Imillian -

NHS whistleblowers’ anonymity at mercy of inadequate trust IT policies and processes

They were clapped in the streets for their bravery at the height of the Covid-19 pandemic, but some NHS staff who raise workplace concerns are suffering abuse as a result

This article can also be found in the Premium Editorial Download: Computer Weekly: NHS whistleblowers at risk due to poor IT policies

NHS whistleblowers risk being ousted and subsequently persecuted because IT systems and policies at NHS trusts fail to protect their identities after they raise concerns.

There is tribunal-tested evidence of whistleblowers who have been persecuted in NHS trusts. Unless anonymity can be guaranteed, there will be a reluctance by many to come forward with concerns, which can sometimes be a matter of life and death.

The NHS has an internal policy to protect staff who have concerns, known as NHS Freedom to Speak Up (FTSU), which was introduced 2016. But whistleblower identities are often stored in Word and Excel files on NHS trust computers, leaving them open to snooping by senior executives.

All NHS and foundation trusts have a FTSU guardian in post, working to the guidance of the National Guardian’s Office (NGO). FTSU guardians are individuals within trusts who whistleblowers can raise concerns with. These guardians take concerns forward into an investigation and keep the whistleblower informed. At no time will the guardian reveal the name of the whistleblower.

But one former FTSU guardian, who dealt with hundreds of cases over a couple of years at one NHS trust, told Computer Weekly: “There is nothing stopping executives in many NHS trusts looking at computer files about cases.”

He said at the trust where he worked, FTSU information was stored in a password-protected file on a shared drive, to which a senior executive had been given access. “When I was a guardian, a senior executive was under investigation through FTSU. I found out she had contacted the IT department to get access to the Freedom to Speak Up files and had gained access to the investigation files about her.”

When the guardian raised concerns about the executive accessing the information, he was suspended after a counter-allegation was made against him.

The senior executive was not reprimanded.

Another FTSU guardian, currently in the position at a trust that stores the information in a password-protected file on a shared drive, said if a senior trust executive were to approach a junior member of IT staff for access, she doubted they would be refused.

Security in poor health

Computer Weekly spoke to number of well-placed sources about the FTSU policy. The contacts, who wished to remain anonymous, told stories of weak access management and tech security when it came to information made to FTSU guardians, including the identities of those who come forward.

“The problem is that many are storing this information on spreadsheets and in Word documents which can be accessed by people within the trusts,” said one IT professional with detailed knowledge of the FTSU policy.

Read more about whistleblowing

The personal protective equipment shortages, highlighted by NHS staff during the height of the Covid-19 pandemic, is a telling reminder of why whistleblowing in confidence is essential. Unreported problems in the NHS can lead to dangerous inaction.

NHS FTSU followed recommendations from Robert Francis QC in his 2015 Freedom to speak up report. This followed an inquiry which examined the causes of the failings in care at Mid Staffordshire NHS Foundation Trust between 2005 and 2009, where there was a high mortality rate in patients admitted as emergencies. A healthcare commission report criticised the trust’s management, detailing the appalling conditions and inadequacies at the hospital.

The Francis Inquiry looked at the reasons why NHS staff would not make trusts aware of problems that could threaten patient safety. “There are disturbing reports of what happens to those who do raise concerns. Yet failure to speak up can cost lives,” said the report’s introduction.

FTSU is described by NHS Improvement, the organisation that regulates NHS trusts in England, as “a national integrated whistleblowing policy that will help standardise the way NHS organisations should support staff who raise concerns”.

More than 35,000 people have come forward through FTSU in the past three years, some highlighting serious safety issues. According to the National Guardian’s Office, about a third concerned patient safety and 45% were in regard to staff bullying. For all the external whistleblowing to the FTSU, there will be many more concerns raised internally.

Trust is paramount

The success of a policy like this requires trust in the system. An FTSU survey in 2015 of 15,000 NHS staff found that 36.6% overall used their employer’s procedure for reporting concerns. About 20% of those who had never raised a concern said it was because they did not trust the system, and nearly 15% said it was because they feared victimisation.

Good whistleblower policy is vital for the health service, but the technology that underpins it must guarantee privacy for staff if more are to raise concerns.

NHS trusts are given guidance on protecting the identities of people who come forward with concerns, but trusts are left to decide how they meet the guidance, including how they store information.

A Freedom of Information request made to the Epsom and St Helier University Hospitals NHS Trust last year by former NHS consultant psychiatrist Minh Alexander, who campaigns for whistleblower protection, revealed that Freedom to Speak Up data is stored in Excel spreadsheets and Word documents in a trust drive as well as in a dedicated email inbox.

“In the NHS, with a workforce of 1.3 million and thousands of staff concerns raised daily on the assumption of confidentiality, it is horrific to think that some managers could be snooping like Big Brother on their staff's disclosures”
Minh Alexander, former NHS consultant psychiatrist

The trust said it was not possible for any unauthorised individuals to access Freedom to Speak Up case data if they choose not to follow trust policy. “Only authorised personnel can access these files – the two Freedom to Speak Up guardians, and one Freedom to Speak Up advocate,” it said.

Alexander recently launched a petition to Parliament demanding changes to UK law “to protect whistleblowers and the public”.

The Public Interest Disclosure Act 1998 (PIDA) is the law to protect whistleblowers from detrimental treatment by their employer. The petition calls on the government to “…reform whistleblowing law to: require disclosures be acted upon and whistleblowers protected, with criminal and civil penalties for organisations and individuals failing to do so; establish an independent parliamentary body on whistleblowing; and provide easy access to redress”.

Changes to the law must be accompanied by changes to IT systems and access policies, added Alexander. She said the fact that NHS trust executives can access data “makes a total mockery of any notional protected status under the law and makes NHS staff extremely vulnerable”.

“Whistleblower confidentiality, and in some cases anonymity, is critically important in the protection of them and therefore the public interest,” said Alexander.

“Insecure IT systems which are open to abuse of whistleblowers’ personal data and details of their disclosures, or which are even designed with abuse in mind, are very dangerous. They represent a threat to effective investigation of wrongdoing, increase the risk of evidence being dishonestly destroyed, and give abusive employers more opportunity to silence and victimise whistleblowers.

“In the NHS, with a workforce of 1.3 million and thousands of staff concerns raised daily on the assumption of confidentiality, it is horrific to think that some managers could be snooping like Big Brother on their staff’s disclosures.”

The National Guardian’s Office, which provides FTSU guidance, advises that cases should be recorded in compliance with local data, information management and security policies.

How trusts are able to keep information confidential is a matter for them to sort out. The NGO does not have any powers other than to tell trusts how they should do things.

Henrietta Hughes, national guardian for the NHS, who heads up the National Guardian’s Office, said: “The guidance I have issued makes it very clear that speaking up cases should be recorded in a consistent and systematic way; with due regard for confidentiality; and in compliance with local data and information management, and security policies.

“In addition to the data protection issues that would arise from anyone other than the guardian accessing information imparted in confidence, such action would also fundamentally undermine the independence of the guardian role that is a vital component of their job to help make speaking up business as usual in the NHS.”

Computer Weekly asked NHS Improvement whether there were any processes in place, in writing, to stop NHS trust executives accessing Freedom to Speak Up files, and what disciplinary action would be taken against an NHS trust executive who gained access to a Freedom to Speak Up file.

The NHS regulator said: “Openly improving care and working practices is good for patients and good for staff, which is why all NHS executive directors and their teams have a responsibility for creating a safe culture and an environment in which workers are able to highlight problems.

“As well as fostering a supportive learning culture, every member of NHS staff should look to make suggestions for improvement as set out in our Freedom to Speak Up guidance, developed jointly with the National Guardian’s Office, as well as following all requirements for data protection.”

Anonymity-enabling technology

If NHS trusts are to increase confidence for whistleblowers, there are technology and process options available.

Alexei Balaganski, lead analyst at KuppingerCole Analysts, said securing whistleblower policies has to start with a way to enable secure, anonymised communications between whistleblowers and their guardians.

“Ideally, it has to be a tool that’s encrypted end-to-end, does not leave any trail and offers additional anonymisation functions. Obviously, it should not be email or any kind of sharing of Office documents, since those reveal too much metadata about the sender,” he said. “Nothing should be stored on-premise, neither on the guardian’s computer or on any corporate-managed file server.”

“At the very least, people should consider encrypting all their sensitive data using tools which are not governed by corporate access policies”
Alexei Balaganski, KuppingerCole Analysts

He said there were a selection of whistleblowing-as-a-service platforms in the market today. “But if this is not an option, at the very least, people should consider encrypting all their sensitive data using tools which are not governed by corporate access policies.”

But Balaganski added that security tools are worthless when there are no established organisational policies and workflows. “It is also important to remember that company administrators would be able to access a company-managed computer remotely and just copy any files which are currently opened. Thus, again, tools alone without proper training and awareness can be insufficiently reliable.”

For example, passwords can be gleaned through social engineering techniques by managers using their seniority to attempt to gain access.

The former FTSU guardian told Computer Weekly that three years ago he received one-day training to become a guardian and does not recall this including any detail about electronic storage or transmission of information.

Building confidence among staff in the NHS to come forward with concerns is a multi-faceted challenge, with technology a core part, but things are not helped by a tarnished track record.

According to the national NHS staff survey 2019, the NHS is rife with bullying, and staff are reluctant to report it. In the 2019 survey, about 65,000 staff across all trusts said they had experienced some form of harassment, bullying or abuse at the hands of a manager, and more than 97,000 said they had been harassed, bullied or abused by other colleagues – but only 43% of cases were reported. The sample was 540,000, out of a total of just over one million staff.

Unfair treatment of whistleblowers

There are also well-documented examples of whistleblowers being persecuted after coming forward, including being dismissed unfairly. NHS trusts have been taken to tribunals under PIDA, but not before whistleblowers’ lives had been turned upside-down.

In 2016, NHS nurse Linda Fairhall was suspended after 40 years after she raised concerns over safe staffing issues at North Tees and Hartlepool NHS Trust, where she had worked since 1979.

She was suspended and then sacked after trying to start a whistleblowing process. Fairhall successfully challenged her employer’s decision to dismiss her, but the impact of the ordeal left her unable to work. According to a Teeside Live report, a tribunal panel noted the close proximity between the beginning of her whistleblowing process and her suspension.

In 2015, Andrew Smith, a trade union representative and nurse, was dismissed by Mid Essex Hospital NHS Trust after raising concerns. A tribunal found he was unfairly dismissed from the trust for whistleblowing.

In 2011, Kevin Beatt, a cardiologist at Croydon Health Services, was sacked after whistleblowing about unsafe equipment. He won an employment tribunal and was eventually awarded £870,000 in compensation. He was not given protected status as a whistleblower and was instead fired for what the trust claimed was “unsubstantiated and unproven allegations of an unsafe service” amounting to gross misconduct.

Read the petition to increase legal protection for whistleblowers •

Read more on Healthcare and NHS IT

Data Center
Data Management