Microsoft | NHS Resource Centre


After HMRC: information governance in the NHS

Information Governance in the NHS

When HM Revenue and Customs admitted it had lost the data of every child benefit claimant in the country in the post, information governance suddenly became one of the key issues facing the public sector.

The message that NHS organisations must have good accountabilities and policies in place has gone out from the very top of the NHS. But on the ground, IT managers will need good IT to encourage staff to abide by them and maintain public confidence.

 
“Lost in the post” was the Guardian’s headline - “25 million at risk after data disks go missing.” Other papers were less charitable.

Words like “fiasco” and “incompetence” featured heavily above the first stories about how HM Revenue and Customs (HMRC) had lost the personal details of every child benefit claimant in the country.

Even the Guardian accused the Revenue of a “fundamental breach of faith between the state and the citizen” when it admitted that the data had been put onto two unencrypted disks that had been lost in transit to the National Audit Office.

 

New laws, tougher penalties

For once, the headline writers were not exaggerating. The HMRC incident caused public outrage and is likely to have far-reaching consequences.

Critics of a national identity card have already predicted that it will be much harder for the government to get a scheme off the ground, and the controversial children’s database, ContactPoint, has been delayed while security is reviewed.

The Commons’ justice committee has backed calls from the Information Commissioner, Richard Thomas, for tougher penalties for organisations and individuals who wilfully flout data protection principles, and the government has given his office new powers.

The Conservative Party has called for the NHS Care Records Service (NHS CRS) to be scrapped in favour of local systems “with interoperability between them,” arguing that this would reduce the amount of health data at risk in any future incident.

 

NHS chief executive orders action

The Department of Health had already backed Mr Thomas’ calls for tougher penalties against staff who leak or sell confidential information, arguing that these would help to protect the NHS CRS.

However, it has defended the centralised approach being taken to the new records service. NHS chief executive David Nicholson told the Today programme that it had “a level of security built into the system that is way above industry standards.”

This did not stop him writing to NHS chief executives in the middle of December to remind them of the “key responsibilities and accountabilities for securing effective information governance” in the service and to order a review of the security of data in transit.

In his letter, Mr Nicholson reminded the chief executives of strategic health authorities that they are now responsible for delivering the benefits of the National Programme for IT in the NHS and “information governance accountabilities and capabilities [are] key to this.”

He also reminded trust chief executives that they are responsible for information governance in their own organisations, and that all trusts must complete this year’s annual information governance self-assessment, using the NHS information governance toolkit, by the end of March.

Mr Nicholson said he expected boards to assure themselves that their arrangements for data in transit met all existing DH guidelines and policies and “there are robust procedures to make sure they are followed.”

Recognising that this might take some time, he urged them to check their systems and stop any bulk transfers of person identifiable data (PID) unless it was “absolutely needed for patient care” until this was done.

Meanwhile, Mr Nicholson also urged chief executives to check their security policies for laptops and other “portable media” and to make sure they do not hold PID unless it is encrypted.

 

Encryption, Windows Vista and BitLocker

Encryption is suddenly a hot issue, and it is one with which technology can help. Microsoft’s latest operating system, Vista, comes with a feature called BitLocker Drive Encryption.

“With BitLocker, the entire Windows volume is encrypted to deter unauthorised users from trying to break Windows file and system protections,” says Richard Lane from Microsoft’s UK healthcare team.

“That means the data on the disk is secure if it is removed and attached to a different device.” The encryption key can be stored on a laptop chip or USB stick, and IT administrators can manage keys through Microsoft Active Directory.

 

Processes, people and technology

However, in his blog, Microsoft UK’s lead technology advisor Jerry Fishenden warns that government and public bodies cannot look for purely technological fixes to information governance problems.

“Too much of the debate right now ends up focused on technology as a solution in itself,” he wrote. “There does not seem to me a sufficient recognition of the fact that good data handling results from a combination of the right processes, people and technologies being in place.”

Mr Nicholson’s letter spelled out the importance of good accountabilities and policies. But policies can only go so far.

A US survey by the Ponemon Institute for RedCannon Security last December found that most employees either didn’t know about their company’s data security policies or didn’t care because there were no consequences for breaking them.

 

Manage identity, manage access

Bill Orme, Microsoft’s Intelligent Application Gateway (IAG) business manager, says there are some basic things that IT managers can do to combat this kind of thinking. For instance, he says it is important to explain the reasoning behind policies, to make them easy to find, and to work with HR departments on training.

But he also says this is an area in which technology has an increasing part to play, by supporting what he calls conditional, context based access to systems and data.

“It is not enough to give somebody a 200 page document of policies on induction day and then rely on that guiding their behaviour, or even providing a legal defence if they do something wrong,” he says. “You need to shepherd them into good practices.”

Microsoft, he adds, has products that can do this – and the NHS will have bought many of them through its Enterprise Agreement. But they need pulling together.

For example, Mr Orme says trusts may well have good protection on the databases that sit within their secure networks, but still be vulnerable if people access them from remote locations, such as their homes, or over non-permitted devices.

The IAG sits at the perimeter of a network and can be used in conjunction with other software (such as Microsoft Identity Lifecycle Manager and Microsoft Rights Management Services) to determine who is attempting to access data, what devices they are using, and whether they have the relevant permissions to see, edit or export data.

“For example, the IAG might determine whether someone who is working from home has BitLocker on their laptop,” he says. “If they don’t, it might stop them downloading a document altogether, or suggest they view it another way.”

 

Look at the big picture

Further analysis of the HMRC incident revealed some underlying problems with information governance. Most obviously, a decision had been taken to send the entire database to the NAO because it would have cost money to abstract the information that auditors actually wanted.

But it also shows something even more fundamental about how the role of IT is changing, and how its relationship with organisations and individuals needs to change with it.

IT has historically had a back-room role - helping organisations to do what they always did, if hopefully a little more easily and efficiently. Now, it is starting to have a role in delivering policy objectives and changing the way organisations deliver services.

But this makes it more important for policy makers and managers to consider IT early and to build staff and public support for change: not least by ensuring that data is held securely and only used for authorised purposes.

Musing on recent events in his blog, Mr Fishenden calls to mind a paper that Microsoft wrote on Information Privacy and Data Protection in the Public Sector a couple of years ago.

It argues that to manage some of the challenges and tensions being thrown up by IT-enabled change, organisations need to build a technology framework for data governance around a secure infrastructure (which protects against malware and hacking).

Then they need identity and access control, data encryption, document protection and auditing and reporting (to check policies and protocols are being followed). 

 

More accountability and tighter privacy

It’s probably fair to say that until now, the focus of many NHS IT managers will have been infrastructure. Stories about the loss of laptops and other devices have raised the profile of encryption.

But there is now a need to focus on identity and access control, document handling and auditing and reporting: and to get these working together so that staff can’t intentionally or accidentally work around safeguards.

Meanwhile, in his blog, Mr Fishenden argues that the public sector needs to look at “acquiring and holding less data in the first place” – something with which privacy campaigners would agree.

And in another post, he raises the issue of how “web 2.0” technology may bring about another shift in focus. “Developments like HealthVault [a Microsoft platform to store records and other medical information launched in the US] show that entirely new models exist in which the user takes control of their data and how and when it is accessed and by whom,” he writes.

In the meantime, there is no doubt that HMRC’s data loss and other well-publicised hardware losses and information governance failures have raised public awareness not only of the issue, but also of what organisations should be doing to keep their information safe and to ensure it is used properly.

Giving evidence to a Lords committee recently, deputy information commissioner David Smith said it was no longer good enough for organisations or individuals to have PID on unencrypted mobile devices.

If a doctor had unencrypted data on a laptop and lost it, that might count as “knowingly or recklessly” flouting the Data Protection Act, and so attract a fine or worse under the proposals backed by the Justice select committee.

Reacting to the HMRC incident, his boss, Mr Thomas, said it was no longer good enough for public bodies to blame breaches on “junior officials” or a failure to follow policies.

“Any aggregated system of collecting information must be proof against criminals, it must be proof against idiots, it must be proof against those who do not follow the ordinary rules,” he told Today. Anything less could inflict serious damage on institutions and, potentially, the whole e-government project.

 
