
December 05, 2007

Lessons from a Disastrous Data Loss in the UK

Posted by Lygeia Ricciardi on December 5, 2007

As we Americans basted our turkeys and mashed our Thanksgiving potatoes, a disastrous data drama was playing out in the UK. Although it doesn’t involve health information specifically, there are several lessons the American or international health IT community can take from it—in addition to giving thanks that we were not involved.

The mishap concerns the loss of several discs containing information related to the administration of government benefits for children—personal details on every family in the UK with a child under the age of 16. That translates into information on 25 million UK citizens, including names, addresses, dates of birth, national insurance numbers, and bank details. The discs were lost in an attempted transfer between two government agencies, Her Majesty’s Revenue and Customs (HMRC) and the National Audit Office (NAO).

As is often the case, the loss involved a combination of high tech elements (eight CDs) and old fashioned sloppiness—the discs apparently “went missing in the post,” as the Brits put it. Ooops. And now, according to a poll described in the (British) Times, 73% of British citizens have lost confidence in their government’s ability to handle confidential data, and 64% claim the blunder calls into question “the basic competence of the Government”.

The problem stems, of course, not only from the initial mistake, but also from poor handling of it. The reality is that mistakes happen, whether in a paper-based or digital context—but we must learn to diminish their number and address their repercussions more skillfully than our friends across the pond have. A couple of key lessons we can take from their experience:

Share only data that is necessary for a particular task. The intended recipients of the data needed records from only 1500 people, not 25 million, and did not need financial data at all. But 25 million people’s financial and other data may be compromised simply because the HMRC neglected to extract a subset of it. According to the BBC, the practice by HMRC of downloading the entire Child Benefit database to share with the NAO for auditing purposes, regardless of what portion was actually needed, began last March, but was made public only in November following investigation related to the lost discs. An email from an official at the HMRC to the NAO around the time the discs were mailed explains, “I must stress we must make use of the data we hold and not over burden the business by asking them to run additional data scans/filters that may incur a cost to the department”. In this case an ounce of prevention would have been worth quite a few pounds sterling of cure.

Technology should follow policy. The point above leads to a bigger one: technologies—whether applications, such as PHRs, or entire network systems—must be designed to support desirable policies or behaviors and discourage undesirable ones. If it had been easier for an HMRC official to download just a few key elements than an entire database, the current mishap could have been much less damaging. The idea that technical design decisions must support policy goals is at the core of the Markle Foundation’s Common Framework, which proposes guidelines to inform the development of regional and other networks for health information sharing. According to the Markle framework, health information should be stored in a decentralized configuration to minimize the use and abuse of large repositories of data like the UK’s Child Benefits database. In practice that means that patients’ medical records should be controlled by the doctors, patients, or others who create them, not the government or a RHIO.
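To make the two lessons above concrete (share only what a task needs, and build the tool so that the minimal path is the easy path), here is an added example written for this post; it is not code from HMRC, the NAO, or the Markle Foundation. The register layout, the field names, the "audit_sample" purpose and the four sample records are all constructed for illustration. The export function takes an explicit list of record ids and a named purpose with a field allow-list; there is deliberately no "export everything" entry, so producing a full dump is harder than producing the subset the recipient asked for.

```python
"""Data-minimizing export for a data-sharing request (added illustration)."""
import hashlib
import json

# Constructed sample register: every field a full dump would have carried.
# Values are made up; no real person or account is represented.
FULL_REGISTER = [
    {"record_id": 1001, "name": "A. Example", "address": "1 Test Lane", "dob": "1999-01-02",
     "national_insurance_no": "QQ000001A", "bank_sort_code": "00-00-00", "bank_account": "00000001"},
    {"record_id": 1002, "name": "B. Example", "address": "2 Test Lane", "dob": "2001-03-04",
     "national_insurance_no": "QQ000002B", "bank_sort_code": "00-00-00", "bank_account": "00000002"},
    {"record_id": 1003, "name": "C. Example", "address": "3 Test Lane", "dob": "2003-05-06",
     "national_insurance_no": "QQ000003C", "bank_sort_code": "00-00-00", "bank_account": "00000003"},
    {"record_id": 1004, "name": "D. Example", "address": "4 Test Lane", "dob": "2005-07-08",
     "national_insurance_no": "QQ000004D", "bank_sort_code": "00-00-00", "bank_account": "00000004"},
]

# Field allow-list per recipient purpose (hypothetical). An auditor checking a
# sample of claims gets identity and date of birth only; no bank or NI data.
# There is intentionally no purpose that unlocks every field.
PURPOSE_FIELDS = {
    "audit_sample": {"record_id", "name", "dob"},
}


class MinimizationError(ValueError):
    """Raised when a request would release more than its purpose allows."""


def minimal_extract(register, purpose, requested_ids):
    """Return only the requested rows, projected to the fields allowed for the purpose.

    Both arguments are mandatory: no purpose means no fields, and no id list
    means no rows, so the whole-register dump is not something this function can do.
    """
    if purpose not in PURPOSE_FIELDS:
        raise MinimizationError(f"no field allow-list defined for purpose {purpose!r}")
    if not requested_ids:
        raise MinimizationError("an explicit list of record ids is required; "
                                "whole-register export is not offered")
    wanted = set(requested_ids)
    allowed = PURPOSE_FIELDS[purpose]
    return [
        {k: v for k, v in row.items() if k in allowed}
        for row in register
        if row["record_id"] in wanted
    ]


def transfer_manifest(extract, purpose):
    """Record what was released: purpose, row count, field names and a payload hash.

    The manifest is what the sender keeps; it answers "what exactly went out?"
    without holding a second copy of the data.
    """
    payload = json.dumps(extract, sort_keys=True).encode()
    return {
        "purpose": purpose,
        "records": len(extract),
        "fields": sorted({k for row in extract for k in row}),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def verify_received(extract, manifest):
    """Recipient-side check that the package received matches the sender's manifest."""
    payload = json.dumps(extract, sort_keys=True).encode()
    return (len(extract) == manifest["records"]
            and hashlib.sha256(payload).hexdigest() == manifest["sha256"])


if __name__ == "__main__":
    # Auditors ask for two specific claims; they receive two rows of three fields each.
    sample = minimal_extract(FULL_REGISTER, "audit_sample", [1001, 1003])
    manifest = transfer_manifest(sample, "audit_sample")
    print(json.dumps(sample, indent=2))
    print(json.dumps(manifest, indent=2))
    print("recipient check:", verify_received(sample, manifest))
```

The design choice worth noticing is that the sender never has to decide to strip bank details; the allow-list decides for them, and a request that names no purpose or no records fails rather than defaulting to everything. The manifest does not protect a package that goes missing in the post, but it does let both sides state precisely how many records, and which fields, were at risk.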

When you make a mistake, own up to it. There’s nothing unique to IT about this point. Prime Minister Gordon Brown, however, claims the fault for this error rests primarily with “officials not following the rules rather than ‘systemic’ failures at HMRC”. Meanwhile the HMRC Chairman resigned on November 20th, and a 23-year-old HMRC junior official is being suspended pending disciplinary action. The government is telling citizens potentially affected by the data loss to watch their bank accounts for any “irregular activity,” but the government hasn’t fully taken responsibility for the mistake or sufficient action to counter the widespread public concern it has caused.

The UK data blunder serves as a reminder that you cannot (especially in a health context) be too careful in protecting people’s privacy or in gaining and maintaining their trust. Readers of this blog who develop PHRs or related services should strive not just for elegant technical solutions, but for systems that make it easy for users to minimize risks.

One other thing—lest we get too high on our American horse, the US certainly has a lot to learn from the UK and its European neighbors concerning data protection. There are open questions about whether the blunder described above actually broke any data protection laws. Regardless, the UK and EU have much better legal frameworks to build on in this area than the US does, and our policymakers would do well to emulate them in some measure.

For deeper discussions of privacy and its implications in the PHR context, keep an eye out for an electronic primer on privacy to be released by Project HealthDesign later this month—subscribers to the PHD listserv or this blog’s feed will get an email alert when it becomes available.
