The following is a long blog for me, but then, I didn’t write it. It was published in The Health Service Journal in September of this year. The article is about identity management, and in view of this week’s news (see blogs past and drawings above), I would urge anyone who is passing by (hello) to read it. I have an interest to declare at the end too.*
For your information, the information commissioner’s website is at: www.ico.gov.uk
The speed at which businesses, the government and the public sector are developing electronic record systems is starting to gather pace.
The arguments in favour of new systems are, by now, well rehearsed. They include the idea that electronic records will support safer services, increase efficiency, promote team working and deliver more security, accessibility and convenience for end users – patients, in the case of the NHS.
However, the Information Commissioner’s latest Annual Report suggests that many organisations are finding some of these kinds of argument more compelling than others.
Taken as a whole, it suggests that while many bodies are happy to embrace the increased information sharing, surveillance and targeting that new systems make possible, they are less committed to security and positively ambivalent about openness.
Sadly, I fear that the NHS is following the general trend. It is undoubtedly in the vanguard of what an earlier IC report called the Surveillance Society – defined as a world in which technology is routinely used to track and record people’s activities.
This is not only because it is developing its own care records. It is also because its data tends to be drawn into other projects, such as the children’s database, and because it is enthusiastic about using electronic systems to target services on people and monitor their impact (the algorithm to spot patients at ‘high risk’ of hospital admission is a case in point).
The problem is that there are few opportunities to debate what such systems can legitimately be used for – and even fewer checks on function creep. As Richard Thomas, the IC, notes: ‘The benefits of using personal information are undeniable.
‘But so are the risks for individuals and society where use goes beyond reasonable expectations or where things go wrong. [And] the risks – such as mistaken identity, judgemental profiling – magnify as information is shared ever wider.’
Sooner or later, it is certain, the NHS will be caught up in a major scandal involving records, databases or targeting. Some of its data will turn up somewhere it shouldn’t. Supposedly neutral targeting will turn out to be discriminatory. Some deserving soul will not get the treatment they need because ‘the computer says no.’
And when that happens, questions will be asked about how such systems could have been put in place and there will be reviews and resignations… which is why Mr Thomas argues that the best defences we now have against such abuses are data protection and the self interest of organisations with reputations to lose.
Unfortunately, other parts of his Annual Report suggest that these are not much of a defence, since it covers some ‘frankly horrifying’ but very basic security breaches – data being used on unsecured laptops, left open on an applicant website and dumped in bin bags.
Only one of these incidents is related to the NHS (guess which). But since every NHS IT manager has a fund of stories about staff taping passwords to computers or carrying patient notes around on USB sticks and MP3 players, any of them could be.
These kinds of breaches, and the social engineering lapses covered in another report on The Illegal Trade in Personal Information, happen despite the reputational damage that inevitably occurs when news of them gets out.
They also suggest that the potential for electronic records to deliver better security is not being realised in practice, because the introduction of new systems is not being accompanied by a new culture of security and confidentiality in using them.
Nevertheless, organisations are still willing to plead confidentiality when their own interests are at stake. The Annual Report contains the usual list of bodies – including an NHS trust – that were only too willing to hang on to information that should have been released under freedom of information rules.
Unusually, the IC addresses ‘ministers, permanent secretaries, chairs and chief executives’ directly in the year’s report. It is they, he argues, who must ensure that their organisations ‘exercise the necessary self restraint’ as they help to create a surveillance society and who must ‘ensure that their organisations guarantee safeguards.’
This is an important message, but at the moment I’d say we are in for years of stories about database application and security scandals. As a journalist, I suppose I shouldn’t complain, since they’ll keep me in business.
Managers, though, might like to reflect on Mr Thomas’ point that it won’t be much fun to be caught up in them, and take steps that will leave me and my colleagues writing about something else.
These are the reasons I have great caution about the uses of technology, commercially and publicly. It is rarely the technology itself which is the issue; the real problem is invariably the people who use it: us.
* The article was written by my partner, Lyn Whitfield.
23rd November 2007