NHS: Data Protection

Volume 502: debated on Wednesday 9 December 2009

To ask the Secretary of State for Health what breaches of data protection legislation have been recorded in the NHS in each of the last five years; and how many formal undertakings from the Information Commissioner have been signed by NHS organisations consequent on a breach of the legislation. (304243)

National health service organisations are directly responsible for compliance with the Data Protection Act 1998. NHS organisations should also publish serious data loss incidents in their annual reports and notify their strategic health authority (SHA). In turn, SHAs should publish quarterly data losses regarding their NHS organisations on their websites.

It is for the Information Commissioner and the courts to determine whether or not data protection legislation has been breached in any particular case. Details of formal undertakings are published on the Information Commissioner’s website.