Inside e-health uncovers some mixed messages about information governance

The government promised tough new rules to secure personal data in the aftermath of last November’s HMRC debacle. But now it is sending out mixed messages about information governance – and risking public trust in the process, argues Jon Hoeksma.
Information governance – and with it public trust that the government and its agents will strain every sinew to safeguard their data – is arguably the most important issue now facing efforts to digitise the health service. So it is unfortunate that the government is sending out some very mixed messages on the subject.
New laws – or not
Clause 76 of the Criminal Justice and Immigration Bill, which is currently going through Parliament, would enable courts to impose a custodial sentence on people convicted of existing offences of buying or selling personal data that currently carry lesser penalties.
The measures were put forward to stamp on the growing market in illegally accessed personal data. However, newspaper reports indicate the government may be about to water down the draft legislation.
If this does happen, it could have far-reaching consequences for public trust in shared electronic patient records. While the proposed legislation would not stop the sale or loss of data, it would send a strong message about how seriously the state takes data protection.
HMRC: a watershed for public confidence
New electronic record systems in the NHS include access controls and audit trails, but they still have greater potential for misuse than the old paper records they replace, simply because more people will be able to access more of them from more places. Already there have been reported incidents of misuse, including staff inappropriately viewing celebrities’ health records.
Until the HMRC data disaster of last November, the prevailing Whitehall assumption was that the public would still welcome – or at least tolerate – the introduction of electronic records and data sharing between different departments in return for better services.
HMRC’s loss of 25 million citizens’ records on two unsecured disks en route for the National Audit Office – and the lack of governance capability or culture it revealed – was a watershed; one that left this rather complacent view dead in the water.
One early casualty of the HMRC fiasco was the temporary shelving of the government’s strategy for sharing citizens' personal data between departments. But as data sharing is essential to public service modernisation, the strategy will not be abandoned.
However, the subsequent spate of data loss stories – including a growing number affecting the NHS – has further eroded confidence. Even when the stories have shown that effective security mechanisms have been operating – as in the case of the loss of heavily encrypted CDs containing child health details in London – they have served to fan concerns.
Promise action: pull back in the face of lobbying
In the immediate aftermath of the HMRC loss, therefore, it looked as though it would be plain sailing for Information Commissioner Richard Thomas and privacy campaigners to get tough new measures to penalise data breaches enacted.
In particular, the government promised new penalties for the theft or sale of personal data to reporters, private investigators and others. However, there has been a lobbying campaign by elements of the national media against them – which is why they may now be dropped from the draft bill.
Mr Thomas and the Department of Health’s National Information Governance Board chair Harry Cayton have called for the proposed new penalties to be preserved. Mr Thomas says they are vital if the public is to have confidence the government is taking the full measures necessary to prevent data loss.
Mr Cayton argues they are vital for ensuring public trust and the future success of electronic patient records. NHS bosses who, thanks to the National Programme for IT in the NHS, have thought long and hard about the governance of electronic patient records, are reported to agree.
Difficult times for electronic records
For the NHS, the uphill struggle to secure public confidence must be galling when, in areas like the summary care record (SCR), it has put in exhaustive measures to protect data and privacy.
Nevertheless, the Department of Health was alive to the dangers that the HMRC incident presented. In the immediate aftermath last December, NHS chief executive David Nicholson ordered every health service organisation to immediately review and tighten their information governance and data transfer arrangements.
Since then, the once obscure subject of information governance has remained high on the agenda and is likely to feature heavily in the Swindells review of NHS Informatics, now due this summer.
The NHS would be well served by becoming the exemplar of information governance within the public sector. On the thorny issues surrounding consent and confidentiality in relation to SCRs it has already shown that it can meet complex security requirements and modify plans based on public attitudes.
The DH needs to show similar transparency over all aspects of information governance. The key challenge will be how to ensure clear and effective control of a shared clinical record, one used by and contributed to by multiple individuals. Who is responsible for such a shared record?
And who will have access to its data and what will they be able to do with it – whether they are medical professionals caring for a patient or medical researchers or even, in special circumstances, NHS counter fraud services, the police or the security services?
While all that is debated, one thing is clear. The government needs to get its message about information governance straight, if the public is to have any trust in the e-governance project at all.
About the author: Jon Hoeksma is a journalist with extensive experience of writing about healthcare and IT for UK newspapers and specialist publications. He is also co-founder of the e-health-insider industry portal and its spin-offs covering primary care and Europe.