Should organisations share data breach information?
Updated: Feb 24
An interesting question put to two commercial CEO’s, which is a question of some relevance for the NHS.
One of the challenges I believe many organisations face is the fact that if they do anything to improve Information Governance capability, the process of doing so invariably exposes issues that have previously gone un-noticed or worse, ignored.
The NHS policy currently states that anything constituting a breach above a certain level, must be disclosed as a Serious Untoward Incident (SUI), which is then made publicly available through Strategic Health Authority (SHA) websites.
Ironically a consequence of being forced to publish information in SUI’s creates a fairly significant disincentive for organisations to take positive action, in particular in regard to investment in technologies that help improve compliance capability.
I wrote to the NHS Information Governance team at NHS Connecting for Health expressing this concern and ask whether organisations could be granted a SUI publication amnesty for a short defined period, providing consequently time to put compliance technology into service. Despite chasing I unfortunately didn’t manage to secure any response from them on this idea.
As it is the SUI process is somewhat flawed, in that it is open to a wide range of interpretation, you only have to look at what has been published previously on SUI incidents to see that this is not a satisfactory process as it stands.
I am a supporter of greater transparency and openness in healthcare, but I think it has to be acknowledged that transparency and openness can sometimes be a problem, rather than a cure. Especially when the standard for what should be published is interpreted so differently.