The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

From May 2018 to May 2019, the ICO conducted a series of consensual data protection audits of NHS organisations, assessing their compliance with the GDPR. These organisations were a combination of Foundation Trusts, Health Boards and Ambulance Trusts. We analysed our findings and summarised them in this overview report.

Leanne Doherty, Group Manager, Regulatory Assurance, said:

“The health sector handles some of the most sensitive personal data, and patients have the right to expect that information will be looked after. As part of our role in supporting the sector, the ICO’s Assurance team carry out data protection audits where we see first-hand the professionalism and commitment of people working in information governance and some of the challenges they face.

“Since the advent of the GDPR, our primary focus has been to assess the effectiveness of the governance and accountability measures that organisations within the health sector have put in place in line with the requirements of data protection law. We have identified some common challenges within the sector that, if not recognised, understood and resolved, could pose a risk to the security of the personal data of patients and staff.

“This report aims to highlight our experiences to help the sector to recognise where they can make improvements in compliance with data protection law.”