Information governance and the Information Commissioner's expectations

Clarity as to the expectations of the Information Commissioner in relation to data governance can be gleaned by practitioners from the reprimands issued by his office to both private companies and public authorities.

On 7 March 2023, a reprimand was issued against University Hospitals Bristol and Weston NHS Foundation Trust. The Trust lost patient records on the expiry of the Trust’s licence to use an electronic document viewing system. While the Trust had attempted to download all records from the system prior to licence expiry, the download was incomplete meaning that certain patient records were inaccessible.

The Information Commissioner’s Office (ICO) found that the Trust had failed to ensure an appropriate level of security of personal data, resulting in the inaccessibility of personal data relating to 1159 data subjects for a period of almost two years. Following discovery of the issue, the Trust sought to recover the data, but was unable to recover parts of the lost records. The incident resulted in actual detriment to the care of affected patients, with potential for further impacts in the future.

The Trust has since improved its Information Asset Management policy. Such policies, which deal with the erasure, destruction, and other removal of information from an organisation’s systems are often undeveloped. People are forward-looking and tend to focus on new and innovative systems and ways of working, rather than the management of legacy programmes and archives.

The ICO’s expectations for Information Asset Management policies include:

• A decommissioning policy should exist, be implemented and circulated to all relevant staff.
• The decommissioning policy should include a requirement to complete an adequate risk assessment prior to decommissioning a system or allowing a licence to expire.
• The decommissioning policy should include a requirement to review any extract of data to ensure that it is complete and accurate before any system is decommissioned or a licence is allowed to expire.
• The decommissioning policy should allow for any discrepancies that are found to trigger an immediate risk assessment and investigation.
• The decommissioning policy should allow for any discrepancies that are found to be resolved before any system is decommissioned or a licence is allowed to expire.

The ICO also expects that any new or updated policies or procedures will be regularly circulated to staff, and that all case management systems will be regularly risk assessed.

Technology enables the collection, use and control of large datasets, but brings with it regulatory, operational, and reputational risks. Maintaining a sufficient understanding of older systems, including ensuring that your workforce has the skills to manage them is a key part of overall information governance.