Originally published on the Microsoft NHS Resource Centre on 17 May 2011
I have been known to play the odd hand of poker, and there's a fairly well known rule amongst seasoned poker players that if you don't know who the sucker at the table is after twenty minutes, then it is you. Players who are either new to the game, or who have too much self-confidence to realise they aren’t very good, are welcome at most poker tables as you can be sure of taking them to the cleaners thanks to this rule.
Unfortunately, the same appears to apply to data security in the NHS, but when the chips are down there is a lot more at stake than beer money and pride.
NHS staff are the weakest link - and you can wave your data goodbye as a result. Case in point? Well, how about the staff member at one London trust who managed to send a fax to the wrong person. It’s easily done, but if the fax in question contains confidential patient data it becomes less of an “Oops” moment and more of a “Bloody hell!” moment.
Likewise, when patients' notes get dumped in a bin on a ward where anyone walking down the ward corridor can see them, as also happened, it's actually a breach not only of hospital data security policy but also of common sense.
The trouble is, to maintain the poker analogy, that such incidents are the equivalent of a low value pair rather than a royal flush. NHS Trusts are under no obligation to declare such 'low level breaches' to the public by way of the annual report or, for that matter, to either the Information Commissioner's Office (ICO) or any strategic health authority. With no money in the pot at risk (rather than the £500,000 that could be at stake should the ICO ever discover it has teeth and decide to bite a data offender firmly on the financial backside), it should come as little surprise that such incidents appear not only to be fairly commonplace, but to fly under the media radar.
I only know about them because a national newspaper made a Freedom of Information request for such specific details and 30 NHS Trusts had the good grace to respond.
Now, from little acorns do big oak trees grow. I suspect that there is a link between these unreported 'low level' breaches and the fact that, when it comes to the more serious ones that do have to be reported, the NHS beats both the private sector and local government hands down.
Every data security policy should come complete with a method of reporting all breach events, no matter how relatively minor they may be. To me, no breach is ever 'minor' but all things are relative, so I will let that one slip for now. The point is, unless a trust takes all breaches seriously, and unless those responsible are made aware of the severity of their mistakes and action taken, be it educational or disciplinary, no lessons will be learnt.
The same suckers will play the same hands and one day find themselves at the centre of a game where a big pot is at stake and the ICO is involved.
Playing the blame game is not always productive, and it's all too easy to dump this one on the rank and file staff rather than management or even the IT department. However, data breaches cannot be seen as a bottom-up exercise when security policy and implementation are invariably top-down. Policy must dictate what is and is not acceptable, and technical implementation must prevent staff from being able to make many of the mistakes that leak data in the first place.