GP practices across UK face compulsory data protection audits

GP practices face compulsory audits from this month by the information commissioner to check their compliance with data protection laws.

Data: ICO could force audits on practices

GP leaders warned that the moves could put patients at risk if they piled more bureaucracy on top of the heavy workloads already faced by practices.

Following an overhaul of regulations, from 1 February the information commissioner's office (ICO) will be able to carry out compulsory audits to assess data protection by organisations including GP practices.

Previously the ICO was only able to force these checks on government departments.

NHS organisations including GP practices found to be in breach of data protection laws have faced heavy fines. GP reported in 2013 on campaigners warning that practices could face fines of up to £500,000 for breaching data protection rules, and the ICO has issued fines totalling £1.3m to NHS organisations.

Routine inspection

However, a spokesman for the ICO confirmed audits were intended to flag up problems with data protection before a breach occurred, and their findings could not trigger a fine. He added that all practices would not be inspected as a matter of routine, and that audits could be triggered by concerns raised about a practice or other factors.

GPC deputy chairman Dr Richard Vautrey warned that the move must not leave practices facing yet more bureaucracy.

'GPs and practices take confidentiality and the appropriate handling of patient data very seriously,' he said. 'That's why we've been so concerned over the years about various government IT schemes that could undermine the confidence patients have in their GP.'

'We would need to see the details of any proposed audits the ICO planned to use, but they need to be very careful not to add yet more to the already heavy workload burden on practices and therefore make it even more difficult to provide good quality care to patients.

Regulatory burden

'The last thing practices want is CQC calling on Monday, the NHS England area team ringing on Tuesday, the CCG demanding attendance at a meeting on Wednesday and then the ICO requiring an audit to be done on Thursday, as the result of this regulatory burden could be having to handle a GMC complaint on Friday because patient care was compromised.'

Audits by the ICO can look at how organisations handle patients' personal information, security of data, records management, staff training and data sharing.

Information commissioner Christopher Graham said: 'The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern.

'Time and time again we see data breaches caused by poor procedures and insufficient training. It simply isn’t good enough. We fine these organisations when they get it wrong, but this new power to force our way into the worst performing parts of the health sector will give us a chance to act before a breach happens. It’s a reassuring step for patients.'

*This story has been amended following a clarification from the ICO that problems with data protection uncovered in compulsory audits cannot lead to a fine.
