Contractors could face data protection audits

Contractors to NHS bodies could become liable to compulsory audits under the Data Protection Act, the minister responsible revealed this week. Simon Hughes, justice minister, said that the NHS - one of the largest data controllers in the UK - was already due to be made liable to compulsory audits, which today cover only central government departments.

The new requirement could be extended "possibly in due course" to companies carrying out work under contract to NHS bodies, Hughes told the Privacy Laws & Business conference in Cambridge. The Liberal Democrat minister also revealed that he favoured bringing private contractors under the scope of the Freedom of Information Act.

The conference also heard that a tougher European data protection regime - vigorously opposed by the UK - is on track following approval by the European parliament. The data protection regulation, which will create a statutory 'right to erasure' and bring companies in the US and other parts of the world under the scope of EU law, is on 'a good track' for agreement next year, Thomas Zerdick, head of reform at the European Commission's data protection unit, said.

However the UK information commissioner, Christopher Graham, warned of the dangers of over-prescriptive regulation. Stressing that he was not speaking on behalf of the UK government, Graham said that by 'over-speccing' the new legislation 'we are in danger of creating something that, because it cannot be done, will be less use than what we have got at the moment'.

The draft regulation, first floated in 2012 to update and strengthen the Data Protection Directive, was adopted almost unanimously by the European Parliament before the May elections. Among the changes introduced by the parliament was an increase in maximum fines on businesses from 2% to 5% of a company's global annual turnover.

The next stage of the 'trialogue' process will be to reach a consensus with the European council of ministers. This is likely to involve a battle with the UK, which is arguing for the law to be updated by a directive, which would be implemented through national legislation, rather than a regulation, which has immediate force on member states. 'We have momentum and can only go forward,' Zerdick said. 'We hope to have a package ready in 2015.'

Graham agreed that modernisation was essential, but stressed the need to 'engage with partners all around the world. We cannot pull up the drawbridge on the rest of the world, either the European or the UK. We're dealing with a global phenomenon, there need to be global solutions'. 

Hughes told the conference that, despite differences with other member states, the UK remained committed to modernising the law: 'We have been fully involved all the time; we really are keen to get it done.'