the need to ensure compliance with data protection law and the UK General Data Protection Regulation (GDPR) is more important than ever, so that data protection practices are effective in practice and not only on paper.

The ICO published a report in December 2020 following the audits of 12 NHS organisations including Foundation, Health Boards and Ambulance Trusts between May 2018 and May 2019. The audits were carried out to examine the effectiveness of practices in line with the GDPR.

As can be seen from the chart below, 167 separate key recommendations were made that were identified as either Urgent or High priority:

The findings and recommendations were far reaching and the potential impacts for health settings are clear. The findings included:

Area of Focus: Record of Processing Activities (ROPA)

Findings: The audits found that most of the Trusts involved did not have a ROPA in place. In fact, they also found that some had not started to produce a ROPA at all.

Area of Focus: Data Protection Officers (DPOs)

Findings: The report highlighted the need for DPOs to operate in an independent manner. The audit report went on to state that ‘In most cases we were concerned that DPOs did not have a clear way to raise data protection concerns with the Board’.

The report also suggested that greater support for DPOs was needed from the central NHS, as well as greater networking opportunities in order to share good practice.

Area of Focus: Subject Access Requests (SARs)

Findings: Of the 12 Trusts included in the audit, the report identified that ‘most’ of them did not have procedures outlining how to deal with verbal SARs. In fact, some of the Trusts would not accept a SAR made verbally at all.

The report also raised concerns about whether the training given to staff was good enough for them to recognise when a SAR had been presented to them, which meant that SARs were not always passed on to the correct team to deal with.

Area of Focus: Privacy Information

Findings: The audit teams identified that, in general terms, relevant privacy information was only available in one format (e.g. the website) rather than in a variety of ways, so it was not accessible to all.

Added to this, the report stated that the audit teams had concerns about the availability of such information on the Trusts’ websites, as ‘these web pages were either difficult to find or did not appear in the search results’.

Area of Focus: Training and Awareness

Findings: The main concerns raised were in relation to the training given to agency and locum staff and to data processors. The report highlighted the need for staff to be fully trained, for the Trusts to keep accurate records of this training and of who has received it, and for a suitably senior and qualified leader to scrutinise the quality of the training delivered.

Area of Focus: Data Processor Contracts

Findings: The audit teams identified that the NHS Standard Contract template was not always used when employing third party data processors. As such, the concern was that such contracts did not contain the full range of compulsory terms and clauses required under the GDPR.

The report also highlighted a lack of processor compliance checks being undertaken by the Trusts before contracts began, thus potentially leaving the Trusts in a vulnerable position.

Area of Focus: Other Development Areas

Findings: The report also highlighted a number of further development areas that were identified as a result of the audits, including:

  • Developing procedures to carry out Data Protection Impact Assessments (DPIAs).
  • Disposing of confidential paper waste securely.
  • Making sure staff were aware of the procedures regarding patients’ access to their information.
  • Ensuring that staff were involved in a sign-off process following their induction to show that they had read and understood the relevant data protection policies.
  • Making sure that the roles of Information Asset Owners (IAOs) and Information Asset Administrators (IAAs) were undertaken by appropriate members of staff and that this element of their role was clear in their job description.
  • Ensuring that KPIs are used to measure data protection performance and allow accurate and timely reporting to the Board.

Area of Focus: Good Practice

Findings: The report also identified a range of good practice, including:

  • The effective use of Information Management Steering Groups.
  • Data Protection Forums where staff were able to raise data protection issues.
  • Sending out regular bulletin updates to staff.
  • Ensuring that key policies were readily available in dedicated intranet areas.
  • Constructing policies in a uniform manner and style.
  • The use of clear Governance Frameworks.
  • Clear publishing of relevant privacy information.

BLS Stay Compliant has over 85 years of experience supporting public sector organisations, and in particular the health sector, to ensure that they remain compliant across the full breadth of data protection.

If we can support you with any aspect of data protection compliance and training please contact us and one of the team will be happy to discuss your needs:

Tel: 01757 616885

Email: info@bls-staycompliant.co.uk
