Death by Data Protection: those lethally secure databases

More patients die because their medical record was wrong than because it was not available. More suffering and injustice are caused because police, justice and care records are not fit for purpose than because they are insecure. There is a very old rule of thumb that about 10% of records will have random errors unless entered by those with a vested interest in their accuracy and in a position to know what is correct. That is not the case with the records on many public databases.   

The Audit Commission has just published “Figures you can trust”, a briefing on data quality in the NHS. It is not a hatchet job. That would be far too easy. It is a succinct and readable summary of what needs to be done to make medical records fit for purpose. Because unless the traditional disciplines of data management are applied before records are consolidated, the result can be worse than useless.

Think Tanks spout the mantra of “evidence based policy”. The reality is more commonly “policy based evidence”. Any data likely to be used for resource allocation, let alone performance monitoring, will be systematically massaged before it is passed upwards.

I have sat in on a number of the meetings in the EURIM work stream on Information Governance. The subgroup on “basic principles” found a morass of definitions that confuses rather than clarifies debate and some profound mismatches with regard to priorities and values. I am personally most concerned over the attitude that equates “Information Governance” with “Data Protection”.  

To my mind the objective of “Information Governance” is to have data that is fit for purpose, when and where it is needed. Security and protection are not objectives. They are core parts of the quality control process, alongside checking for accuracy.

Data that is insecure can be accidentally or deliberately falsified. It can also be used in ways that negate the objective: e.g. data used to accredit secure transactions also passed to fraudsters.

But data has to be regularly used and validated if it is to remain fit for purpose. Otherwise it can become out-of-date and useless, like the fingerprints of a bricklayer, the physical address of an itinerant worker or the IP address of a fraudster using a fast flux host.

“Secrecy” and confidentiality are all too often used to mask error and ignorance.

And as for the “power of information” …

“Where is the wisdom we have lost in knowledge

Where is the knowledge we have lost in information”

T S Eliot, Choruses from the Rock  





1 comment

Philip, you are quite right, and in fact are merely restating the law - the fourth Data Protection Act principle: "Personal data shall be accurate and, where necessary, kept up to date."

And if it isn't being regularly used, the data should most likely be deleted anyway under the 2nd, 3rd and 5th principles.