National Health Service organisations are directly responsible for compliance with the Data Protection Act 1998. NHS organisations should also publish serious data loss incidents in their annual reports and notify their strategic health authority (SHA). In turn, SHAs should publish quarterly data losses regarding their NHS organisations on their websites.
It is for the Information Commissioner and the courts to determine whether or not data protection legislation has been breached in any particular case. Details of formal undertakings are published on the Information Commissioner’s website.