… no – please don’t stop reading, this is more interesting than it sounds!
Somehow, with information governance we have managed to take what is essentially a simple subject and make it incredibly complicated – and boring! (the rather dull conjunction of the words “information” and “governance” doesn’t help).
While there is a lot written, and a lot of training is delivered on information governance, it often comes down to common sense. I always say to people – just imagine that the piece of paper in your hand has your own personal details on it – your date of birth, weight, some operation you had as a child etc. What would you do with it? Would you leave it lying around on your desk? Would you put it in the bin with general day-to-day rubbish? No, of course, you wouldn’t. Treat other people’s personal information as you would want them to treat yours.
The Information Commissioner, who oversees these things, gives details of the enforcement action it takes. It is interesting how frequently the issues are just day-to-day mistakes – documents left in a pub, emails to which someone has hit ‘reply all’, and so on.
Obviously, there are complexities which someone in an organisation needs to know about, but an organisation will only have a truly effective approach to information governance when everyone in the organisation understands that information governance isn’t something clever or obscure, but just common sense. It is about taking care of something in a way that you would hope that they would take care of yours.
Whilst information governance is common sense, there are clearly times when it gets complicated.
Timing and time limits is often a complicating issue with records. A common problem is holding on to information for too long. People tend to have records that have sat around for years. The issues about what to get rid of aren’t necessarily complicated, but it does take time and resource to properly record data when you receive it and to make sure that it is destroyed when you have finished with it.
We recently dealt with a different sort of case. Documents were being deleted too quickly. The case related to rules about the retention of medical records. The problem would have been avoided if people had worked together with their colleagues – the knowledge of what to do was available within the organisation. People just didn’t talk to each other.
The worst information governance case I have seen recently was in a fertility clinic and related to forms establishing the paternity of a child. The forms were generally handled with some care – pretty much in the same way as other medical records. If lost, however, they could ultimately lead to someone losing access to their child. It struck me how much care we (rightly) take over house deeds. Most of us never even see them – we leave it to professionals (our solicitors and banks) to handle them. Yet documents relating to paternity were handed out for the parents to take home and, ultimately, lose. There is a question of proportionality here. It is worth making sure that what you do with data is proportionate to the risk involved. If the accidental release of the data is lifechanging, or the implications of losing something are as big as they are in a paternity case, it is worth taking really good care!
One other thing to think about. Most people think of information governance as being all about rules. The approach is to adopt a set of rules and then spend as much time as possible telling people about them. But I think that a much more iterative approach is better – if people are struggling to follow a rule, maybe it isn’t a very good rule. Take this example. People in an organisation were told to use secure bins to dispose of data. But they were uncomfortable putting pieces of paper with very sensitive information (including mental health records) on them into a box that just sat in the office for a couple of weeks. What if someone broke into the box? So they got their own shredder and shredded the most personal stuff instead. The problem was that it wasn’t a very high specification shredder so shredding things weren’t completely destroying them. If documents had gone into the box they would have been destroyed using a professional shredding machine.
People kept on being told the correct policy, pretended they were listening, and then went back to doing what they thought was best. The trouble is that they were being asked to do something that they saw as counterintuitive. There was a very simple solution. If people had been encouraged to shred things using their own shredder and THEN put it in the secure box, everyone would have been happy. Instead, there was a dialogue of the deaf.
So, I have three top tips for good information governance coming out of these cases:
- Talk to colleagues – who knows, someone might know more than you do
- Be proportionate – pay more attention when the stakes are higher
- When you are designing policies, go with the flow
If your organisation requires any help with information governance, you can contact me at [email protected] or on (+44) 0207 494 5674.