Health data protection: Regulator gets new power to audit the NHS

Earlier this week a long-awaited extension to the Information Commissioner's compulsory audit powers finally came into effect, over five years after the passing of the original enabling legislation, the Coroners and Justice Act 2009, which was intended to catapult compulsory audit to the forefront of the regulatory toolkit for data protection in the UK. As of 1st February, the Information Commissioner has the power to carry out compulsory audits of the NHS and supporting environments, such as clinics, healthcare centres and GP surgeries.

The introduction of compulsory audits is likely to be welcomed, for many reasons. Most importantly, it returns the regulation of data protection in the NHS to the constructive path of positive engagement. Since 2010, the observable face of regulation in the NHS has been the imposition of financial penalties for data security breaches and losses of confidential patient records. There are many problems with the 'stick' approach to regulation, not least that the NHS body is deprived of funds that could otherwise be used to make improvements to data protection practices. Fines can naturally lead to a confrontational approach and potentially to 'cover-ups' and 'blame games'. The audit approach removes these problems from the agenda. Very significantly, NHS bodies that undergo compulsory audits cannot be fined for any irregularities that are uncovered by the auditors. In other words, the legal structure of the audit power builds in a privilege against self-incrimination.

There is a considerable body of anecdotal evidence to suggest that the audit medicine is working. To be fair to the Information Commissioner, his regulatory strategy for the NHS has not been exclusively about fines. Over the past couple of years resources have been invested in a voluntary audit programme, which many NHS bodies have taken advantage of. Last year the Information Commissioner published a press release trumpeting his finding that data protection practices in the NHS were improving, which was in part down to the voluntary audit programme. In my own practice I have dealt with organisations who have praised the audit process. Many organisations see the truth of the matter, which is that they are getting a free service from the regulator which adds considerable value.

At PwC Legal and PwC we have a team of data protection professionals who have handled some of the largest and most complex regulatory cases, including Information Commissioner audits and regulatory actions against NHS bodies. We will be pleased to discuss this topic further with you.


To find out more about how we can help address key data protection, privacy and optimisation challenges facing your organisation, please get in touch with one of our subject leaders.