
Dangers from Within? Looking Inwards at the Role of Maladministration as the Leading Cause of Health Data Breaches in the UK

Chapter in: Data Protection and Privacy: (In)visibilities and Infrastructures

Part of the book series: Law, Governance and Technology Series (ISDP, volume 36)

Abstract

Despite the continuing rise of data breaches in the United Kingdom’s health sector there remains little evidence or understanding of the key causal factors leading to the misuse of health data and therefore uncertainty remains as to the best means of prevention and mitigation. Furthermore, in light of the forthcoming General Data Protection Regulation, the stakes are higher and pressure will continue to increase for organisations to adopt more robust approaches to information governance. This chapter builds upon the authors’ 2014 report commissioned by the United Kingdom’s Nuffield Council on Bioethics and Wellcome Trust’s Expert Advisory Group on Data Access, which uncovered evidence of harm from the processing of health and biomedical data. One of the review’s key findings was identifying maladministration (characterised as the epitome of poor information governance practices) as the number one cause for data breach incidents. The chapter uses a case study approach to extend the work and provide novel analysis of maladministration and its role as a leading cause of data breaches. Through these analyses we examine the extent of avoidability of such incidents and the crucial role of good governance in the prevention of data breaches. The findings suggest a refocus of attention on insider behaviours is required, as opposed to, but not excluding, the dominant conceptualisations of data misuse characterised by more publicised (and sensationalised) incidents involving third-party hackers.


Notes

  1. All websites were accessed on March 24, 2016.

    Alex Matthews-King, “GPs Prepare to Contact Patients Individually as Care.data Is Relaunched in Some Areas,” Pulse, June 15, 2015, http://www.pulsetoday.co.uk/your-practice/practice-topics/it/gps-prepare-to-contact-patients-individually-as-caredata-is-relaunched-in-some-areas/20010215.article#.VX768RNViko; Pam Carter, Graeme T Laurie, and Mary Dixon-Woods, “The Social Licence for Research: Why Care.data Ran into Trouble,” Journal of Medical Ethics, January 23, 2015, doi:10.1136/medethics-2014-102374; Chris Pounder, “Proposals to Expand Central NHS Register Creates a National Population Register and Significant Data Protection/privacy Risks,” Hawktalk, http://amberhawk.typepad.com/amberhawk/2015/01/proposals-to-expand-central-nhs-register-creates-a-national-population-register-and-significant-data.html; Ken Macdonald, “Consultation on Proposed Amendments to the NHS Central Register (Scotland) Regulations 2006 - ICO Response,” February 25, 2015, https://ico.org.uk/media/about-the-ico/consultation-responses/2015/1043385/ico-response-nhs-central-register-20150225.pdf.

  2. With the Data Protection (Monetary Penalties) Order 2010, the ICO could levy ‘monetary penalties’ on data controllers for serious contraventions of any data protection principles under the Data Protection Act 1998 (‘DPA’). ICO, “[ARCHIVED CONTENT] Data Security Incident Trends,” October 19, 2015, http://webarchive.nationalarchives.gov.uk/20150423125423/https://ico.org.uk/action-weve-taken/data-security-incident-trends/; ICO, “Data Breach Trends,” December 22, 2015, https://ico.org.uk/action-weve-taken/data-breach-trends/; ICO, “Data Protection Act 1998: Information Commissioner’s Guidance about the Issue of Monetary Penalties Prepared and Issued under Section 55C (1) of the Data Protection Act 1998,” December 2015, https://ico.org.uk/media/for-organisations/documents/1043720/ico-guidance-on-monetary-penalties.pdf.

  3. As of January 2016, 11 health organisations had been served with monetary penalty notices by the ICO, relating to data breaches between 2012 and 2015 and totalling more than £1.43 million. This includes one ‘Health & Retail and Manufacture’ organisation, Pharmacy 2 U Limited, an online pharmacy which sold more than 20,000 customers’ data to marketing companies without their consent. See: ICO, “Civil Monetary Penalties Issued,” 2016, https://ico.org.uk/media/action-weve-taken/csvs/1042752/civil-monetary-penalties.csv.

  4. Ponemon Institute, “2015 Cost of Data Breach Study: Global Analysis,” 2015, 2, http://www-03.ibm.com/security/data-breach/.

  5. ICO, “Data Breach Trends.”

  6. A reference to ongoing debates over the sufficiency of anonymisation: Paul Ohm, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” UCLA Law Review 57 (2009): 1701–77; Arvind Narayanan and Vitaly Shmatikov, “De-Anonymizing Social Networks,” in 30th IEEE Symposium on Security & Privacy, 2009, https://www.cs.utexas.edu/~shmat/shmat_oak09.pdf; Paul M. Schwartz and Daniel J. Solove, “The PII Problem: Privacy and a New Concept of Personally Identifiable Information,” New York University Law Review 86, no. 6 (2011): 1814–94; Melissa Gymrek et al., “Identifying Personal Genomes by Surname Inference,” Science 339, no. 6117 (January 18, 2013): 321–24, doi:10.1126/science.1229566; Latanya Sweeney and Ji Su Yoo, “De-Anonymizing South Korean Resident Registration Numbers Shared in Prescription Data,” Technology Science, September 29, 2015, http://techscience.org/a/2015092901.

  7. Defined according to the terms of reference in our report. Graeme Laurie et al., “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data” (Nuffield Council on Bioethics and Wellcome Trust Expert Advisory Group on Data Access, February 3, 2015), 30, http://nuffieldbioethics.org/project/biological-health-data/evidence-gathering/.

  8. Throughout this chapter, references to ‘data’ are made with this working definition in mind. Ibid.

  9. For example, health and various demographic data are sought for research facilitated by the UK’s Administrative Data Research Network and similarly under the Farr Institute. Administrative Data Research Network, “About Us,” 2015, http://adrn.ac.uk/about; “About the Farr Institute,” Farr Institute, 2015, http://www.farrinstitute.org/.

  10. The UK’s ICO identifies particular incidents, such as loss of paper files, data being posted or faxed to the wrong recipient, as key areas of concern for the health sector. These incidents were identified and categorised under ‘maladministration’ in the authors’ evidence review. ICO, “Data Breach Trends.”

  11. We reference here ongoing research, guidelines and best practice models of good governance of health data within the UK. Department of Health, “Research Governance Framework for Health and Social Care: Second Edition,” April 24, 2005, http://www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/documents/digitalasset/dh_4122427.pdf; Information Governance Working Group, The Scottish Health Informatics Programme, “SHIP Guiding Principles and Best Practices,” October 22, 2010, http://www.scot-ship.ac.uk/sites/default/files/Reports/Guiding_Principles_and_Best_Practices_221010.pdf; The Scottish Health Informatics Programme, “A Blueprint for Health Records Research in Scotland,” July 10, 2012, http://www.scot-ship.ac.uk/sites/default/files/Reports/SHIP_BLUEPRINT_DOCUMENT_final_100712.pdf; The Scottish Government, “Joined-Up Data For Better Decisions: Guiding Principles For Data Linkage,” November 6, 2012, http://www.scotland.gov.uk/Resource/0040/00407739.pdf; Nayha Sethi and Graeme T. Laurie, “Delivering Proportionate Governance in the Era of eHealth: Making Linkage and Privacy Work Together,” Medical Law International 13, no. 2–3 (June 1, 2013): 168–204, doi:10.1177/0968533213508974; NHS Wales Informatics Service, “Information Governance,” 2015, http://www.wales.nhs.uk/nwis/page/52618; Swansea University, “SAIL - The Secure Anonymised Information Linkage Databank,” 2015, http://www.saildatabank.com/; Swansea University, “SAIL DATABANK - Publications,” 2015, http://www.saildatabank.com/data-dictionary/publications.

  12. The full report is available on the NCOB website.

  13. “Mason Institute, University of Edinburgh,” http://masoninstitute.org/; “Administrative Data Research Centre Scotland,” n.d., http://adrn.ac.uk/centres/scotland; “About Farr Institute @ Scotland,” http://www.farrinstitute.org/centre/Scotland/3_About.html.

  14. “About Farr Institute @ CIPHER,” http://www.farrinstitute.org/centre/CIPHER/34_About.html.

  15. Details on search methodology: Laurie et al., “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data,” 52–57.

  16. A topic explored in a publication devoted to the idea of non-use and the potential impacts of known failures to use data when it may have been in the public interest to do so. Kerina Jones et al., “The Other Side of the Coin: Harm due to the Non-Use of Health-Related Data,” International Journal of Medical Informatics 97 (2016).

  17. Genetic data were considered as a separate category of sensitive personal data, as they are, for example, treated separately from health and biomedical data in the forthcoming General Data Protection Regulation and in the relevant literature. See: G. T. Laurie, Genetic Privacy: A Challenge to Medico-Legal Norms (New York: Cambridge University Press, 2002); Mark Taylor, Genetic Data and the Law: A Critical Perspective on Privacy Protection (New York: Cambridge University Press, 2012); “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),” 2016, http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN.

  18. We distinguished health and biomedical data from ‘human materials’ such as organs, and any associated data, which are regulated within a different context and framework. See: Human Tissue Act 2004; Graeme Laurie, Kathryn Hunter, and Sarah Cunningham-Burley, “Guthrie Cards in Scotland: Ethical, Legal and Social Issues” (The Scottish Government, 2013), http://www.scotland.gov.uk/Resource/0044/00441799.pdf; Graeme Laurie and Shawn Harmon, “Through the Thicket and Across the Divide: Successfully Navigating the Regulatory Landscape in Life Sciences Research,” University of Edinburgh, Research Paper Series 2013/30 (n.d.), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2302568.

  19. On our broader conceptualisation of harm, importantly as including ‘impact’ to individuals: Laurie et al., “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data,” 41–46.

  20. The first nine examples: HC Deb 18 October 1966, vol 734, col. 50.

  21. The rest of this list was later added by: “Parliamentary Commissioner for Administration. Third Report - Session 1993–94. Annual Report for 1993,” House of Commons Papers, 1993.

  22. European Ombudsman, “What Is Maladministration?,” n.d., http://www.ombudsman.europa.eu/atyourservice/couldhehelpyou.faces.

  23. The ICO routinely identifies the following categories of data breach types in its quarterly data breach trend report: loss or theft of paperwork; data posted or faxed to an incorrect recipient; data sent by email to an incorrect recipient; insecure webpages (including hacking); loss or theft of unencrypted device. Furthermore, in its Q2 2015 report, the ICO considers increased media attention to data protection issues and the pressure felt by organisations regarding the forthcoming GDPR (and soon to be mandatory data breach reporting scheme) as a reason for the increase in reported incidents in sectors other than health (where mandatory reporting is already required). ICO, “Data Breach Trends.”

  24. Compare the ICO data breach categorisation by type (Note 23 above) with the broader range we identified from the evidence, which adds: fabrication/falsification of data, non-secure disposal of data, unauthorised retention and non-use.

  25. Including 50 incidents from the hard evidence, 52 in the social media strand and 59 identified in the soft evidence strand. The adjusted total of 153 incidents accounts for eight cases of overlap across the three strands of evidence. See: Laurie et al., “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data,” 166–200.

  26. For example, consider that more than half of the most ‘infamous’ reported data breach incidents in the UK involve hackers or intentional abuse of data, which contrasts with our findings, where data incidents involving non-intentional behaviours were far more prevalent. John E Dunn, “The UK’s 11 Most Infamous Data Breaches 2015,” Techworld, October 30, 2015, http://www.techworld.com/security/uks-11-most-infamous-data-breaches-2015-3604586/.

  27. The Information Commissioner’s Office, “Anonymisation: Managing Data Protection Risk Code of Practice,” November 20, 2012, 22–23, https://ico.org.uk/media/1061/anonymisation-code.pdf; Roland Moore-Colyer, “Hackers Will Target Online NHS Medical Data, Warns ICO,” February 10, 2015, http://www.v3.co.uk/v3-uk/news/2394660/hackers-will-target-online-nhs-medical-data-warns-ico.

  28. The social media strand of the review, conducted on Twitter, identified twenty cases of data theft. Eighteen occurred in the US. Only one occurred in the UK (and one in Zambia). This is in contrast to the overall findings of the report, where negligent behaviour was found to be the primary abuse type. See: Laurie et al., “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data,” 88–89.

  29. Ibid., 67.

  30. Ibid., 77–78.

  31. Ibid., 176, 179, Incident No. EUC6 and EUC11.

  32. Ibid., 170, Incident No. ICOP3.

  33. Ibid., 173, Incident No. ICOM10 and G10.

  34. Ibid., 174, Incident No. ICOM14.

  35. Ibid., 195, Incident No. News16.

  36. Ibid., 66. Incident No. ICOM13, ICOM3/G07, TW25/B4, TW38, ICOM12.

  37. Not least because of the varied level of detail available on each incident and across evidence strands. For example, in the soft evidence (i.e. when examining the grey literature, such as newspapers), the information was often less specific than in the hard evidence (which focused on legal court cases and ICO regulatory reporting). Common sense indicated the interdependency of causal factors, such as between human error and maladministration, but under the methodology a single category was assigned to each incident rather than two or more. Ibid., 20, 113.

  38. Incident No. Inc39-E18.

  39. Incident No. ICOM2.

  40. Again, the categories devised for the review were sometimes quite specific, but also quite broad. A case in point is the category ‘maladministration’. Particularly in the soft evidence strand, there was insufficient evidence to break incidents around maladministration down further (e.g. failure to consider the risks or potential problems, failure to develop suitable systems and procedures). Simultaneously, if we had employed further sub-categories, then many cells in the typology tables would have been empty. This would have implications for the inferences we could make.

  41. We identified 85 counts of maladministration and 23 counts of human error, for a total of 108, which is adjusted by 8 for overlapping reporting of incidents across the evidence strands.

  42. For example: Department of Health, “Report on the Review of Patient-Identifiable Information,” 1997, http://webarchive.nationalarchives.gov.uk/+/www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationspolicyandGuidance/DH_4068403; Department of Health, “Information: To Share or Not to Share? The Information Governance Review,” March 2013, https://www.gov.uk/government/publications/the-information-governance-review.

  43. Incident No. ICOM4 and TW23.

  44. ICO, “Monetary Penalty Notice: North Staffordshire Combined Healthcare NHS Trust,” June 11, 2013, 2, http://webarchive.nationalarchives.gov.uk/20140603223034/http://ico.org.uk/youth/sitecore/content/Home/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/north-staffordshire-combined-healthcare-nhs-trust-monetary-penalty-notice.ashx.

  45. Ibid., 2–3.

  46. Ibid., 4–5.

  47. Ibid., 5.

  48. Laurie et al., “A Review of Evidence Relating to Harm Resulting from Uses of Health and Biomedical Data,” 114–115. See also: “Fax Blunder Leads to £55,000 Penalty for Staffordshire Trust,” ICO, June 13, 2013, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2013/06/fax-blunder-leads-to-55-000-penalty-for-staffordshire-trust/.

  49. Incident No. ICOM13 and News18.

  50. Charlie Cooper, “Thousands of Patients at Risk from NHS Outsourcing,” The Independent, http://www.independent.co.uk/life-style/health-and-families/health-news/thousands-of-patients-at-risk-from-nhs-outsourcing-9799937.html; Centre for Health and the Public Interest, “The Contracting NHS – Can the NHS Handle the Outsourcing of Clinical Services?,” http://chpi.org.uk/wp-content/uploads/2015/04/CHPI-ContractingNHS-Mar-final.pdf; Gill Plimmer, “NHS Brings to a Halt Two Years of ‘Exuberant’ Outsourcing Growth,” FT.com, September 28, 2015, http://www.ft.com/cms/s/0/92059d56-6361-11e5-a28b-50226830d644.html#axzz3z28UbghL.

  51. This references facts reported by the ICO: “Brighton and Sussex University Hospitals NHS Trust Breach Watch,” Breach Watch, 2012, http://breachwatch.com/2012/06/01/brighton-and-sussex-university-hospitals-nhs-trust/; ICO, “Monetary Penalty Notice: Brighton and Sussex University Hospitals NHS Foundation Trust,” June 11, 2013, http://webarchive.nationalarchives.gov.uk/20140603223034/http://ico.org.uk/youth/sitecore/content/Home/enforcement/~/media/documents/library/Data_Protection/Notices/bsuh_monetary_penalty_notice.ashx.

  52. ICO, “Monetary Penalty Notice: Brighton and Sussex University Hospitals NHS Foundation Trust,” 3.

  53. In reference to Incident No. ICOM8.

  54. ICO, “Monetary Penalty Notice: Devon County Council,” December 10, 2012, 5, http://webarchive.nationalarchives.gov.uk/20140603223034/http://ico.org.uk/youth/sitecore/content/Home/enforcement/~/media/documents/library/Data_Protection/Notices/devon_county_council_monetary_penalty_notice.ashx.

  55. Incident No. TW29.

  56. The University of Mississippi Medical Center Division of Public Affairs, “UMMC Administration Notifies Patients of Breach of Protected Health and Personal Information,” March 21, 2013, https://www.umc.edu/uploadedFiles/UMCedu/Content/Administration/Institutional_Advancement/Public_Affairs/News_and_Publications/Press_Releases/2013/2013-03-21/NR_Notice_Breach_Patient_Info_3_21_13.pdf; “Healthcare Data Breach Hits University of Mississippi Medical Center,” n.d., http://www.databreachwatch.org/healthcare-data-breach-hits-university-of-mississippi-medical-center/; “Chronology of Data Breaches Security Breaches 2005 - Present,” Privacy Rights Clearinghouse, 2016, http://www.privacyrights.org/sites/privacyrights.org/files/static/Chronology-of-Data-Breaches_-_Privacy-Rights-Clearinghouse.pdf.

  57. For example: “Remote Access: Flexible Working Made Simple,” N3 Connecting Healthcare, 2016, http://n3.nhs.uk/n3cloudconnect/ConnectAnywhere(remote).cfm.

  58. “Western Health & Social Care Trust,” ICO, July 15, 2015, https://ico.org.uk/action-weve-taken/enforcement/western-health-social-care-trust/.

  59. “South West Yorkshire Partnership NHS Foundation Trust,” ICO, June 3, 2015, https://ico.org.uk/action-weve-taken/enforcement/south-west-yorkshire-partnership-nhs-foundation-trust/.

  60. “Northumbria Health Care NHS Foundation,” ICO, May 11, 2015, https://ico.org.uk/action-weve-taken/enforcement/northumbria-health-care-nhs-foundation/.

  61. The final text of the GDPR was agreed on 15 December 2015 and is to be applied in Member States from 25 May 2018.

  62. For example, note the drastic increase in administrative fines, with the potential for €10–20 million or 2–4% of worldwide annual turnover to be levied depending on the nature of the infringement. GDPR, Art 83.


Author information

Corresponding author: Leslie Stevens.


Copyright information

© 2017 Springer International Publishing AG

Cite this chapter

Stevens, L., Dobbs, C., Jones, K., Laurie, G. (2017). Dangers from Within? Looking Inwards at the Role of Maladministration as the Leading Cause of Health Data Breaches in the UK. In: Leenes, R., van Brakel, R., Gutwirth, S., De Hert, P. (eds) Data Protection and Privacy: (In)visibilities and Infrastructures. Law, Governance and Technology Series, vol 36. Springer, Cham. https://doi.org/10.1007/978-3-319-50796-5_8
