Feeds

Scottish NHS data safeguarded by bizarre questionnaire

Sturgeon ends fishy practices

5 things you didn’t know about cloud backup

Scottish Health Secretary Nicola Sturgeon has welcomed new rules to tighten up security around patient records in Scotland. This follows the discovery of confidential details about patients and their treatment in two separate – and derelict - hospital premises.

In July, records turned up at the Law hospital in Carluke, Lanarkshire. In May children's medical records were found in the Strathmartine hospital in Dundee. Each was abandoned at the times of the discoveries. A reporter for Scottish station STV revealed that the data included the names of child psychiatric patients, and their medication and progress.

The recommendations form part of a package put forward by NHS Quality Improvement Scotland (QIS) and include a number of "data security protocols" designed to avoid a repetition of such embarrassing incidents.

According to the recommendations, in future NHS Scotland will not use disused buildings to store any health records or personal identifiable information. It will keep all patient information within its formal health records, destroy redundant information and train staff in data protection and management. It will also provide guidance on managing patient information held by clinical staff who leave their posts.

Sturgeon said: "Although this was an isolated incident, breaches of data security should not be happening at all".

A spokesperson for NHS Scotland added helpfully that the records had not actually been stored: "The buildings in which they were located had been abandoned and records left behind." Whether this makes the incident more or less worrying, we leave to our readers to decide for themselves.

Nor are these new protocols exactly "new". According to the same spokesperson: "They are best practices which hospitals ought to have been adhering to already. In principle, nothing much has changed. This is simply a codification of what was going on before."

This is reassuring news, as is a response from NHS England that Guidance for the NHS in England "already includes those areas identified by Quality Improvement Scotland and can be found in the NHS Information Governance Toolkit".

But this might not be strictly true. The IG Toolkit contains links to hundreds of documents on best practice and good governance. Many of these are expressed in the form of process checklists, rather than direct instructions as to what to do in a given situation.

Thus the summary of IGT requirements 2008-9 contains over 90 helpful audit questions, including: "Does the Organisation have adequate arrangements in place to ensure safe and secure handling of information (eg policies and procedures and access to expert advice on Confidentiality, Data Protection and Information Security)?"

No doubt, if an Organisation does have adequate arrangements in place, data loss Scotland-style would never happen, but it is not at all clear that the Toolkit sets out what such arrangements would look like.

Organisations are also confronted with more obscure questions such as: "Does the Organisation have adequate governance in place to support the current and evolving Information Governance agenda?"

The lesson from Scotland seems to be that NHS bodies need to cut through the high managerial waffle. Instead of checklists asking whether "the organisation has policies in place in respect of pushing buttons of different colours", there are times when a much simpler policy of "do not press the red button" is more apt.

On the evidence to hand, it is not at all clear that NHS England understands this. ®

The essential guide to IT transformation

More from The Register

next story
Britain's housing crisis: What are we going to do about it?
Rent control: Better than bombs at destroying housing
Top beak: UK privacy law may be reconsidered because of social media
Rise of Twitter etc creates 'enormous challenges'
GCHQ protesters stick it to British spooks ... by drinking urine
Activists told NOT to snap pics of staff at the concrete doughnut
What do you mean, I have to POST a PHYSICAL CHEQUE to get my gun licence?
Stop bitching about firearms fees - we need computerisation
Ex US cybersecurity czar guilty in child sex abuse website case
Health and Human Services IT security chief headed online to share vile images
We need less U.S. in our WWW – Euro digital chief Steelie Neelie
EC moves to shift status quo at Internet Governance Forum
Oz biz regulator discovers shared servers in EPIC FACEPALM
'Not aware' that one IP can hold more than one Website
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.