Data Protection: NHS Turkeys Consulted on Christmas

March 26, 2013

I have just posted {news of the Ministry of Justice’s consultation on the extension of the powers of the Information Commissioner so as to enable him to carry out compulsory assessments of NHS bodies’ compliance with the data protection principles:}. The one question in the consultation document is ‘Do you agree that the Information Commissioner should be given powers under the Data Protection Act 1998 to carry out non-consensual assessments of data of NHS bodies for compliance with the Act?’ While it does not actually follow up with the words ‘ because we are doing it anyway’, the summary in the consultation document (see below) leaves little doubt about the conclusion that will be reached:
‘{i}The evidence set out above clearly demonstrates that the NHS is an area where there are already significant and widespread data protection compliance concerns. … simply relying on organisations agreeing to an audit is not sufficient. A power of compulsion is needed even if in practice this serves mainly as an incentive to organisations to sign up to a consensual audit. The value of the audit process is clearly illustrated and the extension of the assessment notice power will provide a clear basis for the Information Commissioner to improve data protection compliance in these areas of significant risk.’{/i}

While any consultation is usually better than none, this one really does feel like a waste of taxpayer’s money. Just to confirm that suspicion, the ‘audience’ for the consultation is described as the data controllers themselves. It is not that I am feeling bitter about not being asked, although I am sure that there are other people – like patients and doctors (and even funders of the NHS) – who are entitled to express a view. I just don’t see the point of going through the hoops when (a) your mind is made up and (b) the one set of opinions you canvass comes from a group with an obvious axe to grind – a slightly different concept than the ‘interested party’ justification that is usual for consultations.

My guess is that all the respondents will just end up feeling aggrieved. Some might want compulsory assessments just to ensure that they cannot be fined. But surely most have better things to do than satisfy the ICO that they are doing their job.