Scottish NHS data safeguarded by bizarre questionnaire
Sturgeon ends fishy practices
Scottish Health Secretary Nicola Sturgeon has welcomed new rules to tighten up security around patient records in Scotland. This follows the discovery of confidential details about patients and their treatment in two separate – and derelict - hospital premises.
In July, records turned up at the Law hospital in Carluke, Lanarkshire. In May children's medical records were found in the Strathmartine hospital in Dundee. Each was abandoned at the times of the discoveries. A reporter for Scottish station STV revealed that the data included the names of child psychiatric patients, and their medication and progress.
The recommendations form part of a package put forward by NHS Quality Improvement Scotland (QIS) and include a number of "data security protocols" designed to avoid a repetition of such embarrassing incidents.
According to the recommendations, in future NHS Scotland will not use disused buildings to store any health records or personal identifiable information. It will keep all patient information within its formal health records, destroy redundant information and train staff in data protection and management. It will also provide guidance on managing patient information held by clinical staff who leave their posts.
Sturgeon said: "Although this was an isolated incident, breaches of data security should not be happening at all".
A spokesperson for NHS Scotland added helpfully that the records had not actually been stored: "The buildings in which they were located had been abandoned and records left behind." Whether this makes the incident more or less worrying, we leave to our readers to decide for themselves.
Nor are these new protocols exactly "new". According to the same spokesperson: "They are best practices which hospitals ought to have been adhering to already. In principle, nothing much has changed. This is simply a codification of what was going on before."
This is reassuring news, as is a response from NHS England that Guidance for the NHS in England "already includes those areas identified by Quality Improvement Scotland and can be found in the NHS Information Governance Toolkit".
But this might not be strictly true. The IG Toolkit contains links to hundreds of documents on best practice and good governance. Many of these are expressed in the form of process checklists, rather than direct instructions as to what to do in a given situation.
Thus the summary of IGT requirements 2008-9 contains over 90 helpful audit questions, including: "Does the Organisation have adequate arrangements in place to ensure safe and secure handling of information (eg policies and procedures and access to expert advice on Confidentiality, Data Protection and Information Security)?"
No doubt, if an Organisation does have adequate arrangements in place, data loss Scotland-style would never happen, but it is not at all clear that the Toolkit sets out what such arrangements would look like.
Organisations are also confronted with more obscure questions such as: "Does the Organisation have adequate governance in place to support the current and evolving Information Governance agenda?"
The lesson from Scotland seems to be that NHS bodies need to cut through the high managerial waffle. Instead of checklists asking whether "the organisation has policies in place in respect of pushing buttons of different colours", there are times when a much simpler policy of "do not press the red button" is more apt.
On the evidence to hand, it is not at all clear that NHS England understands this. ®
About 20 years ago I was inspecting the redundant and empty buildings of the Holloway Institution a psychiatric hospital near Virginia Water in Surrey, and in the undercroft we found admissions ledgers from the forties and fifties. There was a resident security guard who collected them up but what he did with them I've no idea.
Surely there needs to be a simple statement of policy that no NHS body of any sort will ever abandon records and that when any practice, department or hospital is closed the disposal of its records becomes the responsibility of the board or comittee or trust or whatever up the food chain.
Is it really that surprising...
that the NHS, top heavy as it is with senior management with little or no direct clinical experience or inclinations, produces such a vast quantity of report generating drivel such as the IG Toolkit? Really? It's not about information security, nor about patient protection, just as the NHS stopped being about servicing the nation's health as soon as bullsh*t speaking senior management types were introduced into the system. Targets breed reports on those targets, those reports generate more reports on the failure to meet those (often ridiculous) targets, failure reports generate more reports and action plans, action plans generate progress reports... The paper trail goes on, the management gravy train continues to roll and the patients are forgotten.
The NHS were informed months before
and did feck all about it in the case of the Dundee site. Perhaps they were using the time to put all the data on an unencrypted hard drive then sell it on Ebay.
Mines the doctor sticking 38% more wages in his jacket for doing less work.