Re: Is it time to put down this terminally ill scheme?
>>"All staff with access need to attend privacy training and be aware it's a sackable offense to breach data protection."
In practice, I do not believe this is sufficient for a couple of reasons. I was involved during CfH (Connecting for Health) as it was and was an active part of the pushback from Primary Care community on privacy issues. Apparently I can be extremely annoying so I try to use that power for good. Anyway, on questioning about what would stop someone looking up deeply personal information they weren't supposed to we got the following response (paraphrased):
"Only approved people who have committed to our strict privacy policy will have access to the data".
Sounded great until you realized that "approved people" meant every receptionist at every GP practice in the country, let alone all the other people above and beyond. Oh, and that "strict privacy policy" meant one more page in the pile of barely read documentation you hurriedly sign on your first day and then forget about. In practice, staff turnover can be pretty high and there's a constant churn of low-paid (underpaid, usually) people in and out of hospitals, GP practices, NHS walk-in centres and PCTs (Primary Care Trusts) and contractors... all of whom need access to the very poorly segregated data sets of the system. You can say "make it a sackable offense" but I can say burglary is a criminal one; it doesn't mean that taking all the locks off all the houses isn't a very bad idea.
Which brings us on to audit trails. When we pushed the CfH people on this we were told that access history was auditable. This seemed odd to me because I'd been poking at the system and had come across no audit system. For note, I had been able to access my own medical data at my registered practice (I tested with my own for ethical reasons, but this doesn't make a difference - there was no special permission granted because the name on the account I was using happened to match the name of a patient on a different system). Up came my records. So I pushed on how their audit system worked - what did it log, how could access history be viewed, what events raised alarms and who did they reach? That sort of thing.
After a lot of pressing them, we were told that there wasn't an audit system, they didn't know exactly what data would be kept when there was, there were no current plans for triggering alerts (particularly hard to get a response on that one as they kept saying there were but kept refusing to divulge them, which we took to mean that their "plans" were a line on a document somewhere saying 'we should do this'). And yet we had been told that there was an audit trail in place. They lied. And were nowhere close to being able to turn it into truth, either.
So whilst it may sound all well and good to say "staff need to be aware that it's a sackable offense", what that really means in practice is millions of low-paid, frequently temping staff having full access to your medical history and personal information. And that of those close to you, as well. No-one ever called me up to ask why I was looking up the information of that patient (who happened to be me but could be anyone else) and nor ever would they. And if I had been someone wanting to know who the father of a child was, where my ex-partner was living, why my daughter or son had been to see a GP, if my boss had any interesting items on their medical history or any of a hundred other abuses of that information, nobody would ever know that I knew that from having sat at my NHS computer one day and looked. And they want to throw that open to innumerable people who have no reason to have access.
Data security is not provided by a HR document mass-given to an ever-revolving tide of clerical staff and others. It begins with data segregation and you take it from there.