Good information governance – a key aspect for achieving savings and efficiency gains

The recent publication of the “Information on the Quality of Services – Final Report” released to the government by the National Quality Board, highlighted “40% of health budgeting areas, representing £20bn of annual expenditure, are without any nationally collected quality information”.

Representing a significant amount of public expenditure, within which there will unquestionably be significant opportunities for savings and efficiency gains, information has therefore been acknowledged to be the key to NHS reform and at the heart of the new coalition government strategy (Equity and Excellence: Liberating the NHS), which promotes the need for an information revolution in health to deliver greater choice and control.

Staff use of operational clinical and administrative systems and the data inputs they make are therefore set to become increasingly important as organisations seek to increase operational analysis capability and improved measures of performance, with the objective of identifying ways to make the urgent and significant savings and efficiency gains required.

Time now for organisations to re-appraise their approach with information governance investment and capability development to exploit better the support this lends to the development of information assets and the immediate requirement to expose shortfalls or gaps in the use of operational systems.

Change of perception required first?

The range of technology solutions supporting greater efficiency and reliability in addressing information governance toolkit requirements is increasing rapidly. Most if implemented correctly deliver a significant range of benefits as well as very good returns on investment, in relatively short time scales. However, focus and priority on technology investment as the best option for addressing information governance requirements has yet to mature.

For example, the requirement to make improvements on data security leading to the wide scale adoption of portable device encryption, only became urgent in the wake of HMRC losing disks holding unencrypted records on 23m UK citizens.

Even this was only subsequent to the then Prime Minister calls for a Cabinet Office review of government data handling procedures, leading to the identification of serious weaknesses across health in the handling of sensitive, private information. At this time, the NHS Information Governance Toolkit was nearly six years old.

Within the toolkit were requirements and guidelines underpinning legal and statutory obligations on data security. Yet the wide scale use of device encryption technologies had not become the norm. Alongside the likes of operational investments in network operating systems, data backup, disaster recovery / fault tolerance and anti-virus. All that were accepted to be, not just one time procurements, but items (concerning data security) requiring regularly review and upgrade.

After twenty years of increased technology infrastructure investment, it has been naturally accepted that these back-office operational elements of the IT infrastructure warrant ongoing investment with high levels of oversight, and regular maintenance.

Because a failure of any of these can have an obvious and detrimental effect on the ability of the organisation to conduct its business, with the potential to adversely affect quality of care during any period of disruption. Yet the need for data encryption of mobile devices was not appreciated in the same way.

In another example the requirement 8-305 referenced earlier, represents a significant program of work if undertaken manually. It is not unusual for trusts to have anything up to 20 major operational systems in daily use, across the computing estate. Each with its own user account and access rights mechanism. Assessment and subsequent review of user account status for all staff, across these systems to support attainment of level 2, in the first instance, is not an insignificant amount of work.

Even with the gathering of user account data and associated access logs, and subsequent analysis of this data accomplished. Establishing a process of ongoing management review and control, commiserate with the commonly complex staffing arrangements and substantial rate of staff change that occurs within trusts, requires a considerable amount of management time and effort.

Addressed manually this translates to not only an inefficient use of resources and occurrence of avoidable costs, but an information governance function that is operating at an unnecessary high level of risk.

Despite the availability of proven technology and strong business benefits delivered through use of technology to meet and maintain standards for 8-305, very much more cost effectively and with considerably less risk. Few trusts have managed to succeed with a business case to secure support for the investment required.

Conversely, a good number of trusts have acknowledged the wider issue and complexity of staff having to manage multiple logins, resulting in positive investment into single sign-on technologies.

There is of course an acknowledged difference in regard to outcomes achieved by the investment in single sign-on, as opposed to that addressing the user account management and maintenance process.

The case for single sign-on technology is an easier one to make, given that proper implementation of these technologies delivers easily quantifiable and perceptible end-user benefits.

By comparison, encryption and identity and access management technologies are largely administrative tools that typically require a greater level of investment of resources at the requirements qualification stage. Despite there being some important and not insignificant downstream benefits to end users delivered with these technologies, these are perhaps not so easily recognised and qualified.

Information Governance Culture

What the previous examples serve to demonstrate is that currently business cases to support technology investments for information governance achieve greater priority, if the outcome involves deliverables that are materially beneficial to operational end users.

Negatively, this reflects there to be a gap in correlating the benefits of making technology investments to deliver improved information governance capability, with that of any consequential and positive effect delivered downstream. In particular service quality improvements, achieved through better use of operational systems and development of information services.

In addressing this, an organisation needs to perhaps first acknowledge that the burden of responsibility and accountability for compliance and good practice shared by all employees in any organisation. This can be a factor that consequently has the potential to undermine the organisations efforts to improve information quality.

  • Compliance requirements can be perceived s complex, daunting and presented in a manner that creates concern rather than assurance,
  • Staff consequently lack confidence to challenge ways of working and identify shortcomings in the use of systems, policy, process and / or procedure,
  • Information Governance becomes an information inhibitor, in the worse cases encouraging staff to limit the amount of information recorded on work activities.

The information on staff activities recorded across the various operational systems employed in the delivery of care, provides the organisation with a valuable profile that can help identify shortcomings in the use of systems, and importantly a baseline on the extent and range of information recorded.

The same information that can help identify where an organisation should be targeting efforts to make savings and efficiency gains, and in the not too distant future, the measures by which commissioners and patients will be making their choices for which service from which provider they use.

Organisations now need to consider staff culture and perception in regard to the role and value of information governance, to ensure information governance is not just considered a policing tool.

Instead, investment in capability should also be cultivating acknowledgement and support from staff in the capacity for information governance to assist in the identification of poorly maintained and supported information resources.

The past challenge in determining by what means or with what catalyst the change to an organisation information governance culture could be instigated, is now resolved thanks to recent advances in technology.

Organisations through exploitation of these technologies can create the environment within which development of staff culture and information resources are developed into the valuable business assets required for the “information revolution” to come.

The method to address the shortfall in information on the £20bn of annual health expenditure identified by the National Quality Board, inevitably set to become an aspect of intense focus and an area trusts will be required to address.

A significant governance technology example?

Privacy auditing technology solutions are a good example of a technology addressing key points raised in this paper:

  • Technology that delivers significant reductions in the level of resource effort and investment required, not just in validating the levels of compliance achieved across operational and information systems, but also in ensuring these are maintained going forward.
  • A solution by which organisations can identify poorly maintained / utilised information assets, and key areas of risk.
  • The method by which a measure of staff information governance culture, awareness and attitudes can be ascertained, identifying staff development and training needs.

With a thorough understanding of the use of information assets, organisations can quickly address information governance risk issues, and requirements to facilitate better use of systems supporting the development of information assets, that underpin future cost savings and efficiency gains.

In the first task of obtaining information on the use of the many disparate business and clinical applications, Privacy audit technology can provide the widest auditing support with turnkey solutions working with over 100 existing health applications, new applications are added very easily.

With the privacy audit centralised all required reports on operational systems access verification, with full details of user interactions with medical records can be more readily available, produced through either pre-built reports or if required, custom reports. Within a very short space of time organisations would not just be forensic ready, but instead forensically capable in the management and audit of electronic health data.

The solution can then be rapidly utilised to easily demonstrate a reliable and proactive approach being taken by trusts in the management of private and sensitive electronic information. It is also technology that serves the end user too, through the assurance on their activities working with electronic health systems, gaps in knowledge and capability can be identified, and then addressed through training and education, encouraging the workforce to become more accomplished and resourceful in their use of the information systems available.

The development of staff information governance culture is facilitated by the development of user confidence, with mistakes or inappropriate business practices being detected and corrected before becoming an issue for the user and the organisation concerned.

Business benefits to the organisation looking ahead are significant, with the ability to pro-actively detect and resolve electronic governance issues, significantly reducing the negative business impact and consequential costs incurred. At the same time developing a user community with a greater understanding and appreciate in the use and value of the information systems estate.


Utilised correctly information governance technologies like privacy audit deliver benefits that extend well beyond just assessment of toolkit requirements, even beyond the implementation of a reliable and robust sensitive patient data management solution.

Privacy audit represents arguably the best catalyst and mechanism by which change to organisation culture and better perceptions on the value of information assets and governance investments, underpinning development of service quality whilst the NHS grapples with the savings to be made, with:

  • Better information; 
  • A better informed organisation;
  • Better decision making capability;
  • Better outcomes for the patients.

The restoration and development of public confidence for the NHS handling of private and sensitive data very quickly put onto a positive footing.

Future investment in solutions increasing the availability of patient health information assured with public support delivered by the confidence that this data is managed properly by the NHS and utilised only on a need to know basis.

Leave a Reply

Your email address will not be published.