UK: Health sector data protection audits highlight areas for improvement
An Information Commissioner’s Office report today gives a snapshot of organizations providing secondary health care and how they are complying with the Data Protection Act.
The report summarises key findings from 19 audits carried out primarily with NHS Trusts by the ICO. The audits looked at how personal data is handled by the organization, and fit alongside NHS information governance guidelines. The organizations voluntarily agreed to work with the ICO to identify good practice and, where necessary, improve procedures relating to the handling of personal data.
The audits found:
• All the organizations had data protection policies and procedures in place, though compliance with the policies wasn’t always effectively monitored, for instance through spot checks.
• All the organizations had a system in place to track health records, though some did not conduct audits for missing files. The physical security of records also varied, with concern raised particularly around unlocked trollies used for moving files.
• There was also a lack of simple password controls, notably forcing regular password changes.
• Some organizations had little in the way of fire or flood protection in place for paper records.
• All organizations had appropriate information governance related risk registers and risk assessments that were regularly reviewed.
• Concern was raised around the use of fax machines for sending personal information, given the human error associated with using a fax machine.
Before three of the audits, staff were surveyed about their awareness of data protection policies. 88 per cent of staff had read and understood the policy in place within their organization, and 94 per cent had completed data protection training within the previous year.
Download the report (pdf)
SOURCE: Information Commissioner’s Office