On 29 March 2017, the Information Commissioner's Office ("the ICO") issued resources aimed at improving records management in the health sector. The ICO is focussing on the effective logging, tracking, movement and storage of manual records across the health sector. The resources are designed to address shortcomings found by the ICO when conducting audits in a range of health organisations.
Further resources targeting the healthcare sector will be issued later this year.
The ICO is the UK's independent body set up to uphold information rights. Its work includes:
The ICO can impose sizeable fines on organisations for breaches of the DPA and FOI.
A breach of the DPA and/or FOI may also amount to a breach of the terms of any contract that you hold to provide healthcare services. Any breaches of data protection legislation, and the effectiveness of what you have in place to avoid them, will also be of interest to the CQC.
To protect your organisation from data protection breaches and to ensure compliance with the DPA/FOI, you should have robust policies and procedures in place, backed up by staff training. Having effective measures in place will reduce the risk of non-compliance and will often be a mitigating factor should a breach occur.
The DPA is set to be replaced by the new General Data Protection Regulation ("GDPR") from May 2018. This will significantly increase the regulatory burden on organisations in the healthcare sector. For example, the GDPR places a greater emphasis on information security and transparency. The GDPR will also increase the penalties for non-compliance: the current maximum fine of £500,000 will rise to as much as €20 million or 4% of global annual turnover, whichever is the higher.
The ICO is a useful source of guidance in relation to the steps you can and should take to comply with your information law duties.
VWV has an experienced team of Data Protection solicitors, who provide specialist legal advice on all aspects of information law and data protection compliance. Should you find yourself the subject of an investigation by the ICO, CQC, NHS England or your CCG, we have the expertise to help you to address any concerns raised.
Our Data Protection team can also provide a suite of data protection policies. We also offer training on all aspects of Data Protection Law and can provide further information on the GDPR, the changes it will bring and how it will affect organisations in the sector.