Dangers from Within? Looking Inwards at the Role of Maladministration as the Leading Cause of Health Data Breaches in the UK
Despite the continuing rise of data breaches in the United Kingdom’s health sector there remains little evidence or understanding of the key causal factors leading to the misuse of health data and therefore uncertainty remains as to the best means of prevention and mitigation. Furthermore, in light of the forthcoming General Data Protection Regulation, the stakes are higher and pressure will continue to increase for organisations to adopt more robust approaches to information governance. This chapter builds upon the authors’ 2014 report commissioned by the United Kingdom’s Nuffield Council on Bioethics and Wellcome Trust’s Expert Advisory Group on Data Access, which uncovered evidence of harm from the processing of health and biomedical data. One of the review’s key findings was identifying maladministration (characterised as the epitome of poor information governance practices) as the number one cause for data breach incidents. The chapter uses a case study approach to extend the work and provide novel analysis of maladministration and its role as a leading cause of data breaches. Through these analyses we examine the extent of avoidability of such incidents and the crucial role of good governance in the prevention of data breaches. The findings suggest a refocus of attention on insider behaviours is required, as opposed to, but not excluding, the dominant conceptualisations of data misuse characterised by more publicised (and sensationalised) incidents involving third-party hackers.
KeywordsPrivacy Information governance Data breach Data security Patient data Harm
The United Kingdom’s (‘UK’) health sector continues to make headlines over the mismanagement of personal health data.1 Between January and September 2015 there were 642 data breaches reported by UK health organisations (e.g. the National Health Service (‘NHS’), Ambulance Trusts etc.) to the Information Commissioner’s Office (‘ICO’), a figure more than four times than that reported by local authorities – the sector with second highest number of data breaches (154) in the same period.2 Between 2012 and 2015 data breaches cost health care organisations (and thus tax payers) in the UK at least £1.43 million as a result of ICO monetary penalties served3 (and this does not account for other costs – financial or otherwise – that are likely to arise in the wake of a data breach). Globally, the costs associated with data breaches vary across sectors, but those arising in the health context present the highest costs, up to $363 USD per record lost or stolen versus the $154 average cost across all sectors.4 Overall, data breaches in the UK’s health sector have increased steadily, most recently reported in December 2015 with a 44% rise in incidents from Q1 to Q2 of 2015 (193 incidents in Q1 to 278 in Q2).5 These trends indicate that the achievement of good standards of information governance remains elusive in the health context but also carries a flavour of inevitability – that such incidents cannot entirely be prevented – and that this (inevitable?) risk increases with the expanding collection, use and linkage of even seemingly ‘anonymised’ data.6 The UK’s health sector want and need to know the underlying factors behind the growing incidence of data breaches and what, if anything, can be done about it.
Any personal data that relate to the physical or mental health of an individual, or to the provision of health services to the individual. This includes biomedical data, gathered from any source (e.g. from blood samples, in vitro diagnostic tests) that speaks to the actual physiological or biomedical state of the individual.8
Within the UK, such data are typically processed by the NHS but also increasingly by private sector organisations who are tasked with carrying out public functions under outsourcing contracts. Indeed, several incidents located in the evidence review captured precisely this working arrangement. However, it is also the case that data (including health and biomedical data) across all sectors are linked and shared for a variety of purposes, such as for improvements to public service delivery or for research.9
While there is no shortage of data breach statistics and there are ongoing and well developed discussions surrounding the technical risks of processing personal data, no comprehensive evidence base exists that clarifies the full spectrum of harms and impacts that good governance ought to prevent. The report provided a novel evidence base that triangulated different causes for the abuse of health and biomedical data, with different types of data abuse and the resulting harm and impact caused to individuals, organisations and broader public interests. This chapter builds upon the findings of this report and focuses on the crucial question: What, if anything, can be done about the rising incidence of data breach incidents that result from poor governance practice in the UK’s health sector?
failure to take any action when necessary to prevent an abuse/misuse of data;
failure to follow correct procedures or the law despite the provision of guidance and existence of standard procedures and protocols;
inadequate consultation prior to taking action;
lack of clear mandates on proper standard procedures and protocol; or
the adherence to outdated standards and procedures that put data at risk.
However, this chapter also explores the potential relationship between maladministration on the one hand and the intervening factor of human error on the other, in order to highlight where action can be taken to address the rising incidence of data breaches. In each of the examples of above, and in each incident of maladministration identified in our review, it was also reasonable to assume a confluence of factors contributed to the misuse of data, especially in consideration of the unavoidability of human error in combination with an already inconsistent culture of information governance. While not necessarily interdependent, the evidence demonstrated that the presence of one was likely to exacerbate the other into a scenario ripe for data misuse to occur.
The evidence demonstrated that unintentional behaviours were far more likely to give rise to data incidents and these behaviours were categorised as either ‘maladministration’ or ‘human error’. The number one cause identified for the abuse of health and biomedical data was maladministration, a broad category devised to capture incidents which reflected ‘the epitome of poor information governance’.10 However, in this chapter we seeks to unpack this broad categorisation, and rather than operate on the ‘either or’ basis prescribed by the evidence review’s methodology, we consider how factors such as human error can wreak further havoc where information governance is weak. Therefore, we argue, both contribute to the misuse and abuse of data. Further, there is so much overlap between the two, that it is difficult to attribute a breach clearly to one of these or the other. As will be explored in several case studies below, we will consider how multiple governance lapses, also gave room for human error to intervene and causally contribute to the occurrence of a data incident.
While it is outwith the scope of this chapter to offer more robust analysis as to which models of good governance should be adopted,11 the forthcoming discussion provides an important first step in exploring maladministration as reflected in actual data incidents, in order to shed light on the extent to which good information governance could have prevented, or mitigated, incidents of data abuse/misuse and therefore lessened the contributory effects of intervening human error and mistake. This analysis can contribute to a new understanding and estimation of the impact of good information governance on mitigating risks in terms of overall numbers of data incidents, the scope and pervasiveness of resulting harm and impact, and any cost-savings that may be accrued to specific organisations, sectors or indeed society as a whole.
The chapter begins with a brief overview of the research undertaken for the NCOB and Wellcome Trust’s EAGDA, explaining the key parameters of the evidence review and therefore how it will be used to advance arguments presented in this chapter. The chapter moves to a discussion of the report’s key findings and its implications for information governance in the UK’s health sector. The cause and effect of data breaches will be considered, identifying the crucial role of unintentional but careless or negligent behaviours of insiders that contribute to maladministration and the consequent occurrence of health data being compromised. We go beyond the report’s initial typology of causes for the abuse of health data by unpacking the number one identified cause ‘maladministration’. We provide new insight into this broad category and explore the relationship between poor governance practices and the intervening factor of human error, and how these may combine or work in tandem to facilitate the misuse of data. As maladministration is characterised by the information governance practices of a particular organisation, actual incidents located in the evidence review which involved harm as a result of maladministration will be considered. These case studies of maladministration are examined to better understand the nature of such breaches, any known impact as a result and the apparent causes or contributing factors (such as human error) to the case. This analysis crucially reveals where good governance measures could have intervened and potentially prevented or mitigated the impact or harm of the incident. The chapter concludes by considering the impact of good information governance practices on mitigating risks in terms of incidence of harm, the severity of harm and impact, the numbers harmed/impacted by a data incident and any potential costs saved to organisations, sectors or society as a result.
8.2 An Interdisciplinary Study into the Abuse of Health and Biomedical Data in the UK
In early 2014, our interdisciplinary team won a competitive bid to conduct an evidence review of the harms resulting from uses of health and biomedical data for the NCOB and Wellcome Trust’s EAGDA.12 Our team comprised legal academics at the Mason Institute in the University of Edinburgh’s School of Law (involved in the Farr Institute Scotland and the Administrative Data Research Centre Scotland13) and those from social psychology and data science from the Farr Institute CIPHER based at Swansea University Medical School.14 The brief for the review was wide and the commissioned report was considered as a scoping exercise into the underexplored area of ‘harms’ in context of information governance and specifically the use of health and biomedical data. The focus was UK-centric but would incorporate evidence from further afield (namely the European Union (‘EU’) and United States (‘US’) where appropriate methodologically. Most pertinent to the topic of this chapter was our investigation into the nature and significance of any conditions leading to the misuse of data.
the legal or ‘hard’ evidence strand that would present detailed and objective facts about specific incidents;
the grey literature or ‘soft’ evidence strand that would provide a more subjective account from the data subject perspective, but the amount of detail would depend on the source (e.g. broadsheet vs. tabloid) and would report on a single or on several incidents; and
the social media strand that would present a potential mixture of both objective and subjective evidence with an international coverage.
While a full overview of our methodology may be found in the report, it is important to clarify the key limitations and criteria of the evidence produced which in turn shape the contribution being made in this chapter.
8.2.1 Methodological Limitations
First, the review was, a stated previously, UK-centric which was realistic in light of time constraints. The research is therefore best understood as an initial scoping exercise and does not claim to be exhaustive. Second, and also due to time constraints, the review of grey literature was limited to the newspapers chosen and was narrative in nature, in practice excluding evidence from other newspapers, trade magazines and peer-reviewed journal articles. Third, the categories devised were sometimes overly specific due to the nature of evidence presented from the hard evidence strand but at other times quite broad due to the lack of detail in the evidence identified (particularly prevalent in the soft evidence strand). The broad categories chosen, in particular for distinguishing between different ‘causes’, permitted a level of flexibility in comparison across the research strands. For the purposes of this chapter this is especially important to keep in mind given that maladministration is a case in point. Here we provide new analysis which unpacks this category further, outwith the constraints of the evidence review’s methodology, considering the relationship between maladministration and other causal factors identified in the review, namely, human error.
Fourth, in adopting a merged evidence approach, far fewer matches were identified than was likely the case in comparing objective statements of fact from the hard evidence with subjective, non-regulatory language used in the soft evidence and social media strands. Again, we provide new analysis here which will combine the international evidence gathered from the social media strand, with the UK evidence (from the soft and hard evidence strands) on incidents involving both human error and maladministration, in order to explore the interrelationship between these factors and prevalence of both in the high incidence of data misuse.
Fifth, proxy search terms were used to find ‘harm’ as it was apparent from initial searches that this would not lead us to the evidence; therefore, the evidence we rely on here may provide an incomplete picture given the varied terminology and colloquialisms used to discuss data more generally. For example, in terms of the known methodological limitations of the search criteria and strands, the conventional term ‘breach’ was chosen pragmatically, as this was understood as the term used to refer to such incidents.15 However on a conceptual level, and in the report, we spoke of the ‘abuse’ and ‘misuse’ of data rather than using the limiting terminology of ‘data breaches’. This would emphasise the broader spectrum of incidents caused by both intentional and unintentional behaviours (whereas the term ‘breach’ implies use of data and a particular type of data incident) and also encapsulate more fully the commissioned scope for the review which was also to capture any incidents of harm arising out of a failure to use data or the ‘non-use’ of data.16
irrespective of whether data were digitised or in paper-based form;
incidents that involved either intentional or unintentional abuse of health data; and
represented harm/impact arising from data use (as conceptualised legally or in the wider psychosocial sense).19
In the remainder of the chapter we focus on the nature and significance of maladministration in precipitating the abuse and misuse of health and biomedical data and how the intervening factor of human error can exacerbate any lapses in governance. First we consider the term ‘maladministration’ and how this relates to the obligations organisations have as to data within their control.
8.3 Maladministration in a Broader Context
The term ‘maladministration’ is not commonly used (if at all) in the data protection context. In considering the broader context of its usage both within the UK and EU, clear parallels are found between what are considered failed information governance practices and a concept which implies the general failure of an organisation to fulfil their obligations to e.g. the public at large, specific groups of individuals or even individuals as consumers of a particular good or service. In the UK (and EU generally) maladministration is a term used in relation to ombudsmen who investigate independently abuses of public officials and bodies. As pointed out earlier, this term conceptualises the multiple ways in which a public official and/or body may neglect or violate their duties.
Rudeness (though that is a matter of degree);
Unwillingness to treat the complainant as a person with rights;
Refusal to answer reasonable questions;
Neglecting to inform a complainant on request of his or her rights or entitlement;
Knowingly giving advice which is misleading or inadequate;
Ignoring valid advice or overruling considerations which would produce an uncomfortable result for the overruler;
Offering no redress or manifestly disproportionate redress;
Showing bias whether because of colour, sex, or any other grounds;
Omission to notify those who thereby lose a right of appeal;
Refusal to inform adequately of the right of appeal;
Failure by management to monitor compliance with adequate procedures;
Cavalier disregard of guidance which is intended to be followed in the interest of equitable treatment of those who use a service;
Failure to mitigate the effects of rigid adherence to the letter of the law where that produces manifestly inequitable treatment.21
In the EU context, maladministration is encapsulated in a simpler iteration of the concept:
abuse of power
failure to reply
refusal of information
While the UK’s more complex definition of maladministration can be contrasted to simpler definitions adopted within the EU, what both offer is an illustration of the breadth of responsibility of public bodies and officials in carrying out their duties, and the standards to which their actions (and inactions) will be assessed. Concomitantly this establishes the numerous ways in which things can ‘go wrong’ within an organisation. In the context of information governance and in light of the findings of the evidence review, data controllers (both public and private) hold broad obligations to individual data subjects under data protection law, and as to public bodies further obligations stand in regards to the common law duty of confidentiality and human rights. Regardless of the type of data controller at issue (i.e. either public or private sector) all are obliged under an implicit if not explicit duty to prevent and mitigate any harm that may arise as a result of their processing of data. There are a variety of ways in which data controllers’ actions and inactions can lead to harm and impact to individuals, their organisation and broader public interests, effects that are both tangible and intangible but nevertheless detrimental. Equally, there are many ways in which data controllers can fulfil their duties to safeguard health and biomedical data under their custodianship.
The evidence of maladministration identified in the review demonstrates multiple opportunities where good governance could have intervened. Maladministration is not an affliction but something data controllers can act upon – and this in fact is crucial. Especially if we consider the ways human error is more likely to intervene at moments of governance lapses and exacerbate the possibility of a data incident occurring, the implications of maladministration are far reaching. Below we provide new analysis on the key findings of the evidence review – that unintentional behaviours are far more prevalent in the occurrence of data incidents – and therefore begin to explore the causal role of maladministration and intervening human error in perpetuating such incidents in the first place.
8.4 Triangulating Cause and Effect
The significance of the review lies in the evidence gathered on the causes and effects of abusing data – this evidence is crucial to developing more effective preventative and post-incident governance measures. The report provided a systematic collation of the evidence into novel typologies of abuse types, causes for abuse and of harm and impact.23 The focus in this chapter is on the underlying causes of abuse, and notably, maladministration and its interrelationship with human error. The typologies produced for the review illustrate a far broader range of circumstances that give rise to the abuse of health and biomedical data outwith current understandings which offer a narrower conception of cause and effect.24
A key finding of the review, which we focus on here, is that data practices attributed maladministration were the most prevalent cause of incidents identified. While we focussed on UK incidents in the evidence review, we have now expanded our analysis to include findings from the social media strand which provided international coverage as well. This has resulted in an adjusted count of 153 total incidents (with overlapping incidents deducted), of which 81 (53%) were caused by maladministration. (If we were to look at human error too, a further 12% of breaches (19 incidents) would be accounted for.) This represents a far larger number than originally identified.25 If we consider this in combination with the findings on abuse types (i.e. the nature of data incidents), the evidence indicates all the more strongly that data incidents attributed to unintentional behaviours of ‘insiders’ (including careless or negligent conduct) are more frequent.
Below we examine the prevalence of unintentional or negligent (as opposed to intentional) behaviours in the findings in order to shed new light on the potential interrelationship between maladministration and human error.
8.4.1 Careless and Negligent Abuse of Data
The evidence revealed new insights into the nature of the abuse of health and biomedical data including that (i) a far broader spectrum of abuse types are implicated and (ii) most abuse relates to negligent or careless behaviour. Many infamous reports of data incidents involve malicious and intentionally harmful behaviours, evoking images of nefarious characters circumventing firewalls to obtain the sensitive data of individuals.26 These images can dominate discussions of data incidents and consequently steer and focus organisational strategies of prevention outwards to potential interference by third parties – indeed, in the UK, data controllers are advised to be vigilant and prepared for ‘motivated intruders’ and ‘hackers’.27 While such incidents (which we categorised as data ‘theft’ in our report given the intent of third parties breaching a particular computer system) were indeed identified in the evidence – albeit far more prevalent in the US28 – the findings show that more often than not, lapses in technical security or procedural barriers were circumvented by far less malicious characters.
Communicated sensitive personal data of patients, including HIV positive status of one and the planned abortion of another, to the press31;
GP receptionist accessed sensitive health data of ex-husband’s new wife on fifteen separate occasions and used this information to harass the new wife32;
Uploaded sensitive data of employees to a publicly accessible website without noticing for nineteen+ weeks33;
Sent sensitive health data of patients to the wrong fax number on over forty-five occasions34;
Eight patient letters were emailed to the wrong recipients and did not notify intended recipient (patient) about the incident.35
Incidents were considered negligent or unintentional if arising out of human error or maladministration. If we now include the evidence identified by the social media strand as ‘unintentional’ (evidence which is international in coverage and not limited to the UK), an additional thirty-nine incidents can be attributed to either maladministration or human error (30 and 9 respectively). We can see here a proximity between poor governance practices and human error, where the latter can intervene (unintentionally or negligently) and exacerbate an already inconsistent information governance culture within an organisation. In the analysis below we further investigate this proximity of causal elements and estimate the prevalence of both in the majority of incidents identified in the review.
8.4.2 The Preventability of Maladministration and the Unavoidability of Human Error
Improper decommissioning of hard drives containing patient data including those that identify HIV positive patients;
Approximately 1,570 hard drives were improperly decommissioned and found to be subsequently sold on an online auction site implicating thousands of staff and patient records;
Confidential medical records were found in a garden, records revealing intimate details regarding treatment, conditions and past histories of the individuals implicated;
Confidential paperwork about mental health patients – including personal details, medical records and care plans – was found ‘blowing around’ a city centre street;
Thousands of patient and staff records were left in a disused NHS site, which was left unmonitored and subsequently accessed (on several occasions) by trespassers who took photos of the records and posted them to the Internet.36
Our characterisation of an incident as ‘maladministration’ was used to indicate multiple levels of failings in the governance of data. As indicated in the introduction to this chapter, this broad categorisation of a data incident was made according to the bottom-up, inductive approach of the review. This was done with full acknowledgement of the difficulties (if not impossibility) in drawing clear distinctions between causes for incidents, especially between those involving ‘maladministration’ and those attributed to ‘human error’.37 Due to the limitations of the study, while acknowledging the likelihood that a confluence of factors was at work in any given incident, we attempted to categorise, however broadly, for the purposes of completing the scoping exercise. It is reasonable to assume, and for this chapter we approach the evidence with the belief that many incidents, including those categorised as ‘maladministration’, were also caused and/or contributed to by other intervening factors, such ‘human error’. To illustrate the dilemma, consider, for example, if patient records were stored in a public area before being taken to a safe storage area,38 was this human error or maladministration or both? Similarly, if an unencrypted portable media drive was lost, how much of the data breach and any resultant harm is due to human error and/or due to the poor implementation of policies on proper technical security and data handling?39
The implications of this potential cross-over between cases categorised as ‘human error’ and ‘maladministration’ is that far more cases of both categories were likely within the evidence and thus both are key factors to consider in terms of the prevention of data incidents.40 Just as the two examples highlight above, distinctions were difficult if not impossible to make and therefore upon reviewing the evidence involving maladministration and human error together, the figures on maladministration could increase to a total finding of 100 incidents out of 153 (65%).41 Now operating outwith the constraints of the evidence review and upon further reflection, we would argue that where human error intervened, it was also likely that governance measures lapsed or failed to react at the appropriate time, either before or after the mistake was made. The examples are only two out of one hundred such incidents where there is a difficult, if not impossible, distinction to be made between the causal factor of maladministration and human error. It is far more likely that both were present and contributed to some degree to the incident occurring. We explore this particular point in more depth within the case studies in the section below. What is critical here is that if both human error and maladministration are at play in over 65% of data incidents identified, data controllers should place greater focus on the factor which they can control: their internal governance of people and data within their organisation.
If the focus must be placed on what can be done by data controllers, it is worth unpacking even further what precisely maladministration is – to understand the ‘what’ ‘why’ and ‘how’ it arises and how it might also relate to or at best mitigate incidents of human error. Turning back to the evidence, maladministration was found in situations, for example, where data were improperly decommissioned: appropriate processes were not in place, management did not provide appropriate oversight, regular intervals for review were not initiated and therefore appropriate governance measures (or indeed responses) were lapsed. The incidents identified demonstrated multiple failings of information governance within an organisation, representing numerous areas where governance practices could have been implemented and potentially prevented the incident from happening. Equally, and in acknowledgement of the prevalence of human error (and proximity to incidents involving maladministration), at each governance lapse there was also an opportunity for honest mistake and chance to intervene, making it far more likely, or at least easier, for a data incident to occur.
While the ‘human’ element cannot be entirely controlled, the potential for good governance measures to intervene and potentially prevent and/or mitigate any damage caused, even by honest mistake and human error, holds huge implications for the governance of health and biomedical data. If maladministration is a preventable phenomenon, insomuch as the introduction, implementation and regular review of information governance is within the control of data controller organisations, then the incidents of harm and impact attributed to maladministration are also, at least theoretically, avoidable. While maladministration and human error are not necessarily interdependent of each other, in any given case of data abuse, it is reasonable to conclude that the presence of one is likely to exacerbate the other. Together, maladministration and human error can create the perfect storm necessary for the abuse of data to occur and serve to further weaken existing culture and practices of information governance.
In the section below we consider four case studies of maladministration (originally identified in the evidence review) in order to demonstrate the multiple ways in which good governance measures may intervene and potentially reduce the likelihood of harm and impact arising from the processing of health data, even where human error might also have contributed to the incident occurring.
8.5 Good Governance to Prevent Maladministration: Case Studies of Poor Governance
The four case studies below explore the preventable nature of maladministration, whilst acknowledging the presence and potentially exacerbating factor of human error. This reflects the potential opportunity for data controllers to prevent, if not mitigate, consequent harms to and impacts on individuals, themselves as an organisation and the broader public interests at stake.
the key facts;
the nature of the breach/misuse of data;
the apparent cause of the breach/misuse;
any known impact/harm as a result of the incident; and
We feature two examples from within the NHS in the UK, one from another UK public authority and one from the US to demonstrate the broad implications of poor information governance practices across a variety of sectors and geographical regions, and how human error exacerbates the chances of a data incident occurring.
8.5.1 ‘Safe’ Havens? Unauthorised Disclosures of Patient Data
This first example involves the 2013 case of North Staffordshire Combined Healthcare NHS Trust.43 The Trust was levied a £55,000 monetary penalty from the ICO for faxing to the wrong recipient another patient’s details regarding physical and mental health on three separate occasions despite there being policies to the contrary. The compromised data were intended for the ‘Wellbeing Centre’ which facilitated access to psychological therapies.
Nature of the Incident
Both technical security and organisational procedures were in place to ensure patient details were transmitted ‘safely’. For example, the fax machine was placed within a safe haven, in that only those staff with clearance to see the information transmitted were allowed access to the machine through a secured entry point.44 Furthermore a safe haven policy and best practice guidelines for using such a fax machine for transmitting patient data were available on the staff intranet. Critically, these policies mandated the pre-programming of frequently used numbers and a call-ahead system to provide a final check that the correct number for the particular recipient was being used.
Full name, date of birth, address, ethnic origin, religion, medical history, details of mental and physical health problems and their causes, any special needs/mental health services provided and whether the individual was at risk of self-harm, serious self-neglect or exploitation by others.45
The staff involved claimed they were not aware of the policies and guidelines, nor given any specific training on how to use the fax machine in question in line with the proper protocols. Overall, the ICO found that there was a lack of effective management control over these particular data practices. More specifically, the intended recipient’s fax number (the Wellbeing Centre, which regularly received patient data), was not pre-programmed; the number was input manually each time and was found to be ‘off’ by only one digit. The staff did not call ahead to check that the correct number was being used, which could have alerted them to their mistake and prevented the disclosure.
Impact/Harm as a Result
Data disclosed to the unintended third party recipient were sensitive enough (e.g. details on mental and physical health problems and in particular instances of self-harm, self-neglect, exploitation) such that if fallen into the wrong hands, data could be used to discriminate or harass the individuals implicated. Furthermore, the fact that such sensitive data were disclosed at all to a random member of the public is likely to cause substantial distress to the individual.46 This is particularly so given that the individuals implicated were vulnerable. The longer-lasting impact of the incident could be to diminish these individuals’ confidence in the NHS and create fear and apprehension over potential disclosures in the past, and any prospect of future misuse of data, even if such incidents never come to pass.47 The societal impact of such a breach is in the potential to diminish the public’s confidence in the NHS, with this case providing yet another example of the apparent dereliction of duty in regards to patient care, in this case to patients’ data.
Ideally, there would be a complete move away from faxing as a method of transmitting sensitive personal data, however, NHS resources are limited and may be unable to avail of more expensive and up-to-date methods. Overall, more automation and fail-safe methods should be used.
Staff training could be role and machine-based; those authorised to access and use the safe haven could have in-person, hands-on training (refreshed at regular intervals) on the particular best practices involved with transmitting patient data over fax. Even if pre-programming of frequently used numbers and the call-ahead system were the only procedures emphasised during such training, this could have prevented this incident from occurring multiple times.
Failing the delivery of such training (or training not recalled by the relevant staff), short-hand reminders of these key fax machine policies could be signposted in noticeable lettering on the machine itself and adjacent area.
Protocol could require two staff to transmit patient data over fax machines to ensure two individuals are obligated to assess the accuracy of an infrequently dialled number, to ensure that it correlates to the intended recipient.
Safe havens could be monitored by relevant management, such as via CCTV budget permitting, with staff notified of this by clear signage in the safe haven area, to further incentivise adherence to the procedures.
Training could include modules/lessons including a ‘patient story’ on the serious consequences of even unintentionally careless behaviour and inattention to detail, highlighting the extremely sensitive nature of data disclosed (e.g. mental health, physical conditions etc.) and unbounded potential for harm once data are released to the public.
The potential ‘solutions’ we suggest here are both practical and feasible which supports our overriding conclusion that maladministration is itself a preventable phenomenon, even if human error is not. Notably, the ICO also considered this incident to be entirely avoidable – proper procedures were in place to call ahead and confirm the fax number for the intended recipient, but these were not communicated to the relevant staff, nor were staff given training on how to handle sensitive faxes.48 This highlights that the mere creation and existence of policies and procedures is ineffective if training, knowledge dissemination and oversight of implementation is poor, and where staff are generally unaware of the serious consequences of even their most unintentional but careless behaviours when handling data. Safe havens cannot live up to their name if managers rest on the mere existence of policies and procedures without frequent review, robust monitoring and training that reflects the realities of practice and when things go wrong.
8.5.2 Issues with Out-Sourcing: Non-secure Disposal of Patient Data
In the second example we also focus on the NHS, but a case involving outsourcing to the private sector which illustrates the sometimes dire consequences if contracts are mismanaged or ignored entirely.49 This incident is a timely example of the impact of maladministration given the reported failures and risks posed to patients by NHS outsourcing to the private-sector, not merely for IT but other services more integral to patient care.50
Here the Brighton and Sussex University Hospitals NHS Foundation Trust was served a monetary penalty for its improper decommissioning of hard drives that contained health data of HIV-positive patients among other sensitive patient and NHS staff data.51 This case involved a particular ‘subset’ of staff, namely those involved in IT. IT services were provided by an ‘affiliated NHS member’ – the Sussex Health Informatics Service (‘HIS’) – that was accredited by the Department of Health to provide such services to several NHS Trusts in Sussex. HIS often contracted to Company ‘A’ if they were unable to complete the workload. The data processing obligations between the data controller (Brighton and Sussex University Hospitals NHS Trust) and data processer (HIS) were subject to an expired agreement.
The timeline of this incident stems back to 2008 when the data controller decided to decommission approximately 1,000 hard drives. The drives were kept outside of NHS premises in commercial storage which was locked and CCTV monitored. In 2010, approximately 1,000 of the hard drives were transported to Brighton General Hospital and subsequently held in a secured room (with key coded access) until their eventual destruction. Neither HIS nor Company A were capable of the decommissioning. As a result, Company A contracted with Company ‘B’ (run and operated by a single individual) to undertake the destruction ‘without charge’. No agreement was made between HIS and Company B (despite Company B’s willingness to enter into a written agreement) to decommission the hard drives, and the individual in question was subject to minimal background checks. The data controller was unaware of this informal agreement.
The ‘destruction’ took place over a series of days between 28 to 30 September 2010 and 14 to 15 October 2010, when Company B’s proprietor (a single individual) would have required key coded access from an NHS employee to the room where the hard drives were held, and again to the key coded area where the destruction was mandated to take place (the former X-Ray department). The individual was not always monitored during the carrying and accessing of the hard drives or in the decommission process itself. Furthermore, instead of providing individual documents certifying secure destruction of each hard drive (including the relevant serial number), a blanket and single form was provided for the approximately 1,000 drives.
Nature of the Incident
[Information] originating from a database in the HIV and Genito Urinary Medicine Department. The database contained personal data, some of which were highly sensitive, including names; dates of birth; occupations; sexual preferences; STD test results and diagnoses for 67,642 patients, all in readable format. A second database (which was a subset of the larger one) consisted of the names and dates of birth of 1,527 HIV positive patients.52
Critically, data in each database could be matched with basic knowledge of Microsoft® Access and thus were identifiable in the hands of whomever acquired the drives. In 2011, further drives were reported, this time by a student who purchased from an online auction site multiple drives that were identified as belonging to the data controller (an estimated 15 out of 20 purchased drives were implicated). A subsequent police investigation revealed at least a further 232 hard drives (of the original 1,000 due to be decommissioned) were also sold by Company B’s proprietor to an online auction site.
Like the case study above, this incident demonstrates an implicit awareness of data controller and processor obligations, and the presence of procedures (albeit expired) without any sense of urgency to review or supervise the implementation of governance practices. The first place where governance was allowed to lapse was in regards to the service level agreement between the data controller and data processor. This is maladministration at its ‘best’ with at least two years passing since the expiry of the agreement. In retrospect, if it was reviewed and renewed at regular intervals, this could have highlighted to HIS (and Company A) the required parameters for subcontracting any work to third parties. Similarly, it may have triggered appropriate oversight when an unknown individual sought to obtain a contract that would have put thousands of patients’ data within their control.
The expired agreement emphasises the utmost importance of senior management buy-in and oversight of information governance within an organisation. This also speaks to the underlying data ‘culture’ within organisations that may perpetuate the belief that information governance is merely a matter of risk assessment and compliance. Therefore, we would propose that a key aspect of maladministration is an organisational culture that hinders rather than promotes, and does not act with a sense of urgency as to the implementation and regular review of information governance. From this case study and given the years in governance lapses that were able to pass, it is clear that there was neither oversight nor a sense of urgency to review and reconsider regularly the appropriateness of governance models that were being used.
Impact/Harm as a Result
A critical lesson learned from this case study relates to the very nature of data and its relation to the potential harm that may arise when data are compromised. While data are intangible and elusive, they are also extremely powerful in the right hands. Once data are ‘lost’, such as through the unsecure disposal of hard drives in this case, they are not relinquished to a black hole where they are irretrievable. What is irretrievable or irrevocable is the potential for harm to be caused as a result of the ‘loss’, especially when data are not recovered. In the present case, while all the hard drives sold illegally by Company B were ‘accounted for’, not all were recovered. It is unknown if or when these extremely sensitive personal data will be used, and the potential for discrimination as to the particular type of data compromised is clear. Even if data are recovered, it is impossible to know all those who had access once the chain of ‘custody’ was lost. The lesson here is clear – prevention is the ultimate goal, because once data are lost, they are truly ‘lost’ to the individual implicated.
This case study showcases multiple areas where governance failed and or lapsed. It highlights the problematic aspect of organisational culture that can contribute to maladministration and therefore the incidence of data misuse and abuse. Maladministration was seen in the inattention paid to and non-negotiation of a current and legally binding data processor and sub-contractor agreement, a lack of policies and procedures for the swift and secure destruction of hard drives and non-existent oversight of said procedures and policies. These governance failures are indicative of a culture where good information governance was not seen as vital, nor acted upon with a sense of urgency.
re-negotiation of the data controller’s contract with Company A to ensure subcontracting was prohibited unless and until specifically authorised by the data controller (and in particular by senior management);
the provision of clear procedures governing sub-contracting and related training on the topic for managers with responsibility for initiating and monitoring outsourcing arrangements;
although the theft of the hard drives did not occur while in commercial storage, hard drives containing such sensitive patient data should not be held in places without prior NHS vetting and accreditation for secure data storage – additional policies and procedures on secure storage of data are required;
the relevant NHS staff members with training in secure destruction should have assisted and been obligated to monitor the contractor during the entire process of access to and the actual destruction of hard drives;
technical security could have improved greatly; basic knowledge of access should not provide the ability to identify data subjects across multiple databases; far more secure de-identification techniques, such as those involving trusted third parties, can be used and are already used in certain areas of NHS and health sector.
However, this example offers even further lessons and demonstrates the diverse facets and consequences of maladministration. Most importantly, good governance requires attention to not only the collection of data and storage of data, but also throughout the data life cycle to eventual destruction. Predominant discourse surrounding information governance focuses on issues of collection and the relevance of consent and anonymisation. Less attention is focused on how data are used in future, and how, when and by whom data are to be destroyed securely. The increasing prevalence of outsourcing in the NHS means that even closer attention is required to the training and monitoring of those tasked with managing different aspects of the data life cycle, especially when an ‘outsider’ is brought ‘in’ and given access to patient data they would otherwise not have access to. Overall, what is required is a paradigmatic shift that promotes good information governance as something more integral to the mandate and overall operation of an organisation, especially in context of the NHS where patient data are integral to service delivery and patient care.
8.5.3 Carelessness and Harm: The Long-Term Impact of Human Error
In this case study, we move away from the NHS to consider how a careless mistake and lack of appropriate procedures at a county council caused serious distress to and impact upon a community and the individuals within it.53 It showcases where data from multiple sources are combined, and if compromised, can lead to great harm to the individuals implicated. In light of the current political push to further integrate public services, especially across health and social care, it is crucial to ensure that when data are linked across organisations, good governance procedures travel with data and the ensuing obligations are fully understood once data are received. Even where data do not ‘travel’ per se, good governance must attend to the increased risks where multiple types of data (such as health, demographic, justice data) are compiled and stored in a single place, especially when kept in paper-based form.
Originally categorised in the evidence as human error, this case study highlights how the absence of appropriate governance measures can combine with honest mistake to cause great harm. The case involved a long-time social worker, employed by Devon County Council, who was working on an adoption panel report for ‘Family A’. In preparing the report, the social worker used another family’s report (Family B) as a template to remind her of the information required for inclusion. She printed Family A’s report and placed it in an envelope to give to them at their next meeting. At this meeting, Family A forgot to take the envelope with their prepared report. The social worker subsequently asked them to send their address so she could post the report to them.
Nature of the Incident
When the social worker received the address of Family A she was working remotely at another office and did not have the envelope (with the correct report) with her. However, she did have access to Family A’s adoption folder where she had a printed copy of the report; she made another copy and mailed it to Family A, without checking the contents. It transpired that the social worker had not shredded the hard copy of Family B’s report that she had used as a template for Family A’s, which shed had mistakenly kept in Family A’s folder. Therefore, she had mistakenly sent a copy of Family B’s report to Family A.
The report disclosed sensitive data regarding a child of a couple who was being considered for adoption. This revealed sensitive data of over twenty-two individuals, including the couple, their immediate and extended family. The data revealed their ethnic origin and religion, details regarding physical and mental health and their alleged commission of crimes. The unintended recipients (Family A) did not return the report on Family B for over two months, just prior to the Council obtaining a court order to retrieve the documents.
While the ICO’s report on the incident was redacted, it was clear that data disclosed were of the most sensitive nature and may have in fact been used against Family B in some way by Family A. For example, consider this statement made in the ICO report: ‘The matter is aggravated by the fact that the report was erroneously sent to unauthorised third parties who [redacted text].’54
Unlike the first two case studies, this incident focuses on maladministration as an absence of relevant procedures. Despite the highly sensitive nature of the Council’s duties, in terms of facilitating adoptions and therefore compiling a host of sensitive data on individuals and their families, there was a complete lack of governance procedures directing appropriate and prohibiting inappropriate and potentially harmful data practices. It is unclear from the ICO report, but there seems to have been a duplication of paper files (namely adoption reports) across different Council offices; or, alternatively that such sensitive files were allowed to be transferred off premises without any requisite release procedure. While the case indicates clearly the intervening element of human error (borderline negligence) on the part of the social worker who did not check the contents of the family report being posted, again this was an opportunity where good governance measures could have intervened and counteracted this mistake. Good governance may be especially crucial within public authorities which are resource and time poor. Staff, including social workers, are increasingly overburdened by caseloads and potentially more prone to careless behaviour. This case does well to highlight how unintentional mistakes can perpetuate harmful consequences if staff are left undirected, without appropriate peer or senior management oversight and are generally lacking knowledge of and training through the absence of governance procedures.
Impact/Harm as a Result
This case study underlines the greater risk posed by compilations and linkages of data, where not only information as to one particular aspect of an individual’s life are disclosed, but instead offer a full or almost complete picture of that person (and potentially those they interact with). The redaction in the ICO report on this incident suggests the vulnerability of Family B whose data were disclosed. It also hints at the potential consequences suffered as a result of the incident, given the sensitivity of the compromised data but also, possibly, due to subsequent actions taken by the unintended recipient of the report (Family A), who may have used the information against members of Family B. These circumstances offer a stark juxtaposition of the often unintentional nature of ‘maladministration’, the intervening effect of human error and the great deal of harm that can nevertheless arise as a result, in spite of the best intentions of a compassionate and capable employee.
make training mandatory for all staff who come into contact with and handle individuals’ personal data;
create training modules/courses tailored to the role of the staff member and, where necessary, further customised to particular types of data processing and therefore according to the specific technology being used;
although the Council had adopted overarching data protection policies, given the sensitivity of data compiled on individuals, senior-management should be responsible for and prioritise the promotion of a good information governance culture that recognises the benefits of good governance, but that equally communicates the inherent risks involved with the handling of such data (and thus disincentives for operating without good governance);
implement a mandatory data-export approval process by a data guardian to ensure the security of any transfer of data outside the premises.
8.5.4 Lost But Not Found: A Case for Encryption
For the last case study, we draw upon evidence gathered in our social media strand that had international coverage and demonstrates the pervasiveness of maladministration in data incidents occurring far beyond the UK. The present case involves the US-based, University of Mississippi Medical Center that reported a data breach incident in 2013.55 Given that this incident was identified on Twitter, the level of detail available was far less than other cases (the previous three case studies were all reported on by the ICO and therefore provided more objective facts as to the incidents). New research on the incident for this chapter reveals further information as to the nature of, causal factors behind and potential impact of the breach.56
Nature of the Incident
In March 2013, the University of Mississippi Medical Center (‘the Center’) reported a data breach as required under federal and state laws. The Center became aware of a missing laptop in January 2013 that was used and shared amongst a number of clinicians within the patient-care area of the facility (not generally open to the public). The ‘lost’ laptop may have contained the sensitive health data of adult patients spanning over four years (2008- January 2013). The information would have included names, addresses, social security numbers, medical diagnoses, medications prescribed, treatments and other clinical data.
It was revealed subsequently that the laptop went missing almost two months (in November 2012) before it was noticed (in January 2013). Furthermore, the Center was unable to retrieve the laptop and, crucially, it was password protected but not encrypted.
This case study, while lacking in finer detail, still provides evidence of maladministration where appropriate information governance procedures were not in place to ensure the security of data in the event that hardware (such as laptops) were lost. Technical solutions are not complete solutions to achieving good information governance, but remain a crucial and necessary component. Encryption of data is a key method of protection if data ever are compromised and is standard procedure across many organisations, especially in the health sector. This lapse in governance reveals inattention to the need for regular updates and improvement of information governance policies and procedures in light of a constantly shifting data landscape. During this lapse in policy, human error (in losing the laptop) intervened and resulted in the loss of individuals’ sensitive health data. Finally, the gap in time between the laptop going missing and the Center realising this indicates a further deficiency in the lack of audit trails or appropriate oversight over organisational assets, specifically IT assets that can hold volumes of patient data.
Impact/Harm as a Result
This incident involved the apparent ‘loss’ of data or, more specifically, the loss of a portable device containing data. The health sector is increasingly dependent upon mobile and remote access to patient records, requiring the use of personal electronic devices to store and transmit data. As opposed to paper files that are far more physically limited in the amount of data they can contain, electronic portable devices, such as laptops or smartphones, can easily hold data on thousands of individuals. Furthermore, the more ‘portable’ a device is, that is capable of being used in a variety of (public) settings, the more easily it may be misplaced. The risks associated with losing portable devices can therefore reasonably be higher than paper files, simply given the sheer number of individuals whose data are capable of being lost and the inherently ‘mobile’ nature of such devices. In the present case, the hospital was unable to confirm the number of affected individuals whose data were compromised, however the data span a period of potentially four years.
At the time the breach was reported, the Center were not notified or otherwise aware of any reports of unauthorised access or misuse of patient data as a result of the breach. However, being unable to recover the lost laptop, the Center is unable to guarantee with any certainty that data will not be accessed by unauthorised parties or therefore cause harm to the individual patients implicated now or in the future.
mandating the regular review of information governance policies and procedures in-line with current best practices within their sector as to training, technology and means of protecting data;
more frequent asset ‘checks’ could have flagged to appropriate staff that the laptop was missing earlier than the two months that lapsed between it being lost and it being reported;
it is unclear from the facts presented, but any portable device in use by the Center should have been capable of remote-erasure in order to wipe all sensitive data in the event that data are lost;
if portable devices are to be used by multiple clinicians in the delivery of patient care, the same devices should not be permitted to be taken offsite; remote access to patient records does not require the storage or physical removal of patients records – access can be facilitated, more securely, via VPN connections etc.57
The case studies of maladministration considered above have demonstrated multiple inroads where good governance practices could have intervened, whether through changes to training, increased automation, knowledge dissemination, or enhanced monitoring by management. In each case, the organisation had several ‘chances’ to prevent the incident, counteract any intervening factor of human error or to at least mitigate the potential for harm and impact to themselves and the individuals implicated. It is the ability to avoid maladministration that transforms such incidents into important lessons for learning and adapting.
Clearly, new approaches to training are necessary, including training tailored to specific roles, specific uses of data and specific machines. Such contextualised training could be provided on the basis of an individual role, the level of access they have to data, the way in which they are tasked with handling data and the specific media through which they process data such as a fax machine or by post. Despite the predominant one-size-fits-all approach to information governance training, this leaves large gaps in understanding that can result in serious consequences for all involved. Furthermore, the mere ‘presence’ of policies and procedures is not enough to prevent incidents from occurring. In the first two case studies examined above there were indeed policies and procedures, but they were not communicated, monitored, reviewed frequently enough or updated in light of issues spotted by management. However, practical changes to training are not all that is needed – organisational culture too must be addressed. To instil a culture that takes data ‘seriously’, training at all levels, should emphasise the harm and impact that can arise from maladministration regardless of the intentions of the employee. The evidence demonstrates clearly that negligent and unintentional behaviours are more prevalent in data incidents than cases of involving intentional abuse of data. The very nature of data makes the stakes higher – once data are compromised it will often be impossible to guarantee with any degree of certainty that there are no risks to individuals implicated.
A mixture of ‘soft’ and ‘hard’ approaches to information governance would help introduce a culture where the handling of data is taken more seriously by those responsible for it – the important role each individual employee has in relation to data they process must be communicated. A soft approach would include the encouragement of reporting instances where data are unintentionally compromised in order to trigger quickly and effectively protocols to mitigate any damage done. A hard approach should be taken where policies are ignored actively, training not taken seriously and of course in the extreme situation where data are abused intentionally by staff. A mixed approach can create appropriate disincentives for maladministration. However, it is equally important to communicate to staff the public interests served by the safe processing of data, including for research uses, for the successful operation of healthcare systems and services and to help maintain confidence in the public service offered and so forth. And while no amount of good governance can prevent such incidents fully, or counteract the intervening human element of chance and honest mistakes, improvements to training, implementation, oversight, awareness and a culture of non-blame can create environments where timely and appropriate reactions are taken to mitigate the broad spectrum of harms and impacts that arise as a result of both intentional and unintentional behaviours.
Since the completion of the evidence review, instances of maladministration of health and biomedical data continue to be reported. The preventability of maladministration and the potential ability for good governance to counteract or at least mitigate the impact of human error and mistake cannot be understated: encryption or remote-wipe options could be used to prevent sensitive data leaking in the event a portable device is lost or stolen58; easy checks could be made to ensure data are sent to the correct recipients, at the correct address59; quick lessons could be learned from previous mistakes if remedial action and knowledge dissemination were handled appropriately.60 The continued occurrence of data breach incidents as a result of maladministration indicates that a new approach is required to the information governance of health and biomedical data in the UK. Even where policies and procedures are in place, they have not been able to prevent the rising incidence of data abuse in the health sector. In this sense, such incidents also indicate that human error and honest mistakes will continue to happen, but as the arguments set forth in this chapter indicate, good information governance provides an important chance to counteract this unavoidable element of the data landscape.
With the now finalised General Data Protection Regulation61 (‘GDPR’) and its overhauled approach to data breaches and penalties,62 the stakes are even higher for organisations to get the governance of health data ‘right’. Given the broad spectrum of harms and impacts that can arise from the maladministration of health and biomedical data, as well as the potentially unbounded nature of any resulting harm to the individuals implicated, organisational culture must acknowledge and communicate the seriousness of processing personal data. Changes to the way people are trained and otherwise directed to handle data within organisations should be the primary focus of efforts to reduce current trends in the abuse of data and mitigate resulting harm to individuals, organisations and the broader public interests at stake.
All websites were accessed on March 24, 2016.
Alex Matthews-King, “GPs Prepare to Contact Patients Individually as Care.data Is Relaunched in Some Areas,” Pulse, June 15, 2015, http://www.pulsetoday.co.uk/your-practice/practice-topics/it/gps-prepare-to-contact-patients-individually-as-caredata-is-relaunched-in-some-areas/20010215.article#.VX768RNViko; Pam Carter, Graeme T Laurie, and Mary Dixon-Woods, “The Social Licence for Research: Why Care.data Ran into Trouble,” Journal of Medical Ethics, January 23, 2015, doi:10.1136/medethics-2014-102,374; Chris Pounder, “Proposals to Expand Central NHS Register Creates a National Population Register and Significant Data Protection/privacy Risks,” Hawktalkhttp://amberhawk.typepad.com/amberhawk/2015/01/proposals-to-expand-central-nhs-register-creates-a-national-population-register-and-significant-data.html; Ken Macdonald, “Consultation on Proposed Amendments to the NHS Central Register (Scotland) Regulations 2006 - ICO Response,” February 25, 2015, https://ico.org.uk/media/about-the-ico/consultation-responses/2015/1043385/ico-response-nhs-central-register-20150225.pdf.
With the Data Protection (Monetary Penalties) Order 2010, the ICO could levy ‘monetary penalties’ on data controllers for serious contraventions of any data protection principles under the Data Protection Act 1998 (‘DPA’). ICO, “[ARCHIVED CONTENT] Data Security Incident Trends,” October 19, 2015, http://webarchive.nationalarchives.gov.uk/20150423125423/https://ico.org.uk/action-weve-taken/data-security-incident-trends/; ICO, “Data Breach Trends,” December 22, 2015, https://ico.org.uk/action-weve-taken/data-breach-trends/; ICO, “Data Protection Act 1998: Information Commissioner’s Guidance about the Issue of Monetary Penalties Prepared and Issued under Section 55C (1) of the Data Protection Act 1998,” December 2015, https://ico.org.uk/media/for-organisations/documents/1043720/ico-guidance-on-monetary-penalties.pdf.
As of January 2016, 11 health organisations were served with monetary penalty notices by the ICO, relating to data breaches between 2012 and 2015 in an amount totalling more than £1.43 million. This includes one ‘Health & Retail and Manufacture’ organisation called Pharmacy 2 U Limited, an online pharmacy which sold more than 20,000 customers data to marketing companies without their consent. See: ICO, “Civil Monetary Penalties Issued,” 2016, https://ico.org.uk/media/action-weve-taken/csvs/1042752/civil-monetary-penalties.csv.
Ponemon Institute, “2015 Cost of Data Breach Study: Global Analysis,” 2015, 2, http://www-03.ibm.com/security/data-breach/.
ICO, “Data Breach Trends.”
A reference to ongoing debates over the sufficiency of anonymisation: Paul Ohm, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” UCLA Law Review 57 (2009): 1701–77; Arvind Narayanan and Vitaly Shmatikov, “De-Anonymizing Social Networks,” in 30th IEEE Symposium on Security & Privacy, 2009, https://www.cs.utexas.edu/~shmat/shmat_oak09.pdf; Paul M. Schwartz and Daniel J. Solove, “The PII Problem: Privacy and a New Concept of Personally Identifiable Information,” New York University Law Review 86, no. 6 (2011): 1814–94; Melissa Gymrek et al., “Identifying Personal Genomes by Surname Inference,” Science 339, no. 6117 (January 18, 2013): 321–24, doi:10.1126/science.1229566; Latanya Sweeney and Ji Su Yoo, “De-Anonymizing South Korean Resident Registration Numbers Shared in Prescription Data,” Technology Science, September 29, 2015, http://techscience.org/a/2015092901.
Defined according to the terms of reference in our report. Graeme Laurie et al., “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data” (Nuffield Council on Bioethics and Wellcome Trust Expert Advisory Group on Data Access, February 3, 2015), 30, http://nuffieldbioethics.org/project/biological-health-data/evidence-gathering/.
Throughout this chapter references to ‘data’ are done so with this working definition in mind. Ibid.
For example, health and various demographic data are sought for research facilitated by the UK’s Administrative Data Research Network and similarly under the Farr Institute. Administrative Data Research Network, “About Us,” 2015, http://adrn.ac.uk/about; “About the Farr Institute,” Farr Institute, 2015, http://www.farrinstitute.org/.
The UK’s ICO identifies particular incidents, such as loss of paper files, data being posted or faxed to the wrong recipient, as key areas of concern for the health sector. These incidents were identified and categorised under ‘maladministration’ in the authors’ evidence review. ICO, “Data Breach Trends.”
We reference here ongoing research, guidelines and best practice models of good governance of health data within the UK. Department of Health, “Research Governance Framework for Health and Social Care: Second Edition,” April 24, 2005, http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/documents/digitalasset/dh_4122427.pdf; Information Governance Working Group The Scottish Health Informatics Programme, “SHIP Guiding Principles and Best Practices,” October 22, 2010, http://www.scot-ship.ac.uk/sites/default/files/Reports/Guiding_Principles_and_Best_Practices_221010.pdf; The Scottish Health Informatics Programme, “A Blueprint for Health Records Research in Scotland,” July 10, 2012, http://www.scot-ship.ac.uk/sites/default/files/Reports/SHIP_BLUEPRINT_DOCUMENT_final_100712.pdf; The Scottish Government, “Joined-Up Data For Better Decisions: Guiding Principles For Data Linkage,” November 6, 2012, http://www.scotland.gov.uk/Resource/0040/00407739.pdf; Nayha Sethi and Graeme T. Laurie, “Delivering Proportionate Governance in the Era of eHealth: Making Linkage and Privacy Work Together,” Medical Law International 13, no. 2–3 (June 1, 2013): 168–204, doi:10.1177/0968533213508974; NHS Wales Informatics Service, “Information Governance,” 2015, http://www.wales.nhs.uk/nwis/page/52618; Swansea University, “SAIL - The Secure Anonymised Information Linkage Databank,” 2015, http://www.saildatabank.com/; Swansea University, “SAIL DATABANK - Publications,” 2015, http://www.saildatabank.com/data-dictionary/publications.
The full report is available on the NCOB website.
“Mason Institute, University of Edinburgh,” http://masoninstitute.org/; “Administrative Data Research Centre Scotland,” n.d., http://adrn.ac.uk/centres/scotland; “About Farr Institute @ Scotland,” http://www.farrinstitute.org/centre/Scotland/3_About.html.
“About Farr Institute @ CIPHER,” http://www.farrinstitute.org/centre/CIPHER/34_About.html.
Details on search methodology: Laurie et al., “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data,” 52–57.
A topic explored in a publication devoted to the idea of non-use and the potential impacts of known failures to use data when it may have been in the public interest to do so. Kerina Jones et al., ‘The other side of the coin: Harm due to the non-use of health-related data’ (2016) International Journal of Medical Informatics 97.
Genetic data were considered as a separate category of sensitive personal data, as it is, for example, treated separately from health and biomedical data in the forthcoming General Data Protection Regulation and in relevant literature. See: G. T. Laurie, Genetic Privacy: A Challenge to Medico-Legal Norms (New York: Cambridge University Press, 2002); Mark Taylor, Genetic Data and the Law : A Critical Perspective on Privacy Protection (New York: Cambridge University Press, 2012) “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)” 2016, http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN.
We distinguished health and biomedical data from ‘human materials’ such as organs, and any associated data, which are regulated within a different context and framework. See: Human Tissue Act 2004; Graeme Laurie, Kathryn Hunter, and Sarah Cunningham-Burley, “Guthrie Cards in Scotland: Ethical, Legal and Social Issues” (The Scottish Government, 2013), http://www.scotland.gov.uk/Resource/0044/00441799.pdf; Graeme Laurie and Shawn Harmon, “Through the Thicket and Across the Divide: Successfully Navigating the Regulatory Landscape in Life Sciences Research,” University of Edinburgh, Research Paper Series 2013/30 (n.d.), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2302568.
On our broader conceptualisation of harm, importantly as including ‘impact’ to individuals: Laurie et al., “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data,” 41–46.
The first nine examples: HC Deb 18 October 1966, vol 734, col. 50.
The rest of this list was later added by: “Parliamentary Commissioner for Administration. Third Report - Session 1993–94. Annual Report for 1993,” House of Common Papers, 1993.
European Ombudsman, “What Is Maladministration?,” n.d., http://www.ombudsman.europa.eu/atyourservice/couldhehelpyou.faces.
The ICO routinely identifies the following categories of data breach types in their quarterly data breach trend report: loss or theft of paperwork; data posted or faxed to an incorrect recipient; data sent by email to an incorrect recipient; insecure webpages (including hacking); loss or theft of unencrypted device. Furthermore, in their Q2 2015 report, the ICO considers increased media attention to data protection issues and the pressure felt by organisations regarding the forthcoming GDPR (and soon to be mandatory data breach reporting scheme) as a reason for the increase in reported incidents in sectors other than health (where mandatory reporting is already required). ICO, “Data Breach Trends.”
Compare the ICO data breach categorisation by type (Note 23 above) compared to the broader range we identified from the evidence, which adds: fabrication/falsification of data, non-secure disposal of data, unauthorised retention and non-use.
Including 50 incidents from the hard evidence, 52 in the social media strand and 59 identified in the soft evidence strand. The adjusted total of 153 incidents accounts for eight cases of overlap across the three strands of evidence. See: Laurie et al., “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data,” 166–200.
For example, consider that more than half of the most ‘infamous’ reported data breach incidents in the UK involve hackers and incidents involving intentional abuse of data which must be contrasted to our findings where data incidents involving non-intentional behaviours were far more prevalent. John E Dunn, “The UK’s 11 Most Infamous Data Breaches 2015,” Techworld, October 30, 2015, http://www.techworld.com/security/uks-11-most-infamous-data-breaches-2015-3604586/.
The Information Commissioner’s Office, “Anonymisation: Managing Data Protection Risk Code of Practice,” November 20, 2012, 22–23, https://ico.org.uk/media/1061/anonymisation-code.pdf; Roland Moore-Colyer, “Hackers Will Target Online NHS Medical Data, Warns ICO,” February 10, 2015, http://www.v3.co.uk/v3-uk/news/2394660/hackers-will-target-online-nhs-medical-data-warns-ico.
The social media strand of the review, conducted on Twitter, identified twenty cases of data theft. Eighteen occurred in the US. Only one occurred in the UK (and one in Zambia). This is in contrast to the overall findings of the report where negligent behaviour was found to be the primary abuse type. See: Laurie et al., “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data,” 88–89.
Ibid., 176, 179, Incident No. EUC6 and EUC11.
Ibid., 170, Incident No. ICOP3.
Ibid., 173, Incident No. ICOM10 and G10.
Ibid., 174, Incident No. ICOM14.
Ibid., 195, Incident No. News16.
Ibid., 66. Incident No. ICOM13, ICOM3/G07, TW25/B4, TW38, ICOM12.
Not least because of the varied level of detail available on each incident and across evidence strands. For example, in the soft evidence (i.e. when examining the grey literature, such as newspapers), the information was often less specific than in the hard evidence (which focused on legal court cases and ICO regulatory reporting). Common sense indicated the interdependency of causal factors, such as between human error and maladministration, but based on the methodology, one category was chosen as opposed to two or more. Ibid., 20, 113.
Incident No. Inc39-E18.
Incident No. ICOM2.
Again, the categories devised for the review were sometimes quite specific, but also quite broad. A case in point is the category ‘maladministration’. Particularly in the soft evidence strand, there was insufficient evidence to break incidents around maladministration down further (e.g. failure to consider the risks or potential problems, failure to develop suitable systems and procedures). Simultaneously, if we had employed further sub-categories, then many cells in the typology tables would have been empty. This would have implications for the inferences we could make.
We identified 85 counts of maladministration and 23 counts of human error, for a total of 108 which is adjusted by 8 for overlapping reporting of incidents across the evidence strands.
For example: Department of Health, “Report on the Review of Patient-Identifiable Information,” 1997, http://webarchive.nationalarchives.gov.uk/+/www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationspolicyandGuidance/DH_4068403; Department of Health, “Information: To Share or Not to Share? The Information Governance Review,” March 2013, https://www.gov.uk/government/publications/the-information-governance-review.
Incident No. ICOM4 and TW23.
ICO, “Monetary Penalty Notice: North Staffordshire Combined Healthcare NHS Trust,” June 11, 2013, 2, http://webarchive.nationalarchives.gov.uk/20140603223034/http://ico.org.uk/youth/sitecore/content/Home/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/north-staffordshire-combined-healthcare-nhs-trust-monetary-penalty-notice.ashx.
Laurie et al., “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data,” 114–115. See also: “Fax Blunder Leads to £55,000 Penalty for Staffordshire Trust,” ICO, (June 13, 2013), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2013/06/fax-blunder-leads-to-55-000-penalty-for-staffordshire-trust/.
Incident No. ICOM13 and news18.
Charlier Cooper, “Thousands of Patients at Risk from NHS Outsourcing,” The Independent, http://www.independent.co.uk/life-style/health-and-families/health-news/thousands-of-patients-at-risk-from-nhs-outsourcing-9799937.html; Centre for Health and the Public Interest, “The Contracting NHS – Can the NHS Handle the Outsourcing of Clinical Services?,” http://chpi.org.uk/wp-content/uploads/2015/04/CHPI-ContractingNHS-Mar-final.pdf; Gill Plimmer, “NHS Brings to a Halt Two Years of ‘exuberant’ Outsourcing Growth,” FT.com, September 28, 2015, http://www.ft.com/cms/s/0/92059d56-6361-11e5-a28b-50226830d644.html#axzz3z28UbghL.
This references facts reported by the ICO: “Brighton and Sussex University Hospitals NHS Trust Breach Watch,” Breach Watch, 2012, http://breachwatch.com/2012/06/01/brighton-and-sussex-university-hospitals-nhs-trust/; ICO, “Monetary Penalty Notice: Brighton and Sussex University Hospitals NHS Foundation Trust,” June 11, 2013, http://webarchive.nationalarchives.gov.uk/20140603223034/http://ico.org.uk/youth/sitecore/content/Home/enforcement/~/media/documents/library/Data_Protection/Notices/bsuh_monetary_penalty_notice.ashx.
ICO, “Monetary Penalty Notice: Brighton and Sussex University Hospitals NHS Foundation Trust,” 3.
In reference to Incident No. ICOM8.
ICO, “Monetary Penalty Notice: Devon County Council,” December 10, 2012, 5, http://webarchive.nationalarchives.gov.uk/20140603223034/http://ico.org.uk/youth/sitecore/content/Home/enforcement/~/media/documents/library/Data_Protection/Notices/devon_county_council_monetary_penalty_notice.ashx.
Incident No. TW29.
The University of Mississippi Medical Center Division of Public Affairs, “UMMC Administration Notifies Patients of Breach of Protected Health and Personal Information,” March 21, 2013, https://www.umc.edu/uploadedFiles/UMCedu/Content/Administration/Institutional_Advancement/Public_Affairs/News_and_Publications/Press_Releases/2013/2013-03-21/NR_Notice_Breach_Patient_Info_3_21_13.pdf; “Healthcare Data Breach Hits University of Mississippi Medical Center,” n.d., http://www.databreachwatch.org/healthcare-data-breach-hits-university-of-mississippi-medical-center/; “Chronology of Data Breaches Security Breaches 2005 - Present,” Privacy Rights Clearinghouse, 2016, http://www.privacyrights.org/sites/privacyrights.org/files/static/Chronology-of-Data-Breaches_-_Privacy-Rights-Clearinghouse.pdf.
For example: “Remote Access: Flexible Working Made Simple,” N3 Connecting Healthcare, 2016, http://n3.nhs.uk/n3cloudconnect/ConnectAnywhere(remote).cfm.
“Western Health & Social Care Trust,” ICO, July 15, 2015, https://ico.org.uk/action-weve-taken/enforcement/western-health-social-care-trust/.
“South West Yorkshire Partnership NHS Foundation Trust,” ICO, June 3, 2015, https://ico.org.uk/action-weve-taken/enforcement/south-west-yorkshire-partnership-nhs-foundation-trust/.
“Northumbria Health Care NHS Foundation,” ICO, May 11, 2015, https://ico.org.uk/action-weve-taken/enforcement/northumbria-health-care-nhs-foundation/.
The final text of the GPDR was agreed on 15 December 2015 and is to be implemented by Member States 25 May 2018.
For example, note the drastic increase in administrative fines with the potential for €10-20 M or 2–4% of worldwide turnover to be levied depending on the nature of the infringement. GDPR, Art 83.
- “About Farr Institute @ CIPHER.” http://www.farrinstitute.org/centre/CIPHER/34_About.html.
- “About Farr Institute @ Scotland.” http://www.farrinstitute.org/centre/Scotland/3_About.html.
- “About the Farr Institute.” Farr Institute, 2015. http://www.farrinstitute.org/.
- “Administrative Data Research Centre Scotland,” n.d. http://adrn.ac.uk/centres/scotland.
- “Brighton and Sussex University Hospitals NHS Trust | Breach Watch.” Breach Watch, 2012. http://breachwatch.com/2012/06/01/brighton-and-sussex-university-hospitals-nhs-trust/.
- Carter, Pam, Graeme T Laurie, and Mary Dixon-Woods. “The Social Licence for Research: Why Care.data Ran into Trouble.” Journal of Medical Ethics, January 23, 2015. doi:10.1136/medethics-2014-102374.
- Centre for Health and the Public Interest. “The Contracting NHS – Can the NHS Handle the Outsourcing of Clinical Services?” http://chpi.org.uk/wp-content/uploads/2015/04/CHPI-ContractingNHS-Mar-final.pdf.
- “Chronology of Data Breaches Security Breaches 2005 – Present.” Privacy Rights Clearinghouse, 2016. http://www.privacyrights.org/sites/privacyrights.org/files/static/Chronology-of-Data-Breaches_-_Privacy-Rights-Clearinghouse.pdf.
- Cooper, Charlier. “Thousands of Patients at Risk from NHS Outsourcing.” The Independent. http://www.independent.co.uk/life-style/health-and-families/health-news/thousands-of-patients-at-risk-from-nhs-outsourcing-9799937.html.
- Council of the European Union. Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) [first Reading] – Analysis of the Final Compromise Text with a View to Agreement, 2015.Google Scholar
- Department of Health. “Information: To Share or Not to Share? The Information Governance Review,” March 2013. https://www.gov.uk/government/publications/the-information-governance-review.
- ———. “Report on the Review of Patient-Identifiable Information,” 1997. http://webarchive.nationalarchives.gov.uk/+/www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationspolicyandGuidance/DH_4068403.
- ———. “Research Governance Framework for Health and Social Care: Second Edition,” April 24, 2005. http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/documents/digitalasset/dh_4122427.pdf.
- Dunn, John E. “The UK’s 11 Most Infamous Data Breaches 2015.” Techworld, October 30, 2015. http://www.techworld.com/security/uks-11-most-infamous-data-breaches-2015-3604586/.
- European Ombudsman. “What Is Maladministration?,” n.d. http://www.ombudsman.europa.eu/atyourservice/couldhehelpyou.faces.
- “Fax Blunder Leads to £55,000 Penalty for Staffordshire Trust.” ICO, June 13, 2013. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2013/06/fax-blunder-leads-to-55-000-penalty-for-staffordshire-trust/.
- “Healthcare Data Breach Hits University of Mississippi Medical Center,” n.d. http://www.databreachwatch.org/healthcare-data-breach-hits-university-of-mississippi-medical-center/.
- ICO. “[ARCHIVED CONTENT] Data Security Incident Trends,” October 19, 2015. http://webarchive.nationalarchives.gov.uk/20150423125423/https://ico.org.uk/action-weve-taken/data-security-incident-trends/.
- ———. “Civil Monetary Penalties Issued,” 2016. https://ico.org.uk/media/action-weve-taken/csvs/1042752/civil-monetary-penalties.csv.
- ———. “Data Breach Trends,” December 22, 2015. https://ico.org.uk/action-weve-taken/data-breach-trends/.
- ———. “Data Protection Act 1998: Information Commissioner’s Guidance about the Issue of Monetary Penalties Prepared and Issued under Section 55C (1) of the Data Protection Act 1998,” December 2015. https://ico.org.uk/media/for-organisations/documents/1043720/ico-guidance-on-monetary-penalties.pdf.
- ———. “Monetary Penalty Notice: Brighton and Sussex University Hospitals NHS Foundation Trust,” June 11, 2013. http://webarchive.nationalarchives.gov.uk/20140603223034/http://ico.org.uk/youth/sitecore/content/Home/enforcement/~/media/documents/library/Data_Protection/Notices/bsuh_monetary_penalty_notice.ashx.
- ———. “Monetary Penalty Notice: Devon County Council,” December 10, 2012. http://webarchive.nationalarchives.gov.uk/20140603223034/http://ico.org.uk/youth/sitecore/content/Home/enforcement/~/media/documents/library/Data_Protection/Notices/devon_county_council_monetary_penalty_notice.ashx.
- ———. “Monetary Penalty Notice: North Staffordshire Combined Healthcare NHS Trust,” June 11, 2013. http://webarchive.nationalarchives.gov.uk/20140603223034/http://ico.org.uk/youth/sitecore/content/Home/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/north-staffordshire-combined-healthcare-nhs-trust-monetary-penalty-notice.ashx.
- Ken Macdonald. “Consultation on Proposed Amendments to the NHS Central Register (Scotland) Regulations 2006 – ICO Response,” February 25, 2015. https://ico.org.uk/media/about-the-ico/consultation-responses/2015/1043385/ico-response-nhs-central-register-20150225.pdf.
- Laurie, Graeme, and Shawn Harmon. “Through the Thicket and Across the Divide: Successfully Navigating the Regulatory Landscape in Life Sciences Research.” University of Edinburgh, Research Paper Series 2013/30 (n.d.). http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2302568.
- Laurie, Graeme, Kathryn Hunter, and Sarah Cunningham-Burley. “Guthrie Cards in Scotland: Ethical, Legal and Social Issues.” The Scottish Government, 2013. http://www.scotland.gov.uk/Resource/0044/00441799.pdf.
- Laurie, Graeme, Kerina Jones, Leslie Stevens, and Christine Dobbs. “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data.” Nuffield Council on Bioethics and Wellcome Trust Expert Advisory Group on Data Access, February 3, 2015. http://nuffieldbioethics.org/project/biological-health-data/evidence-gathering/.
- Laurie, G. T. Genetic Privacy: A Challenge to Medico-Legal Norms. New York: Cambridge University Press, 2002.Google Scholar
- “Mason Institute, University of Edinburgh.” http://masoninstitute.org/.
- Matthews-King, Alex. “GPs Prepare to Contact Patients Individually as Care.data Is Relaunched in Some Areas.” Pulse, June 15, 2015. http://www.pulsetoday.co.uk/your-practice/practice-topics/it/gps-prepare-to-contact-patients-individually-as-caredata-is-relaunched-in-some-areas/20010215.article#.VX768RNViko.
- Moore-Colyer, Roland. “Hackers Will Target Online NHS Medical Data, Warns ICO,” February 10, 2015. http://www.v3.co.uk/v3-uk/news/2394660/hackers-will-target-online-nhs-medical-data-warns-ico.
- Narayanan, Arvind, and Vitaly Shmatikov. “De-Anonymizing Social Networks.” In 30th IEEE Symposium on Security & Privacy, 2009. https://www.cs.utexas.edu/~shmat/shmat_oak09.pdf.
- “Northumbria Health Care NHS Foundation.” ICO, May 11, 2015. https://ico.org.uk/action-weve-taken/enforcement/northumbria-health-care-nhs-foundation/.
- Ohm, Paul. “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization.” UCLA Law Review57 (2009): 1701–77.Google Scholar
- “Parliamentary Commissioner for Administration. Third Report – Session 1993–94. Annual Report for 1993.” Document Type: HOUSE OF COMMONS PAPERS, 1993. http://gateway.proquest.com/openurl?url_ver=Z39.88-2004&res_dat=xri:hcpp&rft_dat=xri:hcpp:rec:1993-093380.
- Plimmer, Gill. “NHS Brings to a Halt Two Years of ‘exuberant’ Outsourcing Growth.” FT.com, September 28, 2015. http://www.ft.com/cms/s/0/92059d56-6361-11e5-a28b-50226830d644.html#axzz3z28UbghL.
- Pounder, Chris. “Proposals to Expand Central NHS Register Creates a National Population Register and Significant Data Protection/privacy Risks.” Hawktalk. http://amberhawk.typepad.com/amberhawk/2015/01/proposals-to-expand-central-nhs-register-creates-a-national-population-register-and-significant-data.html.
- “REGULATION (EU) No 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation),” 2016. http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN.
- “Remote Access: Flexible Working Made Simple.” N3 Connecting Healthcare, 2016. http://n3.nhs.uk/n3cloudconnect/ConnectAnywhere(remote).cfm.
- Schwartz, Paul M., and Daniel J. Solove. “The PII Problem: Privacy and a New Concept of Personally Identifiable Information.” New York University Law Review 86, no. 6 (2011): 1814–94.Google Scholar
- “South West Yorkshire Partnership NHS Foundation Trust.” ICO, June 3, 2015. https://ico.org.uk/action-weve-taken/enforcement/south-west-yorkshire-partnership-nhs-foundation-trust/.
- Swansea University. “SAIL DATABANK - Publications,” 2015. http://www.saildatabank.com/data-dictionary/publications.
- ———. “SAIL - The Secure Anonymised Information Linkage Databank,” 2015. http://www.saildatabank.com/.
- Sweeney, Latanya, and Ji Su Yoo. “De-Anonymizing South Korean Resident Registration Numbers Shared in Prescription Data.” Technology Science, September 29, 2015. http://techscience.org/a/2015092901.
- Taylor, Mark. Genetic Data and the Law : A Critical Perspective on Privacy Protection. New York: Cambridge University Press, 2012.Google Scholar
- The Information Commissioner’s Office. “Anonymisation: Managing Data Protection Risk Code of Practice,” November 20, 2012. https://ico.org.uk/media/1061/anonymisation-code.pdf.
- The Scottish Government. “Joined-Up Data For Better Decisions: Guiding Principles For Data Linkage,” November 6, 2012. http://www.scotland.gov.uk/Resource/0040/00407739.pdf.
- The Scottish Health Informatics Programme. “A Blueprint for Health Records Research in Scotland,” July 10, 2012. http://www.scot-ship.ac.uk/sites/default/files/Reports/SHIP_BLUEPRINT_DOCUMENT_final_100712.pdf.
- The Scottish Health Informatics Programme, Information Governance Working Group. “SHIP Guiding Principles and Best Practices,” October 22, 2010. http://www.scot-ship.ac.uk/sites/default/files/Reports/Guiding_Principles_and_Best_Practices_221010.pdf.
- The University of Mississippi Medical Center Division of Public Affairs. “UMMC ADMINISTRATION NOTIFIES PATIENTS OF BREACH OF PROTECTED HEALTH AND PERSONAL INFORMATION,” March 21, 2013. https://www.umc.edu/uploadedFiles/UMCedu/Content/Administration/Institutional_Advancement/Public_Affairs/News_and_Publications/Press_Releases/2013/2013-03-21/NR_Notice_Breach_Patient_Info_3_21_13.pdf.
- “Western Health & Social Care Trust.” ICO, July 15, 2015. https://ico.org.uk/action-weve-taken/enforcement/western-health-social-care-trust/.