Sunday, August 18, 2013

A reply to Jon Baines' article on NHS DP audits

A reply to http://informationrightsandwrongs.com/2013/08/18/data-protection-audits-in-the-nhs/#more-1142, about the MoJ's consultation on DP audits for the NHS:

Something does have to be done in the NHS, but I am not convinced that another audit would do it.

As you will know, NHS organisations have to do an annual information governance appraisal, via the NHS IG Toolkit (at least they did, until April this year - not sure about now). This reports on FOI, DP, the law of confidence, IT security, etc, etc. The IG manager traditionally spends weeks, if not months, chasing people to say what policies and procedures are in place to tick all of the boxes needed by the audit. This is then sent off to Connecting for Health (which has now been replaced by the mighty Health and Social Care Information Centre, which, as we know from its attitude to the GP Extraction Service, seems to care as much about privacy as PRISM). The results were available publicly for everyone to see.

So, a lengthy audit has always taken place, and despite this, CMP and data breaches are frequent.

The problem, as I see it, is that all the audits in the world cannot change the fact that the NHS, education and the police are the biggest front-line organisations, that they hold the most information about people, and that their workforces have not caught up with the changes in technology: it is now possible to lose data, and for that loss to be made public, with a couple of clicks of a mouse.

However, the NHS is the most troublesome of the three - in education, the data held is sensitive, but mostly not that interesting. Schools and colleges are mostly insular communities and most of the information held (I am not being cavalier about the sensitivities, just giving an impression of the broad sweep of how it is perceived) is not that interesting. Of course, it would be awful if we discovered that Mr Smith's two children had free school meals, revealing something about their finances, but this is not that interesting.

The police, with their constant interactions with the law, have a direct, everyday awareness of privacy (again, I am not saying that the police are perfect - no one is).

The NHS is different. The job is usually saving lives or healing (or the thousands of other jobs that feed into this aim), and the workforce is one of the largest in the world (albeit broken into small units, such as hospitals, etc). Unlike schools, the information is always incredibly sensitive and interesting. Unlike the police, there is little awareness of the law.

No doubt, all NHS staff do DP awareness training but the rate of information sharing between organisations and between parts of huge organisations is massive (in schools, all teachers know each other - in hospitals, you can work in the same building as someone for 5 years and never know them). And although IT has been in the NHS for years, the ability to lose data on a memory stick is simply underestimated. People want to help, to make people better. This is why patient notes are taken home at night. This is why data is shared inappropriately.

This is why I believe that something has to be done about the NHS in a way that it may not need to be done with other types of service providers.

But what? Well, somehow, you have to make sure that about a million people understand something about information that inductions, yearly updates and an IG toolkit have failed to do.

When people realised the MRSA risk, it became OK to challenge people who did not wash their hands. In the case of nurses working with lots of beds, they had to sanitise their hands literally every couple of minutes. It became acceptable to have a hand hygiene lead, to have posters everywhere, all of which helped change the culture (I do not have rose-tinted glasses about the success of this, but it has worked in some measure). A campaign of culture change would be better. So, instead of paying a Band 7 member of staff £40k to tick some boxes, I wonder what each hospital could do with the money to ask a nurse or doctor to take a lead and champion information security.

Whatever the plan is, another box ticking exercise is not what is needed.