Healthcare Features
- Written by: Sean Clement
- Category: Healthcare Features
There are significant and widespread data protection compliance concerns in the local government and NHS sectors and these justify the introduction of compulsory audit powers, the Information Commissioner has argued in a business case submitted to the Ministry of Justice.
Making the case for an extension of its assessment notice powers under s. 41A(2)(b) of the Data Protection Act 1998, the watchdog said compulsory audits were “an essential tool to identify and mitigate risks before serious problems occur”. It argued that simply relying on organisations agreeing to an audit was not sufficient.
The ICO said: “Data controllers in these sectors are managing huge quantities of complex and often sensitive personal data, they are often involved in wide scale data sharing initiatives and engaging multiple data processors. The nature of the personal data held by these organisations is such that a breach of the DPA often has particular potential to cause real distress and harm.”
The watchdog said that compliance problems were already evident and warned that the pressures on organisations in the two sectors were only likely to increase in the next few years. “The NHS in particular is entering a period of huge restructure which will involve responsibility for sensitive personal data shifting to completely new bodies,” the business case suggested.
The ICO pointed to the dismantling of Strategic Health Authorities and Primary Care Trusts to be replaced by Clinical Commissioning Boards. “Responsibility for public health initiatives (and in some cases treatment of individuals) is to be passed from the NHS to local authorities,” it added.
“Local government’s involvement with the third sector and outsourcing of services is set to continue. This reorganisation, huge transfers of personal data and potential confusion over responsibilities, has the potential to create more significant data protection risk.”
The ICO argued that these risks were likely to be particularly acute over the next few years, but added that the underlying problems were not short term issues. “The long term ability to conduct compulsory audits (subject to review every five years) would allow the Information Commissioner to intervene where there are significant concerns, see what is happening in practice and provide practical recommendations to mitigate identified risks,” it said.
The ICO argued that there was “a clear case to extend the power to serve an assessment notice to cover all the public, private or third sector organisations who deliver public funded health care services in the UK”.
It added that the definition of ‘local authority’ in the Code of Recommended Practice for Local Authorities on Data Transparency provided a logical basis for setting out the scope of the organisations in the sector that should be subject to the extended powers. "This includes a cut off for parish councils with an income of below £20k," it said.
The watchdog said it was already investing significant time and effort in providing advice and guidance to those trying to comply. “The Information Commissioner can and does use the powers available to him to take action against organisations that breach the rules,” it added.
However, the ICO insisted that a power of compulsion was needed even if in practice this served mainly as an incentive to organisations to sign up to a consensual audit. Since 2007, the watchdog has conducted 18 consensual audits in the NHS and 15 in local government.
“The value of the audit process is clearly illustrated and the extension of the assessment notice power will provide a clear basis for the Information Commissioner to improve data protection compliance in these areas of significant risk,” the business case argued.
It also revealed that the Information Commissioner saw the extension of his powers as a backstop, “albeit a necessary one”.
According to the business case, the Information Commissioner expects it will be only rarely that he has to go as far as serving a formal assessment notice. “His experience with central government [where departments are already subject to compulsory audit powers] tells him that the existence of a compulsory audit power is a strong driver in persuading data controllers to sign up to a consensual audit.”
The ICO claimed that the success of having this power in practice had been “clearly illustrated by the fact that the Information Commissioner has not had to serve an assessment notice to date”. All of those central government data controllers currently covered which had been asked to agree a consensual audit had done so.
The business case reported that many consensual audits in the NHS and local government only came about because a problem had already occurred and the ICO was able to exert pressure on the organisation. But only 53% of NHS organisations referred by the watchdog’s enforcement team for an audit ultimately committed to an audit. Fewer than half (47%) of the local authorities contacted agreed to undergo the process.
The business case provided a range of data as evidence of compliance problems in local government and NHS. It revealed that:
- Local government generated more complaints of potential data protection breaches from individuals between 2007 and 2011, at 4,110, than any other sector. It was followed by general business (3,702) and health (3,701)
- Some 1,589 complaints were upheld against local government and 1,237 against the health sector. The most common basis for upheld complaints was a failure to comply with an individual’s right of access to their information. This was followed by breaches of security and inappropriate/unauthorised disclosures of data
- Private businesses have self-reported 620 breaches since 2007. The NHS had reported 552 cases and local government notified 381 cases
- The majority of problems reported directly to the ICO related to security issues such as loss or theft of personal data. “The range of concerns identified indicates procedural and human failures across a range of areas”
- It is especially difficult to assess the security of manual data without an audit. In the NHS this issue was often graded by the ICO as a significant risk. “Specific problems included lockable storage not being used, patient records left in reception trays openly accessible and insecure confidential waste bins”
- Other issues in the NHS included unencrypted mobile media holding sensitive personal data, weaknesses in training, lack of monitoring of compliance and lack of practical application of records management policies
- Recurring issues in local government identified by audits included a lack of records regarding data sharing, a failure to encrypt laptops and mobile media, poor weeding or destruction of records, inadequate systems in place for the monitoring of subject access requests. Site visits by the ICO also often revealed that adherence to policies was not being monitored.
The ICO’s business case gave a number of examples of specific breaches reported by local government and the NHS over the last six months. They included: the personal data of 1,822 staff being accidentally shared via e-mail to a clinical reference group; documents including clinical information relating to 147 patients being found on the ground outside a hospital; three faxes for individual patients containing sensitive personal data being sent on three different dates to the wrong person; and a spreadsheet containing personal details of 200 housing waiting list customers being emailed in error to just over 150 recipients.
Examples were also provided of recent undertakings given by bodies in the two sectors, as well as the monetary penalties levied so far on local authorities.
The business case revealed that the private sector and other parts of the public sector will not be subject to compulsory audit powers at this stage – despite the ICO acknowledging that they controlled huge volumes of personal data and there was evidence that significant compliance problems existed in those areas.
“Going forward, where the evidence supports the case, the Information Commissioner will recommend the extension of the assessment power in other areas,” the business case said.
“He is already collecting evidence and developing a case to support an extension to some categories of data controllers in the private sector. In the meantime he will continue identifying problem areas, promoting the benefits of consensual audits and monitoring take up across the public and private sector.”
Speaking at a data protection conference in London in October, the Information Commissioner Christopher Graham revealed that businesses were the sector currently generating the most data protection complaints. However, less than one in five companies contacted by the watchdog accepted an offer of undergoing an audit.
Graham said the ICO had written to 29 banks and building societies, but only six had agreed to an audit. Just two out of 19 insurance companies had accepted a similar offer from the watchdog.
An assessment notice served by the ICO under s. 41A(2)(b) can require a data controller to take a range of steps. These include: permitting the Information Commissioner to enter any specified premises; directing the Information Commissioner to any documents on the premises that are of a specified description; permitting the Information Commissioner to inspect or examine documents, information, equipment or material; permitting the Information Commissioner to observe the processing of any personal data; and making specified people available for interview.
The ICO said it was confident it would resource the additional audit activity, thanks to the introduction of the higher tier fee for notification.
A copy of the ICO’s business case can be downloaded here.
Philip Hoult
- Written by: Sean Clement
- Category: Healthcare Features
Lawyers should beware statutory time limits to appeal – if you are late, you are out, writes David Hart QC.
Any lawyer dealing with civil or criminal cases tends to think that, if there is a time limit for doing something in the case, then if that thing does not get done on time, the court may be lenient if there is good reason for extending time. The problem comes where the court is only given power to hear an appeal by a specific set of rules, and the rules say, for instance: you must appeal within 14 days of the decision. In the statutory context, that may mean precisely what it says. And the court, however sympathetically inclined, cannot do otherwise and allow a late appeal.
We see this from the mental health case of Modaresi v. Secretary of State for Health & others [2011] EWCA Civ 1359. Ms Modaresi, who suffers from schizophrenia, was admitted to hospital on 20 December 2010 for assessment under section 2 of the Mental Health Act. Section 66 of the Act provides that where a patient is admitted to hospital in this way, "an application may be made to [the tribunal] within the relevant period" by the patient, and "the relevant period" means "14 days beginning with the day on which the patient is admitted".
Any appeal goes to the relevant bit of the First-tier Tribunal, and its rules provide that an application must be sent or delivered to the Tribunal so that it is received within the time specified in the Mental Health Act 1983. Leaving aside these domestic rules, many will know that provision for such an appeal is guaranteed by Article 5(4) of the Convention.
On the afternoon of 31 December 2010 (so day 11 and within her 14 days), Ms Modaresi gave a completed application form for the Mental Health Review Tribunal to a member of staff on her ward. At 16.41 that day, the member of staff faxed the form to the Mental Health Administration Office of the West London Mental Health NHS Trust. Unsurprisingly, given that it was New Year's Eve, the Administrator who would normally forward such a form to the Tribunal was not in the office and the form was not seen by those who were on duty. After that day, the office was closed until 4 January 2011 when the form was found and faxed immediately to the Tribunal. The Tribunal (also a party) said that the application was outside the 14-day time limit and therefore invalid. They wrote to Ms Modaresi to that effect. The actual decision in this case turned on another rule: if time expires on a day when the Tribunal is shut, time is extended to the end of the next working day. On that basis, Ms Modaresi's judicial review of the Tribunal's decision was successful. The form had reached the Tribunal by the end of that next working day, and the Tribunal were wrong to decide otherwise. Hence she could appeal.
But the message of the case is a good deal wider. Say the Administrator had not been in the next day or had not got round to sending the form in. Ms Modaresi would have had no chance of appealing. In this case, she might have had other remedies (as are discussed by the Court of Appeal), but these may not have been so advantageous. But the problem is far from confined to mental health law. There are equally firm time limits applicable to appeals by doctors and nurses/midwives in respect of decisions by their disciplinary bodies (GMC and NMC), as Ms Mitchell and Ms Holmes found to their cost, as there are in extradition cases such as Mucelli. The immediate reasons why the court's hands are tied are not far to seek. Where a time limit is set within the general court context, the courts have either an express or implied ability to extend time. But where the time limit is set firmly by a law which itself is the only reason that the court gets to hear the case, then the court cannot do anything other than follow the time limit set out by the law, however unjust that may seem. Perhaps there ought to be such a discretion, but the civil servants who draft many of these regulations may not understand that in at least some cases a firm time limit can cause real injustice. Reflect on those Mental Health Act patients who have to appeal within 14 days – they may need all the help they can get to assist them to appeal. And, after all, the drafter is never the person turning away an otherwise meritorious appeal on the basis that it was made on day 15. Perhaps if they were, they wouldn't draft the law in that way.
I was involved in the starkest possible instance of this sort of rule. Some years ago, I helped out a Caribbean prisoner on his appeal against conviction for murder. He was on death row. Any murder was then a capital offence in that jurisdiction. A few days after conviction, he "spoke nicely to" his prison officers, and, one night, found that his way out of prison had been "facilitated". He was apprehended some time later. What to do, given that he had some sort of case as to how the trial had been unjustly handled and hence his conviction wrongly obtained? Answer: Nothing, though I ended up helping to draft a plea of mercy to be considered by the Governor-General - which is not really where you want to be. This was because the legislation provided for appeals against conviction to be brought within 14 days - period. Researches showed that this draconian rule derived from a UK equivalent in force when we hanged people here. No discretion if your appeal form got there on day 15. The justification was as hard as it gets; if you were going to hang someone, at least do it quickly. (Sequel to the story - very fortunately, some time after apprehension, the rules changed, so that murders were categorised as capital or non-capital murders. And his offence fell into the latter category. So escaping, which could have been - literally - fatal, turned out to save his life.)
But back to the here and now. Anyone who is thinking of appealing, please do it in time - don't assume that you can get round a time limit. And if you are thinking of going to a lawyer, give them time to fill in the form for you. Don't leave it until the morning of day 15. They may not be able to help you.
David Hart QC is a barrister at 1 Crown Office Row. This article first appeared on the set's UK Human Rights Blog.
- Written by: Sean Clement
- Category: Healthcare Features
Proposals to extend the Care Quality Commission's role risk distracting the organisation from its core work of regulating health and social care, the National Audit Office has warned.
Additional responsibilities that the Department of Health expects the CQC to assume include oversight of fertility clinics and responsibility for HealthWatch England, the new national consumer body for health and social care.
In a report the NAO said the public’s expectations of the Commission were high, but this was based on a misunderstanding of what it could achieve as a regulator.
The report also said that the CQC’s role – although clearly defined – had not been communicated effectively to the public and providers.
The Commission was set up under the Health and Social Care Act 2008 to act as the independent regulator of health and adult social care services in England.
It took over responsibilities from three bodies – the Healthcare Commission, the Commission for Social Care Inspection, and the Mental Health Act Commission – and began operating on 1 April 2009.
The National Audit Office said the CQC had had “a difficult task in establishing itself and has not so far achieved value for money” in its key role.
The Commission has faced a number of problems since its launch. According to the NAO, these included:
- missed deadlines for registering health and social care providers, other than NHS trusts. This happened at the same time as levels of compliance and inspection activity were falling significantly
- a significant number of staff vacancies with 14% of posts empty at the end of September 2011. This followed government-wide recruitment constraints
- difficulties with the process for registering care providers, which “did not go smoothly”. The NAO said the timetable for two of the three tranches of registrations was not met, with the CQC forced to divert inspectors from compliance activity to registration work to rectify the problem. Together with the vacancy rates, this meant the Commission completed only 47% of the target number of compliance reviews between October 2010 and April 2011.
Amyas Morse, head of the National Audit Office, said: "Against a backdrop of considerable upheaval, the Care Quality Commission has had an uphill struggle to carry out its work effectively and has experienced serious difficulties. It is welcome that it is now taking action to improve its performance.
"There is a gap between what the public and providers expect of the Care Quality Commission and what it can achieve as a regulator. The Commission and the Department of Health should make clear what successful regulation of this critical sector would look like."
In its response to the NAO report, the CQC acknowledged it had been through a “challenging period” but insisted that it was now “firmly on the right track and making rapid progress”.
It said it was committed to increasing the numbers of unannounced inspections in order to identify and tackle poor care.
Chief Executive Cynthia Bower said: “As the NAO report makes clear, we faced a difficult task. We had to bring together the work of three organisations and bring in a new model of regulating health and adult social care. Not everything has gone smoothly, but we have learned, reviewed what we do and made changes – often with support of others involved in health and social care.
"We are a young organisation and we are still evolving - but I firmly believe that we are making real progress. In October alone, we conducted more than 1,400 unannounced inspections. In the last three months we have recruited and trained over 100 additional inspectors.”
Bower claimed the CQC’s report on its Dignity and Nutrition inspection programme, which looked at the care older people receive in 100 acute hospitals, showed how effective its regulatory system could be. This programme will shortly be rolled out to social care, she added.
- Written by: Sean Clement
- Category: Healthcare Features
The legal department at Birmingham City Council has secured another panel place on the high-profile Health Trust Europe framework agreement.
The local authority had already achieved high rankings on the Contract and Commercial Law (2nd), Other Law (1st) and Employment Law (2nd) panels, which were unveiled in September.
It has now been appointed to the property law panel, again in second position. The appointment means that Birmingham's legal team was selected for all the lots it applied for.
Health Trust Europe covers up to 70 NHS trusts in the Midlands and South East. The framework agreement is set to last for an initial three years, with an option to extend for a further 12 months.
John Wynn, Assistant Director at Birmingham, said the appointments were “a unique achievement for any in-house local authority legal services department”.
Wynn, who leads the legal team on practice development/income generation, said picking up work in this way was part of the department’s five-year strategy “to revolutionise the way high quality legal services are delivered for the public sector by the public sector”.