Should organisations share data breach information?

An interesting question put to two commercial CEOs, and one of some relevance for the NHS.

One of the challenges I believe many organisations face is the fact that if they do anything to improve Information Governance capability, the process of doing so invariably exposes issues that have previously gone unnoticed or, worse, ignored.

The NHS policy currently states that anything constituting a breach above a certain level must be disclosed as a Serious Untoward Incident (SUI), which is then made publicly available through Strategic Health Authority (SHA) websites.

When it comes to employing information governance technology, for example identity and access management, compliance management or privacy and confidentiality auditing solutions, inevitably hidden and/or unknown issues are exposed, more often than not with a serious number that qualify as SUIs.

Ironically, being forced to publish information in SUIs creates a fairly significant disincentive for organisations to take positive action by investing in technologies that help improve compliance capability.

I wrote to the NHS Information Governance team at NHS Connecting for Health expressing this concern and asking whether organisations could be granted a SUI publication amnesty for a short defined period, consequently providing time to put the technology to good use. Despite chasing, I unfortunately didn’t manage to secure any response from them on this idea.

As it is, the SUI process is somewhat flawed, in that it is open to a wide range of interpretation; you only have to look at what has been published previously on SUI incidents to see that this is not a satisfactory process as it stands.

I am a supporter of greater transparency and openness in healthcare, but I think it has to be acknowledged that transparency and openness can sometimes be a problem, rather than a cure, especially when the standard for what should be published is interpreted so differently.
