Five key learnings from ICO audits of NHS Trusts

In December 2020, the Information Commissioner’s Office (ICO) published a report that summarised their findings from audits completed in NHS Trusts between May 2018 and May 2019. If you have not read the report, this blog post seeks to summarise five key learnings which any organisation (NHS or non-NHS) can use to strengthen their position against the requirements of the GDPR.
Key Learning 1: An Information Asset Register IS NOT a Record of Processing Activities
An Information Asset Register (IAR) is a list of personal and non-personal information assets held by the organisation. It will hold details of all information assets (software and hardware) including the identity of asset owners, retention periods and security measures deployed. All assets should be periodically risk-assessed and physical checks should be made to ensure that the hardware asset inventory remains accurate. Keeping an IAR is one way to demonstrate the principle of ‘accountability’ and is listed under section 8.1 of the ICO’s newly published Accountability Framework, which details best practice in complying with data protection law.
A Record of Processing Activities (ROPA) is a legal requirement that almost all data controllers and data processors must maintain. As defined under Article 30 of the GDPR, for each processing activity carried out by the organisation, the ROPA must include the purposes of the processing, the types of personal data processed, the categories of data subjects affected by the processing, recipients of the personal data, transfers to third countries and appropriate safeguards, retention periods and a description of the security measures in place to protect the personal data.
It is easy to confuse the two; however, they should not be treated in the same way. As described above, the IAR also covers non-personal information whereas the ROPA only deals with information relating to an identifiable individual. The ROPA is also a mandatory requirement of the GDPR if the organisation engages in frequent high-risk processing, employs more than 250 employees and is not a public authority. Conversely, the IAR is a ‘nice-to-have’ and allows you to meet best practice standards. A practical tip is to use the IAR to inform the completion of the ROPA. The IAR will list the asset owners and administrators for the hardware and software systems that are used by the business. These individuals would therefore be best placed to assist in the completion of the ROPA as they would be familiar with the personal data being processed as a result of using these assets.
Key Learning 2: Your Data Protection Officer should not have financial responsibilities alongside their data protection ones
Section 70(5) of the Data Protection Act 2018 confirms that the Data Protection Officer (DPO) must report to the highest management level within the organisation. They are also required to be independent of the decision-making about processing personal data within an organisation. In their report, the ICO specifically notes that giving the DPO financial responsibilities (such as income generation, budgetary controls and developing a financial performance framework) alongside their data protection ones would undermine their independence and is not recommended.
The DPO should also keep abreast of the latest developments in data protection law. A practical way to do this would be to develop relationships with other DPOs in similar industries and establish a forum to discuss and consider issues relevant to their area of work.
Key Learning 3: Subject access requests DO NOT need to be made in writing
The ICO advises against informing data subjects that requests to access their personal data can only be submitted in writing. Verbal requests are just as effective and should not be ignored. Processes should be in place for staff to be able to record a verbal request and to be able to advise the data subject on the next steps. These policies and procedures should be supplemented with regular refresher training and awareness campaigns in public-facing departments.
Key Learning 4: A ‘layered’ approach to informing individuals is preferred
Individuals have the right to be informed about the processing of their personal data. In the audits that the ICO performed, it was found that many NHS Trusts were simply using their website to display a Privacy Notice containing this information. However, organisations should also consider providing privacy information in a layered approach – particularly if data subjects do not have access to the internet. This can include providing the information through a mix of leaflets, posters and a summarised version of the online Privacy Notice that children can read. Printed copies of the Privacy Notice should also be readily available if you are a public-facing business.
Key Learning 5: Use a variety of methods to communicate changes to company policies
Similar to Key Learning 4, changes to data protection policies and procedures should be communicated to all staff so that they are updated as soon as possible. Using a multi-layered approach in this case would involve notifications on the staff intranet, company-wide emails and regular online newsletters. It is important to remember that not all staff will have the time to understand and comprehend the changes – therefore, providing key highlights instead is strongly recommended.
If you require advice and support on how to comply with the principles for processing personal data under the GDPR, please contact our Data Protection Team at Xcina Consulting. We provide our clients with pragmatic advice and thought leadership to ensure they achieve a robust and defensible position.