Dangers from Within? Looking Inwards at the Role of Maladministration as the Leading Cause of Health Data Breaches in the UK

  • Leslie Stevens
  • Christine Dobbs
  • Kerina Jones
  • Graeme Laurie


Despite the continuing rise of data breaches in the United Kingdom’s health sector there remains little evidence or understanding of the key causal factors leading to the misuse of health data and therefore uncertainty remains as to the best means of prevention and mitigation. Furthermore, in light of the forthcoming General Data Protection Regulation, the stakes are higher and pressure will continue to increase for organisations to adopt more robust approaches to information governance. This chapter builds upon the authors’ 2014 report commissioned by the United Kingdom’s Nuffield Council on Bioethics and Wellcome Trust’s Expert Advisory Group on Data Access, which uncovered evidence of harm from the processing of health and biomedical data. One of the review’s key findings was identifying maladministration (characterised as the epitome of poor information governance practices) as the number one cause for data breach incidents. The chapter uses a case study approach to extend the work and provide novel analysis of maladministration and its role as a leading cause of data breaches. Through these analyses we examine the extent of avoidability of such incidents and the crucial role of good governance in the prevention of data breaches. The findings suggest a refocus of attention on insider behaviours is required, as opposed to, but not excluding, the dominant conceptualisations of data misuse characterised by more publicised (and sensationalised) incidents involving third-party hackers.


Keywords: Privacy; Information governance; Data breach; Data security; Patient data; Harm



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Leslie Stevens (1)
  • Christine Dobbs (2)
  • Kerina Jones (3)
  • Graeme Laurie (1)

  1. Mason Institute, University of Edinburgh School of Law, Old College, Edinburgh, UK
  2. GENCAS, Swansea University, Swansea, UK
  3. Swansea University Medical School, Swansea, UK
