Information governance and data security in mental health services

I hope this is something that will be allowed for discussion. I’ll give my own anonymised experience in a bit.

Data security is the business of HMCTS big time as per ‘Tribunals’. All judicial officers are warned repeatedly about the issues. All staff working in mental health services are regularly given mandatory training.

Data sharing is required for cohesive mental health care - as highlighted in the Nottingham inquiry. Nonetheless, data security is inescapably integral to mental health services.

The first big issue is that ‘people’ in mental health services are madly emailing other people at unsecure email addresses, with information that would breach several parts of UK GDPR. How do I know? And madly? I’ve seen it repeatedly over the years, with my own eyes. Yes - that’s my knowledge and experience - not everybody’s.

On one occasion a ward ‘admin’ did it - sent emails to relatives with full PID in an email (unencrypted). I had a quiet and polite word and thought that was the end of it. But no, he accosted me in my office a day later - him shaking with anger - to tell me like it is, that it’s not my place to inform him of the issue - because that’s what he had always done and nobody ever raised a concern.

The long and short of it is that the conversation went the wrong way and I had to put in a complaint, which was swiftly upheld.

But you may have missed it in the above - that despite all the IG mandatory training for everybody, people do what traditions dictate.

So - it happened again in the last few days. As an independent S12 doctor for MHA assessments I had to put an email address on the forms. I don’t have an nhs.net email address or similar. I put an alias address at hushmail. The next thing I know is that I receive 4 emails from various parties: one in Social Services and three from NHS persons. One appeared to be asking for advice on medications and risk management. The next from the other S12 doctor giving advice, and then two updates on where the patient was admitted (hospital and ward). The patient’s full name was in the subject field. The matter has been referred for investigation. [Nothing in the above identifies a patient or a Trust]

Everybody ought to know - or should know - that you simply do not email PID ‘externally’ unless contained in a properly encrypted email. That means content and attachments must be locked with a complex password that cannot be hacked by a Xieve attack in under 3 million years.

Am I alone in the above?

Hi Russell,

You are not alone - sadly, there are multiple reasons why this happens.

The ICO has issued a guide in respect of what to do when this occurs: Personal data breaches: a guide | ICO

Kind regards

Sara

Of course, and each reason has a ‘cause’ of some sort lurking. One can spend a lifetime digging into all that - what a waste of life that would be.

The prime reason why ‘this happens’ is that it’s not personally important enough to individuals. If one knew that a PID breach by unsecured email was at a threshold of immediate dismissal, I dare say that would be personally important. But that’ll remain a hypothetical. Nobody is actually checking on these things, though IT systems can easily spot emails sent to non-secure addresses - in a few lines of code. And now we have AI systems to do that sort of thing very easily.

So the root cause is at the ‘top’ - and then one has to look above the top.

But wait - everybody values the confidentiality of their personal records. Nobody wants to know that their name and recently diagnosed vaginal abscess are on parade on the internet because some fool did the wrong thing with an email that was hacked in transit. Would it be any different for newly diagnosed psychosis? I hope not. So that brings me back to why people would treat other people’s personal data with such scant regard. It’s this simple: because they can get away with it, or maybe get off with a slight slap on the wrist.

What about all the chuntering about ‘rights’, ‘respect’ and ‘dignity’ - just nice buzz words perhaps. It’s the grand hypocrisy of our times. Poor people of very basic means, often lacking in intellectual fortitude, are treated as if ‘unworthy’ - that’s how I perceive it.

I’ll pause there. I had not seen that guide prior to you linking it. Thank you very much. It will form part of my arsenal to be incorporated and referenced in my ‘standard template’. Useful for those occasions when I go into ‘War Mode’, to fight for what is right.
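The reply above says IT systems can spot emails sent to non-secure addresses in a few lines of code. The sketch below is an added example, not part of the thread and not any Trust's actual tooling: it audits an outbound message and lists recipients outside an allowlist when the message is not S/MIME or PGP/MIME encrypted. The allowlist contents, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: domains the organisation treats as secure for patient data.
SECURE_DOMAINS = {"nhs.net"}

def is_encrypted(msg):
    """True if the top-level MIME type marks an encrypted body."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":          # PGP/MIME (RFC 3156)
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # S/MIME: only enveloped data is encrypted; signed-data is not.
        smime_type = (msg.get_param("smime-type") or "").lower()
        return smime_type in ("enveloped-data", "authenveloped-data")
    return False

def insecure_recipients(raw, secure_domains=SECURE_DOMAINS):
    """Return recipients outside the allowlist on an unencrypted message."""
    msg = message_from_string(raw)
    if is_encrypted(msg):
        return []
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    flagged = []
    for _display, addr in getaddresses(headers):
        if not addr:
            continue
        domain = addr.rpartition("@")[2].lower()
        if domain not in secure_domains:        # exact match only, by design
            flagged.append(addr)
    return flagged

# Constructed sample messages (no real people or addresses).
PLAIN_EXTERNAL = (
    "From: ward.clerk@nhs.net\n"
    "To: Relative <relative@example.org>, Colleague@NHS.NET\n"
    "Cc: s12.doctor@example.com\n"
    "Subject: Admission update\n"
    "Content-Type: text/plain\n\nbody\n"
)
SMIME_EXTERNAL = (
    "From: ward.clerk@nhs.net\n"
    "To: relative@example.org\n"
    "Subject: Secure message\n"
    "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n\nMIIB\n"
)

if __name__ == "__main__":
    print(insecure_recipients(PLAIN_EXTERNAL))
    print(insecure_recipients(SMIME_EXTERNAL))
```

The check reads headers only, so it cannot tell whether a plain message carries a password-protected attachment, and it does not inspect the subject line, where the post says the patient's full name appeared.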