Over £1 million spent by NHS trusts on GDPR preparation, FOI reveals
- 16 April 2018
Freedom of Information (FOI) requests sent to NHS trusts in England reveal that more than £1 million has been spent preparing for the General Data Protection Regulation (GDPR).
Parliament Street issued freedom of information (FOI) requests in February 2018 asking trusts to disclose their total GDPR expenditure to date, projected expenditure for the year ahead as well as details about how the money was being put to use.
Within its results, Luton and Dunstable proved to have invested the most in GDPR implementation, having set aside £111,200 for staff support and training. This was followed by Lincolnshire Partnership NHS Foundation Trust, which has spent £106,915, including £1,755 on “specialist training”.
South Central Ambulance Service and St George’s University Hospitals each set aside £95,000 for GDPR. They were followed by Sheffield Teaching Hospitals (£78,000) and Dorset HealthCare University NHS Foundation Trust, which reported having spent £70,000 on a “GDPR specialist” over the course of six months, supported by staff training.
Meanwhile, the Christie NHS Foundation Trust spent £54,000 on an information security management system and consultancy resources.
Other trusts have been more thrifty with their GDPR spend, whether due to budgetary constraints or otherwise.
Derby Teaching Hospitals, for example, reported having allocated just £500 toward preparing for the new regulation.
Alder Hey Children’s NHS Foundation Trust said it had spent £553 on practitioner training, whereas Cheshire & Wirral Partnership said it had spent £662 on training along with an exam.
Goodmayes Hospital, part of North East London NHS Foundation Trust, spent £500 on GDPR preparation, with an extra £70 a month going towards “a secure email system for sending patient records.”
GDPR introduces tighter measures around citizen data privacy, with organisations who fail to comply facing heavy fines.
In total, Parliament Street’s report showed that £1,076,549 had been spent by NHS trusts to ensure data security practices are up to scratch before the 25 May deadline.
However, only 46 trusts replied to the think tank’s FOI request, representing just over a fifth of all NHS trusts in England.
While this suggests that the total spend on GDPR could be considerably higher, research from Digital Health Intelligence conducted in 2017 found that only around half of NHS trusts in England have an implementation plan for the new regulation.
To increase these numbers, Parliament Street suggested that the NHS establish a national GDPR implementation strategy that brings together CEOs and CIOs, in order to ensure consistency between trusts.
It also called on the government to provide “dedicated legal advice in the form of solicitors and specialist counsel to enable all trusts to gain free consultancy on implementation.”
8 Comments
great stuff
You can download all the documentation needed from CertDocKits.com
Most companies are making too much fuss on GDPR. Handled sensibly, it needs little work to ensure that they comply. The problem with most health service IT systems is that they are written by American companies, who charge the earth for any minor changes. Typical of most government departments. I bet that the Inland Revenue does not comply. I have had no request from them to give my permission for them to email me.
I’m not sure if you know a lot about GDPR or a little. The reason I suspect no one will get a consent email from HMRC is because ‘legitimate business’ is the lawful basis of them processing your data and informing you about your account.
Properly implementing GDPR is important in today’s litigious culture. I’m waiting for the phone calls ‘have you been involved in a consent violation’ aka you got an email from a company to whom you didn’t consent explicitly. (to which I’ll reply, how did you get my number!!)
FOI does reveal some interesting results. The NHS (see http://www.nhsconfed.org/resources/key-statistics-on-the-nhs) is a large entity, and £1M on GDPR suggests that each NHS body must already be ISO 27001 (or similar) compliant, else there is a large problem lingering. With ISO 27001 in place, additional spending for GDPR compliance would infer to me that spend is required for DPOs to verify compliance and bridge gaps likely to be found more in the digital arena than with internal training. That said, GDPR compliance is full of gotchas and any fine is worth avoiding; some investment to ensure that our NHS looks after our data correctly would be a good thing.
Much of the NHS uses SQL Server Data Warehouses, and the automation of these, including GDPR-compliant documentation, is possible with automation tools such as TimeXtender, which can make the NHS savings and compliant. Oddly there is still a reluctance to adopt, even though there is a shortage of DBAs and the cost of these is therefore increasing. No different to medical staff shortages.
GDPR could actually create negative spend if the right solutions are deployed and associated benefits identified as such. Automation is key to compliance and efficiency.
It’s generally acknowledged that a typical NHS Trust will have in excess of 1,000 IT systems that might be processing patient data. The majority of these are the so-called Feral or Shadow IT systems created “under the radar” because the corporate systems can’t meet users’ needs.
I challenge any NHS Trust to demonstrate they can identify all such systems, let alone which patients data they may store?
This situation means that organisations are probably unable to comply with current regulations, let alone the GDPR.
Think about whether your organisation could answer a letter like this one here https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/ – In my wickeder moments I toy with sending a version to those NHS organisations that I know have some of my personal data and waiting for the feathers to fly.
Given this, the spending on preparation seems woefully inadequate.
I think the ability to confidently respond to such a letter should be taken as a “GDPR compliant” marker. I’m certainly using that letter as a “worklist” in my organisation.
Wonder how much they spend on answering FOIs…