NHS whistleblower privacy concerns passed on to regulator, but campaigners not holding their breath

NHS Improvement is looking into criticism of the lack of guarantees of confidentiality for NHS whistleblowers due to inadequate privacy technology and policies, following an investigation by Computer Weekly.

The National Guardian’s Office (NGO), which oversees an NHS programme that encourages staff to speak out if they have concerns at work, sent the regulator questions raised by Computer Weekly over whistleblower identity protection.

These included unauthorised access to files containing information about whistleblowers being made possible because of inadequate IT security and policies. This undermines the NHS’s attempts to encourage staff to inform them if they have concerns about something.

NHS staff are encouraged to raise concerns, which could in some cases alert authorities to dangers to patients and staff, through a policy introduced in 2016, known as NHS Freedom To Speak Up (FTSU). But whistleblowers’ identities are often stored in Word and Excel files on NHS trust computers, leaving them open to snooping by senior executives.

Computer Weekly revealed details of a case in which a senior NHS trust executive had requested and been granted access to confidential files about a complaint against her.

There is a lack of confidence among the designated individuals, known as guardians, at each NHS trust who work directly with whistleblowers on their cases. An FTSU guardian, currently at a trust that stores such information in a password-protected file on a shared drive, said that if a senior trust executive were to approach a junior member of IT staff for access, she doubted they would be refused.

Following Computer Weekly’s report, a spokesman at the NGO, which oversees FTSU, said the organisation could not give details of what it had passed on to the regulator, but he added: “Suffice to say that when we have received information that our guidance for guardians on recording and storing information has not been followed, we have referred the matter to regulators, who have taken action and have ongoing oversight.”

NHS Improvement, which regulates the NHS, has acknowledged the concerns at the highest level. In response to an email from Minh Alexander, a former NHS consultant psychiatrist, requesting details of how NHS Improvement would address the concerns, Harding acknowledged the email and said she had passed the concerns to Tom Grimes, head of advocacy and learning (FTSU) at NHS Improvement.

“Please take this email as acknowledgement of receipt for yours,” said Harding’s email. “I will ask Tom [Grimes] and his team to look into this – we will be in touch in due course.”

Computer Weekly emailed Harding for comment on 16 September with Grimes copied in, but had received no response when going to press.

One former guardian, who alerted the NGO, NHS Improvement and the Care Quality Commission when he found out that a senior trust manager had accessed FTSU files, said nothing was done. “I have no faith in them – they have done nothing for 18 months,” he told Computer Weekly.

Guaranteeing anonymity is essential if the NHS FTSU programme is to be a success. With issues within the NHS involving matters of life and death, staff must be reassured that their identities will be protected.

According to the national NHS staff survey 2019, bullying is widespread in the health service and staff are reluctant to report it. In the 2019 survey, about 65,000 staff across all trusts said they had experienced some form of harassment, bullying or abuse at the hands of a manager, and more than 97,000 said they had been harassed, bullied or abused by other colleagues – but only 43% of cases were reported.

Current methods of storing, sharing and protecting whistleblower files do not fill staff with confidence. Alexei Balaganski, lead analyst at KuppingerCole Analysts, said tools must be encrypted end to end, must not leave any trail and must offer additional anonymisation functions. “Obviously, it should not be email or any kind of sharing of Office documents, since those reveal too much metadata about the sender,” he said. “Nothing should be stored on-premise, neither on the guardian’s computer nor on any corporate-managed file server.”

Henrietta Hughes, national guardian for the NHS, who heads up the National Guardian’s Office, said: “The guidance I have issued makes it very clear that speaking up cases should be recorded in a consistent and systematic way, with due regard for confidentiality, and in compliance with local data and information management, and security policies.”

But Alexander said in her email to Harding: “This is not at all reassuring as it is the very policies of storing highly sensitive material on insecure systems that are in question.”

Alexander told Computer Weekly that she and whistleblower colleagues will continue pressing regulators hard for real evidence “that this truly grave governance failure has been put right”.

She added: “Too often, the government makes superficial claims and promises towards whistleblowers, with little intention of delivering. This shocking systemic mismanagement of whistleblower confidentiality is a fundamental breach of trust, not just with staff but with the public, and we have no intention of letting this matter go.”

And there is good reason to protect the identities of people who speak up. There are examples of whistleblowers being persecuted after coming forward, including being dismissed unfairly. NHS trusts have been taken to tribunals under the Public Interest Disclosure Act 1998, which protects whistleblowers from detrimental treatment by their employer, but not before whistleblowers’ lives have been turned upside down.

In 2016, NHS nurse Linda Fairhall was suspended after 40 years’ service when she raised concerns about safe staffing issues at North Tees and Hartlepool NHS Trust, where she had worked since 1979.

Fairhall was suspended and then sacked after trying to start a whistleblowing process. She successfully challenged her employer’s decision to dismiss her, but the ordeal left her unable to work. According to a Teeside Live report, a tribunal panel noted the close proximity between the beginning of Fairhall’s whistleblowing process and her suspension.

And in 2011, Kevin Beatt, a cardiologist at Croydon Health Services, was sacked after raising the alarm over unsafe equipment. He won an employment tribunal and was eventually awarded £870,000 in compensation. He was not given protected status as a whistleblower and was instead dismissed for what the trust claimed was “unsubstantiated and unproven allegations of an unsafe service”, amounting to gross misconduct.

NHS FTSU followed recommendations from Robert Francis QC in his 2015 Freedom to speak up report. This followed an inquiry that examined the causes of the failings in care at Mid Staffordshire NHS Foundation Trust between 2005 and 2009, when there was a high mortality rate in patients admitted as emergencies. A Healthcare Commission report criticised the trust’s management, detailing the appalling conditions and inadequacies at the hospital.

The Francis Inquiry looked at the reasons why NHS staff would not make trusts aware of problems that could threaten patient safety. “There are disturbing reports of what happens to those who do raise concerns,” said the report’s introduction. “Yet failure to speak up can cost lives.”