FOIMan suggests that limited assurance for records management at Barts Health NHS Trust means we can have limited faith in records management across the country.
One of the Information Commissioner’s powers under the Data Protection Act is to carry out audits of organisations that process personal data. So far these have all been done on a consensual basis. The ICO does have the power to carry out compulsory audits of government departments (brought in after the infamous HMRC data loss), but has not yet used it. Executive reports of these audits are published on the ICO website unless the body concerned asks for them not to be, in which case you can draw your own conclusions.
I noted yesterday (thanks to a tweet from Jon Baines) that the latest recipient of an ICO audit is Barts NHS Trust. Now I’ve been concerned about Barts’ security arrangements since a private detective and his psychotic arch-enemy were allowed to access Barts’ hospital roof apparently without difficulty a couple of years ago, but leaving that aside, I was curious about the outcome of their audit.
Now, data protection is a large and complex subject, as anyone who’s ever studied for a BCS (ISEB) or other qualification in the subject will know. So whenever the ICO is planning an audit, it agrees with the subject organisation what areas it should look at. Barts chose information security and records management.
Despite stray detectives and criminal masterminds, you’ll be relieved to hear that Barts performed relatively well on the information security aspect of the audit, receiving “reasonable assurance”. This will have covered access controls on IT systems, encryption of portable media, and the other technical and organisational measures meant to protect personal data against unauthorised access as well as accidental loss, destruction or damage.
But it was records management that attracted limited assurance (the second lowest grading in the ICO’s assessment scheme). This is concerning. Not just for Barts (though I’m sure they do take this outcome seriously), but for everyone else. Barts has a pretty good reputation for records management. I’m not sure about the situation now, but for many years it actually had records managers (widely respected ones, even outside the health sector), which is certainly not the case universally in hospitals and NHS Trusts across the UK. So if Barts’ records management is considered not up to scratch then I doubt very much that most other NHS Trusts (or indeed local authorities, government agencies, schools, private companies for that matter) would fare any better under ICO scrutiny.
I’m personally sceptical of the desirability, let alone feasibility, of “perfect” records management. What’s important is that organisations can function and protect their most valuable and sensitive information. But it is fair to say that few in the public or private sector give this the priority it deserves. So unless you actually want some ammunition to make the case for more investment in this area, it may be a good idea to avoid asking the Information Commissioner to look at your records management.