GOC fails to meet standards in the PSA’s annual review

An assessment by the Professional Standards Authority shows the optical regulator failed to meet standards for FTP, accuracy of its registers and data security

professional standards authority logo

The General Optical Council (GOC) has failed to meet a number of standards around fitness to practise (FTP) and regulating its registration processes, according to a new report from the Professional Standards Authority (PSA).

The PSA performance review, published last month (June 25), highlights a number of concerns around the length of time to resolve FTP hearings, inaccuracies in the GOC’s registers and serious data security breaches.

The optical regulator met all standards in the previous assessment in 2013/14. In the latest assessment, the GOC met 21 of 24 standards, failing to meet one of the standards for good regulation for registration and two standards for good regulation for FTP.

The findings show a slip in standards, with the GOC ranking sixth out the nine health and care professional regulatory bodies, ahead of only the General Chiropractic Council, the Nursing and Midwifery Council and the beleaguered General Dental Council.

According to the assessment, the PSA identified errors with the GOC’s registers on two separate occasions – concerning failure to update records and confusion about the removal of a suspension from a registrant’s record.

Crucially, the assessment also reported a number of breaches of data security. In two cases the breaches were deemed serious enough to be reported to the Information Commissioners Office (ICO), the authority which rules on breaches.

One of the cases reported how a copy of the ruling from a “particularly sensitive” FTP case was sent to the wrong registrant. A second serious breach involved statements from an on-going FTP investigation being sent to three registrants unconnected with the case. In a less serious instance, not reported to the ICO, password-protected documents were emailed to the wrong legal firm by mistake, followed by a separate email containing the password.

The report states: “We are disappointed to note that four data security breaches took place during this period.” It continues: “In light of the seriousness of the breaches reported to the ICO, the concerns expressed by the ICO and the current absence of written procedures covering the processing of such data…we do not consider that the GOC has met this standard.”

Delays in FTP process

Although the PSA noted good progress in the GOC’s implementation of its enhanced CET scheme, launched January 2013, it notes that the sluggish progress of FTP cases is a matter for concern. The assessors found that the median time from initial complaint to a hearing decision is 104 weeks, while median time from final case examiner decision to final FTP decision is 51 weeks. The report states that such delays “adversely affect all those involved” and can “impact on the quality of the investigation...and on public confidence in the regulator.”

Commenting on the PSA’s findings, chief executive and registrar of the GOC, Samantha Peters, said that the regulator understands the “utmost importance” of speeding up the process.

Ms Peters said: “We have a clear plan in place addressing the areas where we didn’t meet the standards in this year.”

The chief executive added: “Against the backdrop of 48% increase in our caseload, we have not reduced the overall time we take to deal with complaints as we would like to have done. We are determined to reduce this time in the interests of patients and registrants alike.”

Ms Peters also said that measures have been implemented to address the inaccuracies found in the GOC's registers and the breaches of data security found by the assessment.

The regulator has reportedly commissioned an independent audit in response to review registration processes and will include additional incident reporting policies staff training.

Ms Peters said: “New information, security and incident reporting policies will help us to address the small number of data breaches we had last year. In respect of these breaches we quickly identified them and our staff took fast and appropriate action to minimise any risk. The ICO did not take any enforcement action in respect of the breaches. Nonetheless, we remain committed to doing our utmost to prevent such incidents.”

She told OT: “We always look to learn from the PSA Performance Review – both in terms of looking at other regulators’ good practice, and learning from problems that others have had. Other regulators failing standards shows that the issues raised by the PSA are not unique to us, but we are nonetheless striving to meet all of the standards again in the future.”