Scottish NHS data safeguarded by bizarre questionnaire

Scottish Health Secretary Nicola Sturgeon has welcomed new rules to tighten up security around patient records in Scotland. This follows the discovery of confidential details about patients and their treatment in two separate – and derelict - hospital premises.

In July, records turned up at the Law hospital in Carluke, Lanarkshire. In May children's medical records were found in the Strathmartine hospital in Dundee. Each was abandoned at the times of the discoveries. A reporter for Scottish station STV revealed that the data included the names of child psychiatric patients, and their medication and progress.

The recommendations form part of a package put forward by NHS Quality Improvement Scotland (QIS) and include a number of "data security protocols" designed to avoid a repetition of such embarrassing incidents.

According to the recommendations, in future NHS Scotland will not use disused buildings to store any health records or personal identifiable information. It will keep all patient information within its formal health records, destroy redundant information and train staff in data protection and management. It will also provide guidance on managing patient information held by clinical staff who leave their posts.

Sturgeon said: "Although this was an isolated incident, breaches of data security should not be happening at all".

A spokesperson for NHS Scotland added helpfully that the records had not actually been stored: "The buildings in which they were located had been abandoned and records left behind." Whether this makes the incident more or less worrying, we leave to our readers to decide for themselves.

Nor are these new protocols exactly "new". According to the same spokesperson: "They are best practices which hospitals ought to have been adhering to already. In principle, nothing much has changed. This is simply a codification of what was going on before."

This is reassuring news, as is a response from NHS England that Guidance for the NHS in England "already includes those areas identified by Quality Improvement Scotland and can be found in the NHS Information Governance Toolkit".

But this might not be strictly true. The IG Toolkit contains links to hundreds of documents on best practice and good governance. Many of these are expressed in the form of process checklists, rather than direct instructions as to what to do in a given situation.

Thus the summary of IGT requirements 2008-9 contains over 90 helpful audit questions, including: "Does the Organisation have adequate arrangements in place to ensure safe and secure handling of information (eg policies and procedures and access to expert advice on Confidentiality, Data Protection and Information Security)?"

No doubt, if an Organisation does have adequate arrangements in place, data loss Scotland-style would never happen, but it is not at all clear that the Toolkit sets out what such arrangements would look like.

Organisations are also confronted with more obscure questions such as: "Does the Organisation have adequate governance in place to support the current and evolving Information Governance agenda?"

The lesson from Scotland seems to be that NHS bodies need to cut through the high managerial waffle. Instead of checklists asking whether "the organisation has policies in place in respect of pushing buttons of different colours", there are times when a much simpler policy of "do not press the red button" is more apt.

On the evidence to hand, it is not at all clear that NHS England understands this. ®