Leslie Stevens

Dangers from within?: Looking inwards at the role of maladministration as the leading cause of health data breaches in the UK

Despite the continuing rise of data breaches in the United Kingdom’s health sector there remains little evidence or understanding of the key causal factors leading to the misuse of health data and therefore uncertainty remains as to the best means of prevention and mitigation. Furthermore, in light of the forthcoming General Data Protection Regulation, the stakes are higher and pressure will continue to increase for organisations to adopt more robust approaches to information governance. This chapter builds upon the authors’ 2014 report commissioned by the United Kingdom’s Nuffield Council on Bioethics and Wellcome Trust’s Expert Advisory Group on Data Access, which uncovered evidence of harm from the processing of health and biomedical data. One of the review’s key findings was identifying maladministration (characterised as the epitome of poor information governance practices) as the number one cause for data breach incidents. The chapter uses a case study approach to extend the work and provide novel analysis of maladministration and its role as a leading cause of data breaches. Through these analyses we examine the extent of avoidability of such incidents and the crucial role of good governance in the prevention of data breaches. The findings suggest a refocus of attention on insider behaviours is required, as opposed to, but not excluding, the dominant conceptualisations of data misuse characterised by more publicised (and sensationalised) incidents involving third-party hackers.

The Proposed Data Protection Regulation and Its Potential Impact on Social Sciences Research in the UK

This article critically assesses the potential impact of the proposed Data Protection Regulation on the undertaking of social sciences research in the UK, providing practical analysis from the perspective of research involving administrative data. This assessment reveals how changes to the key concepts of anonymisation, personal data and lawfulness may impact upon social sciences research. The approach taken to the regulation of personal versus anonymised data in the proposed Regulation represents a disproportionate and de-contextualised response to the risks involved in undertaking social sciences research that may create disincentives for investing in privacy protective mechanisms. It is positive that there is explicit recognition of research as a legitimate form of data processing. However, negative implications will arise from the introduction of pseudonymous data as a subset of personal data, without proportionate consideration of varying processing contexts and factors surrounding de-identification and specifically, the strict security measures taken to prohibit deidentification in the research context.

The other side of the coin: harm due to the non-use of health-related data

ABSTRACTObjectivesIt is widely acknowledged that breaches and misuses of health-related data can have serious implications and consequently they often carry penalties. However, harm due to the omission of health data usage, or data non use, is a subject that lacks attention. A better understanding of this other side of the coin is required before it can be addressed effectively. ApproachThis article uses an international case study approach to explore why data non use is difficult to ascertain, the sources and types of health-related data non-use, its implications for citizens and society and some of the reasons it occurs. It does this by focussing on issues with clinical care records, research data and governance frameworks and associated examples of non-use. ResultsThe non-use of health-related data is a complex issue with multiple sources and reasons contributing to it. Instances of data non-use can be associated with harm, but taken together they describe a trail of data non-use, and this may complicate and compound its impacts. Actual evidence of data non-use is sparse and harm due to data non use is difficult to prove. But although it can be nebulous, it is a real problem with largely unquantifiable consequences. There is ample indirect evidence that health data non-use is implicated in the deaths of many thousands of people and potentially £billions in financial burdens to societies.ConclusionThe most effective initiatives to address specific contexts of data non-use will be those that are cognisant of the multiple aspects to this complex issue, in order to move towards socially responsible reuse of data becoming the norm to save lives and resources.