Whose data is it…

Biden vs Faulkner: whose data is it anyway?


Having a common enemy, a common ‘bad guy’, will always help a cause. A figurehead to rally against is one of the best motivators for the creation of a movement. Maybe the Biden vs Faulkner showdown of the last few weeks will be the catalyst for a new lease of life for the patient data movement. If the reports are true, the Chief Executive of Epic, the digital health multinational, may have ignited a new enthusiasm for patient data openness by challenging Joe Biden as to why on earth a patient would want access to their own data.

The conversation is said to have gone like this: Faulkner was amongst a group of healthcare executives gathered together to discuss the Cancer Moon-shot with Biden. The internet-based magazine Politico reported that Faulkner raised questions about the utility of patients being given access to their own health records in a digital format.

“Why do you want your medical records? They’re a thousand pages of which you will understand 10,” she allegedly told Biden.

“None of your business why, I, the patient want access to my information,” Biden is said to have responded. “If I need to, I’ll find someone to explain them to me and, by the way, I will understand a whole lot more than you think I do!”

The culture of digital health organisations in the UK and Ireland has changed so substantially over the last decade that Faulkner’s comments sent many of us into shock. I distinctly remember arriving in Ireland in 2014 and being asked to take part in a patient advocacy roundtable. At this event the gentleman who represented the Parkinson’s patients of Ireland towered over me and demanded that I, “… stop pussy footing around and get my data shared if it means that a cure can be found for this god-awful disease!” His premise was that if I didn’t he would, and he wanted his information now, on a memory stick, so that he could give it to an academic.

In the US we are told that the way the patient portal payment structure was created for meaningful use means that vendors were paid on a ‘log in attempt’ basis. This meant it was in the vendors’ interest to lodge a member of staff in waiting rooms and ‘help’ patients log in to their records, just the once, pretty much taking the meaning of the phrase meaningful use and throwing it away.

We can also think back to the National Programme for IT in the UK and its version of patient access, HealthSpace. I can place a clear reason why that didn’t take off too: it was so very, very hard to authenticate yourself before you could use the service. It required you to visit a library with three forms of ID, to receive a letter with a PIN and then to set up a significant password structure. The drop-off rate before people got to view their records was huge, and understandably so. And yet here we are in 2017 with a new start-up bank, N26, who have the technology to allow you to authenticate who you are with a camera on a mobile phone; from the safety of your own bedroom you can have a bank account up and running in eight minutes! Technology moves quickly and really does allow us to implement the digital health dreams we have.

So there are a few technology examples of Faulkner being right, or at least of the technology not facilitating her being wrong! But now glance over to Finland and Catalonia, two regions that have proven the ideals Biden described for patient access to information to be not just the art of the possible but actually here now: information in the hands of the patient and making a difference to the care being delivered.

The first time I heard the solution that Finland has created to this issue I was in awe; the work is a partnership with Microsoft and shows the innovation and ingenuity of the possible through partnership, clever thinking and a will to put the patient at the centre of what can be done. In Finland the national electronic health record is effectively a set of data that is mirrored to two windows. The first is the clinical EHR, the first place the clinician sees information about their patient, the second window is the patient version of the same, the key difference is the patient can add information to the record via their ‘window’. The patient can add free text or wearable gathered data or home held diagnostic information, the clinician can see this information and decide to add it to the clinical side of the record. The clinical governance of the information is still held with the clinician but the ability is now presented to the clinician for them to value the patient input to the record and move it over to their ‘window’ on the information, thus giving it the clinical validity it deserves.

Suddenly the comment made by Faulkner becomes even more ludicrous; the patient information is not only about them and owned by them but now has real, clinically valid input into the care being prescribed and practised. Let’s not forget that this is the person Faulkner is worried won’t understand the information; they are now an author of some of the information.

The next success story here must be the amazing work that Tic-Salut have done across Catalonia in this area. They have created an eco-system throughout the region that has driven a new type of credibility to the delivery of patient access to information. The proliferation of health apps is huge; in Catalonia the market place for these apps to be released into has been created by the health system itself: an accredited app store for the healthcare system, built to allow patients and clinicians to use health apps with confidence. Unique to Catalonia, though, are the arrangements put in place around the data that these apps can use. If you have an accredited health app, one of the conditions concerns where the data is made available: not just within the app but, in a secure, audited and protected way, for use within the health care system’s own information systems. What Tic-Salut have done here is ensure that the lines between clinical data created by clinicians and the data created or collected by the citizen and patient can be blurred without overloading the clinical team with data; after all, data is only useful when it becomes information.

Then we come to our own projects; in Ireland we have a decade long history of under investment in digital health to first get over to allow patients digital access to information, but, in Epilepsy we are seeing an almost immediate patient impact by having access to information. The patient portal trialled in the delivery of care for patients with Epilepsy has been a huge success for many reasons. First and foremost the portal and its functions have been co-designed by the patients and families themselves, the elements you can do with the portal are exactly what the patient wanted to be able to do. So viewing the clinical note is there as a function that has been seen as being useful but also the new ability to record a seizure, its severity and frequency and type has enabled a new paradigm in the delivery of care.

The ability for a patient to be significantly involved in reviews of medication efficacy through the capture of data has seen around 100 patients come off anti-epilepsy drugs since the portal has been introduced. I have championed digital solutions for the care of epilepsy since coming to Ireland in 2014, largely because of the passion that clinicians and patients, the carers and the special interest groups have shown for what can be done here. I hope that this lighthouse on the art of the possible in Ireland can continue into 2018.

In Ireland we have a plethora of digital health start-ups and new organisations. The Jinga Life team for me are delivering a solution that is a ‘light at the end of the tunnel’ for what can be done in Ireland. A design unlike any I have seen in healthcare, truly a delight to use and see. The concept of Jinga Life is to concentrate on the key member of the family who is ‘tasked’ with the care organisation of the family. In their research over 90% of care is managed and organised by the female in the family. The Jinga Life portal allows the family member a tool to organise that care and to provide new data that can become clinical information to the clinician. Part of the success of the build of Jinga Life is its clinical and patient focus; definitely one to watch and one that I hope will show Faulkner yet again how wrong she is.

In the same week that Ireland launches its Open Data portal this data debate rages on: whose data is it anyway? Much can be discussed here but one thing we do know: it’s not the data of the digital vendors that are out there, and we need to seize back the ability to get at that data. A patient engaged, involved and aware of the information that is used for their care is a patient that can be part of the clinical delivery process, a patient empowered to help themselves.

Prevention or cure?

At a recent event I was presented with a question from the floor that caused me to think harder than I have before about how we treat people in health who need access to technology to support what they do. The story went something like this:

‘I’m a surgeon in training, a cancer surgeon, a surgeon who will on occasion need to look at the word breast on my internet connection in the hospital, and yet, when I do this I am reported to IT and I have to seek permission, regularly, to be able to search for this word. What can you do to change this?’

So, how do we react to that! The work we are doing in eHealth Ireland has a wonderful focus on turning clinicians into fans of technology and yet in this scenario we treat a clinician, a person in a profession that requires a huge amount of intelligence and common sense, like a child. The history of access to digital health data has taught us to be very careful with it; there are ‘bad people’ out there who want to do bad things with information. However, there are better ways to protect information than simply removing access to it. The concept of prevention or cure and which is better I guess applies as equally to information as it does to the health and wellbeing of patients.

As an organisation, we have in the last twelve months invested in the plumbing to enable digital solutions to be made available to clinicians when they come online. Through fear, though, we have then blocked off this plumbing and are stopping clinical staff from making use of what has been done so far, and we need to change this. There is a common analogy used in the delivery of information governance.

‘Why do racing cars have brakes…

… to allow them to go faster!’

The healthcare system in Ireland is starting to invest the time and effort required to give it ‘brakes’ so that it can go faster. However in the interim we need to collectively think through what our starting point is for information governance and identity management.

A key, specific benefit of the eHealth Ireland programme of work is to facilitate the delivery of integrated care throughout the healthcare system; this therefore will require new thinking to evolve on the art of security, identity management and access controls.

What if we looked at the model that has been adopted in a number of European countries whereby access control is monitored by the subject of the record? The public of Lithuania for example have been given the tools to look at their electronic health records and see who has accessed them. They can then personally make a judgement as to whether the clinician had a legitimate reason to access the information. If not then there is a process that swings into action with consequences that are clearly understood by clinician and patients alike.

In Wales a similar tactic has been used, but in the Welsh example the custodian of the access control has a specific resource in each care environment and peer to peer measurement. The shared record clearly identifies the last three accesses to a record therefore allowing a peer to peer belief in the access controls of clinical records.

There are other options. The NHS in the UK has implemented SMART card access to clinical records but still has to have a consent process for patients that many describe as complex. Regardless of the SMART card access the NHS is also required to open up the records and the detail of access to them to the public. In Ireland, we need the consent process for the sharing of clinical records to be as simple and centralised as possible as the delivery of care is dispersed so widely across organisational type and geography. This does make the model that countries like Lithuania have adopted attractive.

Lessons learnt from many countries on the sharing of clinical records alert us to the fact that we have to get this right from day one. We have to understand what the people of Ireland want and attempt to put a solution in place that allows information to be shared efficiently and safely whilst taking on board the needs of the public. Technology and the information related to it has become a commodity for patients and clinicians alike; however, too many healthcare systems have compared the delivery of care to that of booking a flight or internet banking for us to allow that analogy to take hold. We start on this journey knowing we need to consult carefully with the public on what they feel is the best way for this to work and not simply treat health information in the same way as we treat banking information.

Opening up systems as well as data is important. In healthcare we are trying to move to a model where we keep people out of the healthcare system, health and wellbeing being delivered to patients to avoid illness. This is where I would like to get to with the delivery of information governance – that we consider what process we can put in place that allows clinicians to stay safe whilst accessing information they need to provide care to patients, rather than removing access on the chance that they do something wrong.

Delivering identity management is difficult to get right. It is why we will have the Individual Health Identifier and that it is such an important foundation of eHealth in Ireland. We need to be able to manage the identity of patients throughout the system for safety, for governance and for efficiency, on top of delivering a solution that enables integrated clinical care.

The dial tone is an individual identifier. It seemed like such an odd thing for a Microsoft ‘brain’ to say at a recent meeting, but then when you think about it there is so much sense in it. The dial tone you used to hear when you picked up the phone was a noise that identified you, what you were allowed to ring and who you were. This seems like the perfect example of how we have to get identity management right. Like the dial tone, identity management should be there because you are using a digital solution! As we move into the creation of identity services for health this, as a principal goal, will be part of what we are trying to do – make it be there as part of the existence of users in the eHealth eco-system.

The right to have technology support the care delivery is there. The consumerisation of technology and the human right to basic principles like WiFi are starting to be part of the consciousness of patients and public. Knowing this adds even more impetus to us needing to provide solutions to governance and security issues; for example, if a patient is in hospital they should have access to WiFi. By simply having access the care they can receive will be improved as they will feel more ‘at home’ in the setting they are in. We have to put in place an understanding of what can be done with that WiFi without tying ourselves up in knots trying to keep it secure.

As we get closer to the release of the Knowledge and Information strategy we have put the themes within this blog at the foundation of what we intend to deliver.

The Analogies Project does RANT

The Analogies Project has made a difference to the way my organisation thinks about Information Governance and Security!

Given the opportunity to be a contributor with an analogy I jumped at the chance. My first one, ‘Why is Information Governance like car insurance?’ was a labour of love. It seemed to make sense straight away. The second analogy to be submitted was regarding how Information Security could be managed in the same way as the Rosetta satellite is by the space agency team, obvious really!

Then something truly different came along. The RANT conference asked the project if a number of contributors would talk about the Analogies Project live on stage, and in a moment of madness a group of us decided to do Analogies live.

So my live analogy, ‘Why is an Information Security expert like an Ibiza bound Superstar DJ?’, went something like this…

  • Creating a set list without knowing the crowd is one of the hardest jobs of the DJ. Putting the sounds together for the evening’s dancing without being able to see the change of the mood of the ‘revellers’. Just like the Information Security professional who is trying hard to develop tools, processes and solutions that an organisation needs its ‘revellers’ to dance to. Elements that provide the organisation with assurance of its security position. A great DJ has an idea of a set list but is able to change that list if the mood changes as the event builds. A successful Information Security professional is able to use the kit approved and built to protect the organisation but also reach out into the wider world and get at new tools as risks change and escalate.
  • Staying ahead of the new sounds is the route to success for a DJ blowing away a crowd in sunny Ibiza. The Information Security manager has to do the equivalent; has to stay up to date with what is new; what the organisation risks are and what new tools are there to be used to protect and assure the organisation. For the DJ they need to stay aware of the latest trend, the latest artist to be remixed by the most note-worthy producer. The Information Security manager needs to be able to be sure that the latest versions of systems, software and risk analysis are in place and being appropriately used by the organisation.
  • Using new technology but staying aware of the warmth of the old is one of the tasks that a modern DJ needs to have. The Information Security expert needs to mirror this skill, ensuring that tools from yesteryear that still provide protection and are loved by the users are applied just as strictly as the new cutting edge technology that delivers different types and levels of protection.
  • The drop of the hottest new song at the right time is the skill of the DJ. To build the crowd in anticipation and then play the introduction of the song or series of songs that the crowd have been waiting for will make so many people’s night. The Information Security manager also has to know when to drop the right solution or piece of analysis. The Information Security manager that drops too soon can be seen as being on the ‘bleeding edge’, taking risks for the opportunity to be ‘in fashion’. If the Information Security Manager drops too late then the organisation has been left at risk to the latest impactful elements.
  • Where to play and where to advertise can make or break a superstar DJ. The Information Security manager needs to be as aware of this concept as the DJ, ensuring that the engagement and the advertisement of ‘how to’ is targeted at the right levels and for the right customers.
  • The superstar DJ wants to create loyal fans of what he does – his art is to use others’ capability in different ways to attract an audience of his own. To me this is the closest comparison to what my organisation is doing in the information security field. Taking best practice and common practice, pulling ideas together and then ensuring that the organisation can adopt them as easily as possible, creating fans of information security throughout the organisation.

Using an analogy means to me that a concept can be made clear to someone who doesn’t have, and doesn’t need to have, a detailed understanding of the background. The Analogies Project brings a concept home to the reader and hopefully makes the understanding easier and in some cases fun.

Imagine Analogies live, five different contributors delivering the ideas they have for Information Security. Analogies included ranged from Van Halen’s rider on tour to the trenches in 1914 to the desire to purchase high-end shoes. With a range this wide there is always something that strikes a chord and gives the listener chance to apply an entirely different view of how to ‘sell’ the concepts of Information Security.

For more analogies to choose from visit the Analogies Project web site where you will have access to the library of previous ideas.

The year that was…

Reviewing the year, something we should all do to reflect on the success and ensure that lessons are learnt from the elements that could be done differently.

It has been a really busy year; a year that we had been promising the team will enable us to be more considered and reflective in the future, although, as we move to the New Year I know the first quarter is at least as busy as 2013 has been.

So, to break down the key elements, I have collated my highlights on a month by month basis, not because these are the biggest achievements, more because they meant the most to me in some way or because they set us up for the next ‘big thing’ in 2014.

January – We left December 2013 with the vast majority of the contract negotiations with Tribal Education complete and some clarity on how we were going to go about building the Central Portfolio Management System (CPMS), our new system for managing the portfolio of research across the NHS. January saw us chasing our tails to get the contract signed by the highest authority and the final elements of it agreed, not least of which was the governance subsequently put in place to deliver the system.

In January we also took a road trip to NHS Bristol to see how they have implemented their Local Portfolio Management System (LPMS) to deliver the most clinical benefit. It was on the journey back that the bones of LPMS systems of choice (SoC) were built to ensure that wherever possible the same benefits could be delivered across the entire research network, in a system agnostic manner.

February – The NIHR CRN delivered demonstrations of its Information Systems strategy to the rest of the NIHR and partner academia. The key goal was to provide a ‘show and tell’ to enable the rest of the organisation to try to build on the work done at the NIHR CRN. A lesson learnt from this though was simply showing new ways of working or systems does not drive corporate change; we need to keep addressing this to try to achieve the benefits we think we can across the length of the organisation.

We also were able to complete the design phase for CPMS in February, delivered exactly to the planned date agreed in the contract negotiation stage.

March – A big success for us, with the help of Methods Consulting we were able to submit our NHS Information Governance Toolkit submission for the first time and gain a ‘good’ audit result, one that now sets the bar for all subsequent years and allows us to lead the way in how best practice Information Governance can bring about solid improvement to the research journey.

April – For the first time the Information Managers from across the whole Clinical Research Network came together. Being able to do this in Birmingham at the same time as the HC2013 conference enabled not only a great sharing and learning experience but also an element of team building to begin to be ingrained in the structure. The initial seeds of the virtual Business Intelligence Unit were planted and the solution stage of the Open Data Platform (ODP) and relationship with QlikView started.

May – The Senior Management Team of the Informatics Directorate was in need of some time out to build their vision of how we would deliver the strategy that had been jointly developed. A series of sessions to build the team interactions were put in place, not least of which was the opportunity to do ‘Difficult Questions’ Media training with JRR, an experience that taught the team a great deal when it comes to reacting under pressure and working together to build answers.

May was also the month that I managed to get some time away from the office to put the final touches to our wedding plans on the island of Elvissa.

June – The final drafting of the NIHR-wide Information Strategy was completed and approved by the senior team at Department of Health. The governance was altered to reflect this and the whole NIHR Information group could get behind one direction forward that will bring about the most spectacular advances in how clinical research is done in the NHS.

July – Always the month to get to the music festivals and for the first time in quite a few years the sun was out and festivals could be enjoyed lying back and enjoying the music rather than finding a new way to stay dry! Despite the social side of July it was still a busy month, we appointed maternity cover for our Head of Informatics. The team were also able to go live with the first users of ODP in its very early beta stage, testing the benefit realisation and ease of use of the product in a live environment. The user base however was to ramp up extraordinarily quickly even at this beta stage.

I also started writing this blog!

August – The greatest project of my life came to fruition, getting friends and family all to the white island to be there for our wedding! After a year of preparation and planning all went extremely well with lots of happy faces, smiles and great times had by all. Whilst all this was going on the world continued to turn and innovation in disease specific areas continued to bring about benefits. Stroke research in particular discovered a new solution called Capture Stroke, which delivered remarkable benefit to the end site collecting information on patients involved in trials.

September – A focus on the security strategy we need to have in place was an exciting task for the ninth month of the year. Inspired in some part by the two chapter meetings of the Information Security Forum (ISF) in 2014; the Analogies Project presenting at the earlier one in the year and the September meeting being at the spiritual home of computing, Bletchley Park, gave us some great food for thought and enabled us to build on the work we had completed earlier in the year to work through the NHS IG Tool Kit.

October – The NIHR held its Industry Conference, bringing together heads of research from across many Life Sciences partners. I was lucky to be asked to share the stage with leaders from Industry and our CEO to deliver a presentation on the way in which our Information Strategy was coming together to support each and every partner in the delivery of clinical research in the NHS.

Also scheduled for October was a UKTI-led visit to the States with our CEO. A whistle-stop tour, coast to coast, to show the US-based industry teams what we had done and where we were going. A worthwhile visit that has already seen the development of the Reference Data Service (RDS) move from a supporting solution to that of centre stage as industry partners begin to develop connectors for it.

November – The winter started to arrive, but so much later than normal! An invite to the ISF Congress to present on the security of Open Data was an exciting opportunity. At the time I hadn’t realised I would be following Sir Ranulph Fiennes on stage, nor that I would be quizzed about my thoughts on AOL being exposed through access to open data. However despite this we still had a great amount of interest in the concepts of securely opening up data and how we could do it.

December – The end of the year, normally a time to be a little more considered and schedule the planning for the next year, but not for us this year. The first three months of 2014 are going to be about readiness for new systems and readiness for organisational change. So for Information Systems, team planning for a big bang change of multiple systems as we move from March to April in 2014 was the key task for December. Making sure that everyone knows what they are working on and what the priorities are for each team in the first three months has been key to ensuring that everything is ready for that day when we flick the switch and everything starts to work a little differently.

Summary – It has been the best year I have ever had; every month has brought a different challenge, a different opportunity and new experiences. The challenges have been there all year and we have slowly but surely knocked at each one and started to work out how to deliver against it, and we have still enabled some exciting innovations to happen.

And now we simply look forward to 2014 and all that it offers us, a new name for the team and a chance to continue to make a difference.

Open Data is here so how do we do it securely?

Security and research information is a hot topic right now for a number of reasons, not least the transparency agenda and the desire, quite rightly, to be as open as possible about data relating to the conditions and outcomes of clinical trials. However the information security of research data more generally has always been an area that is difficult to quantify. Go back to the excellent ‘The Cuckoo’s Egg’ by Cliff Stoll and there is debate regarding the perceived value of research data:

“… our data was either worth nothing or zillions of dollars. How much is the structure of an enzyme worth? What’s the value of a high temperature super conductor? The FBI thought in terms of bank embezzlement; we lived in a world of research.”

Clinical research is big business. Nations and companies compete to be first to deliver new drugs and treatments to patients. This means the security of clinical research data is under pressure, particularly when juxtaposed with the transparency agenda and our desire to open data up as much as we can to facilitate improved performance through insight derived from information.

But what is open data? The comedy answer is that it is data that is open! But it is as simple as that for our organisation and, I believe, for clinical research data generally. We need to transform the power of open data to make it useful. We need to make open data valuable; to do this we need to show the value that open data creates.

Open data, to our organisation, is:

“…data that can be made use of by anyone within the organisation through analysis, linkages, and evidence based delivery.” 

So, many will say not really open at all then, as we are limiting access to the detailed elements of information to within the clinical research organisation. But, even that is far more open than we have been able to orchestrate in the past and is a starting point for how we begin to open up appropriate information.

Compared to two years ago we have made great strides forward in our ability to be more transparent. For example, apps to enable the public to see what research is underway in the NHS and systems to enable the life sciences industry to track their study throughout the NHS.

The definition of protecting open data stretches beyond the definition of information security. The easiest way to understand how to protect the open data is to break down the principles of what impacts on it:

Content: The what – Information relating to the performance of a clinical trial in the NHS, the resources it uses, the resource it requires and the content of the trial.

Scope: The why – To enable insight from data through the linkage to other data and through the exposure, via business intelligence tools that enable information to be delivered to decision makers.

Policing: The rules – Data relating to competing industry partners shall not be made available other than in aggregate form. Data linkages to other data sources both within the organisation and open data sources can be done by those within the organisation.

Stakeholders: The who – Only bona fide individuals from within the organisation shall have access to the full data set. Decisions to open up further will be taken in conjunction with all stakeholders.

Lifespan: The when – As near real time as possible and clearly identified at the point in time it is from.

Now that these key principles are known, defined and agreed across the business, it becomes much easier to create matching key principles for securing and governing the open data:

Managing the re-use of data. This becomes more important with open data. As the authoring organisation, there is a need to know, and to some degree control, where data is re-used, particularly where data linkages are possible. The implications of reputational damage from the reuse of data need to be managed and the owner or author of open data always needs to be maintained so that data can be traced back to the originator.

Corporate responsibility for the delivery of open data and the governance of it is exercised through the policing of a code of conduct for the use of data. Enforcing outcomes that result from non-compliance becomes a corporate responsibility. The outcome, though, needs to be commensurate with the non-compliance, so the removal of a licence to use the open data could be a balanced response to misuse.

Triggers for the review of the open nature of the data also need to be in place. An external review of data, maybe even an organisation-wide audit, can enhance the definition of open data and the trust in this. As an organisation the NHS has an Information Governance review each year, which we now comply with as an organisation, and as we further enhance our definition of open data we will audit our own open data policies and procedures.

An area of great care that has to be considered is ‘small numbers’. Can linking open data in small numbers break confidentiality and expose identifiers that should remain secure? A policy on the opening up of data relating to ‘small numbers’ has to be created and adhered to.
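The sketch below is an added example, not part of the original post or any NIHR system, showing one way a 'small numbers' policy can be applied to an aggregate release: counts below a threshold are suppressed, and a second cell is hidden wherever a published total would let a reader recover a lone suppressed count by subtraction. The threshold of 5, the region and specialty names, and the participant rows are all assumptions constructed for illustration.

```python
from collections import Counter

THRESHOLD = 5  # assumed policy value; the page does not set one

# Constructed sample: one (region, specialty) row per trial participant.
RECORDS = (
    [("North", "Oncology")] * 42 + [("North", "Neurology")] * 17
    + [("North", "Rare disease")] * 2
    + [("South", "Oncology")] * 30 + [("South", "Neurology")] * 3
    + [("South", "Rare disease")] * 4
)

def release(records, threshold=THRESHOLD, secondary=True):
    """Return ({region: {specialty: count or None}}, {region: total}).

    None marks a suppressed cell. Primary suppression hides counts below
    the threshold. Secondary suppression hides one more cell in any region
    where a single hidden cell could be recovered by subtracting the
    published cells from the published region total.
    """
    table, totals = {}, Counter()
    for (region, specialty), n in Counter(records).items():
        table.setdefault(region, {})[specialty] = n
        totals[region] += n
    for row in table.values():
        hidden = [s for s, n in row.items() if n < threshold]
        visible = [s for s in row if s not in hidden]
        if secondary and len(hidden) == 1 and visible:
            # Hide the smallest visible cell too, to block differencing.
            hidden.append(min(visible, key=lambda s: row[s]))
        for s in hidden:
            row[s] = None
    return table, dict(totals)

def recoverable(table):
    """Regions where exactly one cell is hidden, so total minus the
    visible cells reveals the suppressed count."""
    return [region for region, row in table.items()
            if sum(n is None for n in row.values()) == 1]

if __name__ == "__main__":
    for label, flag in (("primary only", False), ("with secondary", True)):
        table, totals = release(RECORDS, secondary=flag)
        print(label, table, totals, "recoverable:", recoverable(table))
```

With primary suppression alone, the North region's hidden count is still derivable from the published total; the secondary step closes that gap at the cost of withholding one more figure.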

The veracity of open data, and the speed at which open data is created and linked to other data sources, need to be managed and governed. The data that we open up has quickly become a big data set, which requires additional policies and procedures to protect it.

The design of open data security can make or break its implementation. Even the word ‘open’ can cause some issues and certainly there is a nervousness around the concepts of opening up data in any industry, which is why great care needs to be taken to demonstrate the business benefits and clearly communicate the checks and measures in place.

For our organisation the business benefits of a secured open data solution are:

  • Create the ability for “crowd source analysis” of big data
  • Data linkage between other open data, enabling new insight
  • Transparency for stakeholders
  • Data re-use to create an information eco system
  • Improved data quality through the exposure of data

By releasing these benefits the value of open data becomes apparent and the checks and measures in place allow a wider audience to be considered for access to the data. Open data needs to be actionable but also beautiful and simple. Open data creates the power to disrupt, improve and make the world a better place and makes research easier to complete, more quickly, more successfully and at a lower cost.




An expert in the field recently said to me that he was fond of a clinical research ‘reverse adage’: “A month in the lab can save 30 minutes in the library.” He had a recent version of this that he shared: “A year’s worth of a clinical trial can save a day analysing data!”




Implementing Information Governance and Security – A Piece of Cake

The National Institute for Clinical Research (NIHR) Clinical Research Network (CRN) is the clinical research delivery arm of the Department of Health. Today the organisation is governed through around 70 hosting contracts across the NHS; in April 2014 this will reduce to 15 as the CRN implements a transition programme that will simplify the structures for clinical research in the NHS.

Having oversight of Information Governance will be easier, and implementing frameworks that can be adopted for Information Security will become something that can be audited more thoroughly, but with change comes risk: new contracts, new ways of working, new staff and new monitoring arrangements. The organisation funds around 10,000 staff who work on clinical research, and ensuring they have access to training and tools to protect the organisations and participants in clinical research is a huge “piece of cake”.

The organisation is a network of structures and with this in mind we have implemented information governance and security through the availability of:

Best Practice – Ranging from training through to templates for key elements

Steering Groups – Resource structures to provide support to IG leads

Frameworks – Audit frameworks to provide assurance

Enabling the organisation to learn its own lessons in a safe environment has been a goal of the last 12 months. Reducing the risk but allowing each element of the structure to evolve its own SOPs has been important to ensure that each part of the structure has ultimate buy-in. Utilising tools like those demonstrated by the Analogies Project has been particularly valuable when attempting to explain to an academic researcher why Information Security and Governance are so important.

What is the key lesson we have learnt, though, as we move at significant pace towards the new structure?

“If people believe in the outcome they will help implement security and governance.”

We have spent the time explaining why it is important without turning our resource into extras for the Spooks TV series, and now that they understand Information Security good practice, it is becoming second nature. As an organisation we have moved from the Department of Health’s audit tool categorisation of “work to do” to “satisfactory” in 12 months, and this is down to two things: the buy-in and the access to the expertise at the ISF.

All in all, Information Security is all about getting buy-in to eating the piece of cake!