What will it be like to work in the Centre of Excellence?

Blogpost from Stephen Curtis, Director of the Centre of Excellence

Now that we are formally live, the Centre of Excellence enters a very exciting phase. Over the coming weeks we will be starting our recruitment campaign: a crucial stage in the development of the Centre. The staff will have a number of vital roles. Firstly, they will support local areas in their information sharing work. Central to this is understanding how services are being transformed locally, and the role information plays in helping to deliver this transformation and provide better services for people.

Secondly, the staff will need to help to identify the barriers to Information sharing. Many people think these are primarily legal or technical, and there is no doubt that there are legal and technical issues. However, local areas will often have people who understand the legal and technical issues, so the staff of the Centre of Excellence will play a crucial role in helping to unpick other barriers.

  • Is it clear what information needs to be shared?
  • Have the services defined why the information or data needs to be shared?
  • Do they know what they are going to do with it?
  • How will it help the service user?
  • Has anyone spent time working on these questions?!

Working through these sorts of questions will help the local area unpick the underlying issues with information sharing. It will also help tease out whether there are any national issues that need to be tackled. Are there real legislative barriers? Does there need to be reassurance given about information sharing through communication? The evidence of what is happening ‘on the ground’ will help us to influence what happens at the national level.

hands planting seedling

Getting our hands dirty. Image courtesy of Pink Sherbet Photography (flickr Creative Commons)

So the roles are very hands on. We’ll be ‘getting our hands dirty’ with the nitty gritty of what’s happening on in localities. And crucially, writing up, sharing and disseminating what we are learning. We’ll have support for all this – from Government Departments who are engaged in our Steering Group, and from academics who have formed an advisory panel to work with the Centre. Over the coming weeks, you’ll be seeing a lot more about our recruitment. You’ll already have picked up that they are challenging roles. But we believe they will be fulfilling. We want to ensure that people are put at the heart of service transformation, and information sharing is central to making that happen.

Centre of Excellence for Information Sharing officially launched

Earlier this week, on the auspicious day of April 1st, the Centre of Excellence for Information Sharing officially came into being.  The Centre, which is a partnership between central and local government, builds on the work originally started by the IISaM project, but expands it across the whole of England.  We’ll also be working on a range of policy areas – wherever the transformation of public services relies on information sharing to succeed.  In order to do that, over the next few months, we will be recruiting; if you think you might want to get involved (we’re open to secondments, part time or short term roles), why not drop us a line?  It’s an exciting time to get involved!

It’s also an exciting time over at the Public Service Transformation Network – not least with the launch of their new website.  We work closely with the Transformation Network, providing information sharing support to their 13 local areas as they understand the needs in their area, and redesign their services accordingly.  The Transformation Network themselves also had announcements to make this week, including the news that there is a further £410 million to distribute to local areas to accelerate their transformation plans, and the announcement that an independent Service Transformation Challenge Panel is being set up, to advise on what needs to happen locally and nationally to support transformative work.

Of particular interest to those of us with an interest in information is the launch of the Cost Benefit Analysis framework, which allows local areas to consider the financial impact of their proposed changes, and the Evaluation guide.  We know how hard it is to measure the impact of changes to services on the lives of service users – that becomes even more tricky when you want to evaluate the contribution of information sharing to making that happen.  So one of our key activities for the coming months will be to capture more case studies and stories from the areas we work with, to help build an evidence base on the role of information sharing.

Forging a new approach to academic collaboration

Over the lifetime of the IISaM project, we were lucky enough to work with a range of academics from different backgrounds. In Bradford, Sue Richardson brought her perspectives on the differing systemic influences on information sharing behaviour (such as professional identity, and regulatory regime). She shaped that into a series of multi-agency workshops which gave participants the chance to explore differing attitudes to sharing.  In Greater Manchester, the team of academics behind the Framework for Multi Agency Environments (FAME) worked with a local partnership to help them explore practical steps in their service design work.  And in Leicestershire, the local partnership built on their longstanding association with Mark Hepworth from Loughborough, who led the process to develop a capacity-building e-learning module on sharing information.

As we move towards the launch of the Centre of Excellence, we are taking those relationships forward, developing new ones, and working out how to establish the most effective governance in the longer term.  So today, we are up in Newcastle with those participants, and others, to develop an ‘Academic Advisory Panel’. Shaped by the team and our academic colleagues, we envisage that it will sit alongside the Centre’s governance routes, providing input, insight and independence throughout.

We’ve already benefited as individuals from the reflection and context that working with academics provides, so as the Centre grows its team, we are putting some structure around that for new staff.  The evidence we gather from local places can be used to inform their work, and local places could also benefit from new perspectives and emergent academic thinking on information sharing issues.  The expertise and long term perspective of academics will also be useful to the Steering Group, as they give strategic direction to the Centre’s work.

This way of working is not one that is replicated in many other places, so, like much else in the Centre, we are shaping something new.  But it shows how many parties are interested in working on information sharing issues.  A collaborative approach, across central and local government, bringing together policy development, local evidence and academic thinking? The possibilities are enormous!

Information sharing on the ground in local areas

Earlier this week, the Steering Group for the new Centre of Excellence for Information Sharing met to discuss progress towards the Spring 2014 launch of the Centre.  We were pleased to be able to give a really positive update, and you can probably see some of the results of our work starting to appear on the website and Twitter, with a new name and colour scheme now online.  Centre logoOne of the most noticeable developments over the past couple of months has been the enthusiasm across Government departments for the Centre – once the idea came into being, lots of different departments started suggesting we might be able to help them.  We are already set to support the areas within the Public Services Transformation Network, and we’re in discussions around policy areas such as welfare reform, integrating health and social care, and addressing Gangs and Youth Violence.

The main focus for the Centre, however, will be on working with local areas to help them find and implement information sharing solutions.  Next week, two of the team are heading down to Bath and North East Somerset, not just to take the waters, but also to meet with colleagues from the Council and partner organisations as part of a major project they’re working on.  The aim is to make the Council and their partners more ready to use the data that they already hold, to understand who uses their services, and how services might be better designed around their needs.  This means doing quite a lot of work to prepare – things like getting governance right, developing policies and procedures, and working on data quality.

roman baths

Bath’s baths – photo courtesy Swamibu (Creative Commons)

But one of the great things about Bath and North East Somerset is that the change isn’t just happening in isolation – it is being driven by a desire to reform services, such as the support for people who struggle to find sustainable work.  Last month, we were part of a workshop to look at three fictional personas, and explore how they might currently interact with the public sector.  Debt advisers, community mental health practitioners, skills development officers and commissioners all came together to consider how we might do it better, and all of them were talking about how information sharing could support that process – instead of avoiding the conversation, or filing it under ‘too hard’.

workshop photo

Participants consider their options at Swindon’s information sharing workshop

Swindon is another area where information sharing is having an impact.  The team ran a workshop for the Council and its partners, using the work that had already happened about Troubled Families to start a conversation about what the barriers might be to better information sharing, and how we could start addressing them.  The realisation that many of the issues are cultural or organisational (such as lack of resources, concerns about the issues within old IT systems, or worries over how information might be used) was one that is familiar, but it left attendees starting to explore what could already be shared, using their better understanding of how each organisation actually works.

 

Southend’s health and social care information sharing issues, and a trip to the Data Protection conference

We have been busy in the last couple of weeks, talking to people who are working on information sharing issues in local areas.  This time last week, we joined a workshop for Integrated Care and Support pioneers, the 14 areas that are exploring new and innovative ways to deliver joined up health and social care.  Southend described a barrier to information sharing which was preventing partners bringing together data from health and social care organisations for the purposes of planning and designing the new approach, so a team of national experts was dispatched to investigate and feedback at last week’s workshop.  Then on Monday of this week, we were invited to attend the annual Data Protection Conference of the Information Commissioner’s Office, where over 750 DP professionals were gathered to learn about new developments from the ICO and elsewhere.  At both of these events, it was clear that there is a lot of interest in information sharing issues, and in the work of the new Centre of Excellence – unsurprising, really, when you think about the pressures on the public sector at present.  The needs of citizens are changing (for example, with an ageing population); citizens want their public services to be better tailored to those needs (we’re becoming used to Amazon offering us other books we might be interested in!); and the climate of austerity seems set to continue.

The case in Southend was a fascinating one, and one that surely must be replicated elsewhere in the country.  The Health and Social Care Act 2012 created a swathe of new structures to govern and deliver healthcare, with some unforeseen consequences for the flows of information underpinning the system.  When commissioners seek to understand the needs of their local area, there is often a need to bring together datasets from a range of sources – such as the local GPs, the local council, perhaps providers of social care.  Matching those datasets can be a real challenge, and it may rely on using personal information to make that happen – postcode, say, or the name of an individual – before it can be anonymised for analysis.  Under previous legislation, those responsible for commissioning health services were able to access personal information, in order to make that matching possible; but new legislation prevents this.  Commissioners were therefore left with a limited understanding of what services are required locally, to the obvious detriment of local residents.

The expert panel who worked with Southend have been able to demonstrate that the barrier to information sharing was (on this occasion) a real legislative issue, and one which requires – and is receiving – urgent attention.  However, within their report (which you can see online at the ICASE site – registration is required, but it’s free to access), a number of other barriers were also picked up which would be very familiar to regular readers: clarifying the precise aim of the information sharing, in order to specify who needs what and when? Check!  Addressing this kind of barrier doesn’t just involve invoking the enormous amount of information governance expertise which already exists in health and social care – it means bringing those specialists together with commissioners, service designers and those delivering the service, to design the right process.  This is exactly the kind of work that the Centre of Excellence will specialise in; and we’ll be capturing what we learn as case studies and evidence, to share here on the website.

It is this way of working that created such interest at the Data Protection Conference (and not just the bowls of sweeties adorning our stand).  The conference attendees told us that they are often in a reactive position – a request for information arrives, and they need to respond.  But the way we work in the public sector is changing, and they often need to share their expertise and get involved at a more strategic level.  The IISaM project gave us great insight into the issues that are emerging in the local areas who are radically reforming the way they do things, and that stands us in good stead for the introduction of the new Centre of Excellence.  So we will be working over the coming months to consider how the Centre, and all of the other professions who need to involved in information sharing, can support leaders and practitioners to make information sharing everybody’s job, rather than nobody’s job.

 

 

What does care.data mean for information sharing?

What a difference a week makes.  The rain abates, and the floods are no longer top story on the news.  If your front garden (or front room) are still soggy or submerged, you’ll still be thinking about the floods, but it is no longer a priority for most of the British public.  In the two weeks since we last blogged about care.data, the debate around the introduction of the system has grown, with the latest news being that NHS England has delayed roll out for six months.  If you dip into twitter, or read comments under online articles (perhaps not the best place to look for considered and unbiased views), there is a huge amount of hostility being expressed to the proposal.  So what can we learn from this, that might help future debates on information sharing?

1.  Don’t expect the public to see information sharing as a good thing, per se.  One of the easiest traps to fall into is to believe that the benefits of information sharing are self evident – cheaper and quicker development of drugs, a better understanding of how the whole NHS system spends its money, more effective treatment for the population, especially those affected by rare diseases.  Then, for those of us interested in whole-system approaches, there is also the opportunity to take a more holistic view of the needs of citizens – sharing information to wrap all sorts of services around individuals and families.  But those benefits need to be articulated, and communicated in a way that is meaningful to people.  The difficulty of getting this right can’t be underestimated – a plain English leaflet, delivered to every household in the country, sounds like it ought to work, but NHS England are now being asked to consider the other approaches available.

2.  Don’t forget the natural (and understandable) scepticism of many of the public.  The sharing of information doesn’t often make the news, but when it does, it is usually because it has gone wrong – personal details have been lost, destroyed or otherwise obscured.  This makes the public sceptical about the safeguards that protect personal information – even if those with a legitimate interest in accessing the data know how robust the safeguards are!  A complicating factor in the care.data debate has been around the issue of whether commercial organisations should be able to access the data.  The majority of medical research is conducted by those organisations, but many people are concerned that their data is being used for commercial gain, rather than the public good.  This leads to calls for the data to be restricted solely for non-commercial medical research, which excludes many of the potential benefits of information sharing with other public services.

3.  Use ‘nudge’ ideas wisely.  Opt out rather than opt in makes sense in theory; it uses inertia for maximum public benefit.  Research undertaken by Ipsos MORI demonstrates that, even when people say they are concerned to protect their personal information, the majority don’t take the basic steps already available to them, such as changing default settings on their computer’s browser.  But it may create a perception that a proposal is being ‘sneaked through’, or that something is happening which the Government would rather you didn’t know about.

4.  Individuals can express differing views on information sharing, depending on who is asking, and what you ask them.  A debate that often surfaces is to what extent the public think their information is already shared, within the health service, or across the public services more widely.  If you work in a local authority customer service centre (for example), you might be able to give plenty of examples of callers asking why they have to update the electoral roll, when the council already knows they live there because they pay council tax!  So when surveys are published which state that a certain percentage of the public are for or against something, we need to be mindful of who has asked what question, of what group.

To return to the flooding, a recent article on the BBC reviewed the recommendations made in Sir Michael Pitt’s report on lessons from the 2007 floods.  Many of the actions had been followed up – flood defences built, environments managed.  But the report included suggestions for what householders themselves need to do to prepare for flooding – having an emergency kit ready, moving sockets up the wall, keeping a stock of flood boards and so on.  The BBC concluded that most householders in flood areas hadn’t taken those actions – the impetus was on the Government to prepare.  If this year’s floods have been a prompt that we all need to take responsibility for preparing for flooding, perhaps the debate around care.data will prompt us all to take more interest in what information is held and shared about us, and what risks and and benefits could result.

Making information sharing work? It’s all about the people

For the last two years, the IISaM project – soon to evolve into the information sharing Centre of Excellence – has been spreading the message that making information sharing successful is all about focusing on the people.  Yes, there are often IT problems.  And yes, real legal barriers do exist – not just the Data Protection Act, but other legislation and regulation.  But time and again, we’ve found that the cultural and organisational issues lie at the heart of what is possible.  Differing priorities, lack of resource, and the idea that information sharing is nobody’s job – those barriers are crucial to address.

Photo of crowd with caption It's all about the people

No doubt, our message has been more openly received because of initiatives such as the Behavioural Insights Team (or ‘Nudge Unit’), who look at the psychological factors in behaviour change.  Books such as Nudge have changed the landscape for everyone who is working to try and improve and transform public services.

So it has been with great pleasure that this message has been seen coming from the departments and agencies we work with.  A recent debate, on the Communities and Local Government Select Committee’s inquiry into Community Budgets, highlighted the importance of information sharing to enabling the transformation of public services, with the Committee Chairman Clive Betts MP saying:

I was pleased that the Government seemed to recognise that data and information sharing is a potential problem. The Secretary of State was quite open in saying to the Committee that he thought that, very often, there were no real legal obstacles to data and information sharing; there was just a presumption that people could not do it. It was more a matter of culture and belief than a real obstacle, so … the efforts to get local authorities and central Government Departments to set up a centre of excellence for information and data sharing are all very welcome, because they do seem to show the Government taking this matter very seriously.

Over at the Public Accounts Committee (who are looking at the programmes which exist to help individuals with multiple, complex problems), discussion of the ESF programme on worklessness and the Troubled Families programme also included the understanding that information sharing is vital to working with people more holistically.  Members of the committee, and witnesses giving evidence (such as Sir Bob Kerslake, below), noted that it isn’t simply about computers or legislation:

To be honest, often the barrier to data sharing is not legal at all; it is cultural.  It is history; it is practice.  One of the big things that the programme has sought to do is test, really, which of these issues – these so-called reasons why you cannot share data – are just down to culture and practice, and which are down to people being inhibited by statutory regulation.

All of this suggests that the Centre of Excellence has an opportunity to make a real impact by supporting information sharing for public service reform.  And we’re already working with local areas to start making a difference – more of which next week.

Health information is making the news

It’s not often that you hear about the things you do at work being discussed in the press (unless you’re a celebrity, I suppose) – and particularly not if you work on information sharing issues.  But in the last few weeks, the topic of sharing health information has been much in the news.  It makes the front page of today’s Guardian (“Police will have ‘back-door’ access to health records despite opt-out, says MP”) and has also been in other articles here, here and here, in comment pieces here and here, and on the letters page.  It was discussed on the Today programme on BBC Radio 4; the ICO have blogged about it.  It was even source material for The Now Show (God bless anyone who manages to make jokes about pseudonymisation).  It seems that the value of health data is beginning to be understood, whilst the legitimate concerns about how it might be used, who might use it, and how it will be looked after are also coming to the surface.

One of the most difficult things when trying to gauge public opinion is that data sharing means different things to different people.  Most often, politicians and public service administrators talk about case by case information sharing – so, Mrs Jones is about to be discharged from hospital after a fall at home, and the housing provider is made aware that Mrs Jones will now need a hand rail, and that it needs to be fitted ready for her return on Tuesday morning.  There’s a scheme in South East Essex called the Single Point of Referral that takes this kind of information sharing a stage further.  In this situation, when Mrs Jones (or her carer or neighbour) has a fall and rings 999, a clinician visits her at home, decides whether she actually needs to go into hospital, and then refers her straight on to receive the kind of support she actually needs (physio to help get her mobile; someone to fit a handrail; visits from the district nurse while she recuperates).  Most people would agree that this kind of information sharing is what we’d all like (though there are contentious issues, even in these kinds of scenarios).

Then there is the type of information sharing that the new service care.data will allow – large scale datasets, being used for analysis and planning.  Much of the debate about care.data was focused on pharmaceutical or insurance companies, using health data to understand more about drug interactions or to develop new treatment approaches.  But in the example above, health information isn’t just being used for health purposes – it’s having an impact on social care.  And health information is vitally important to all sorts of public policy issues: for example, sending someone who has been long-term unemployed to a CV skills clinic might be a complete waste of time if their depression or anxiety means they couldn’t cope with job interviews.  If we know that, on average, 15% of people who have been unemployed for more than 6 months are likely to have mental health issues*, we can design or commission services which help them more effectively.  That doesn’t mean that we want to end up with a list of all those people who are long-term unemployed with mental health issues, it just means we need to be able to cross-reference datasets, in order to understand the scale of the issue and to plan effectively, so that when someone with those needs is in front of a Jobcentre Plus adviser, they can be referred to the service they need.

This kind of cross-referencing and analysis can be managed in such a way as to protect the privacy of individuals, and the controls being put in place by the Health and Social Care Information Centre are very strict – I’ve learnt so much in the last couple of months about how to generate encrypted unique identifiers, and I’ve barely scratched the surface!  But the concerns that individuals have are completely understandable, particularly when it comes to data losses – government, and the NHS, haven’t always had the best record of keeping data safe.

Using health information in ways such as these has the potential to bring enormous benefits, both to people receiving these services, and in making sure that the public money we spend is spent effectively.  But it creates a demand on all of us, to think differently about the value of our information, and about the level of risk we are prepared to accept in return for those benefits.  The information we share with our doctors, social workers or Jobcentre Plus advisers is different to the information we share with Tesco or Google; the benefits we could see are that much greater, as a consequence.  We are fooling ourselves if we think that sharing nothing means there is no risk – so the debate needs to move beyond simply ‘opt in or opt out’, to help us all think through these important questions.

*NB this figure is entirely made up.

The Record of a Christmas Carol

A final festive flourish from Anne Hopwood, Corporate Records Manager at Rochdale Council.  If you’ve enjoyed the series (or used it with your own team or organisation), why not let us know?

It was Christmas Eve and as usual Ebenezer Scrooge the Record Keeper was sitting in his office, feet up on an archive box full of unindexed files, looking at vintage computer games on Ebay.  He hadn’t updated the electronic file management system for 6 weeks because he just didn’t see the point, and he only checked his retrieval requests once a month because he just did not see why people still needed paper files anymore.

Christmas treeWhere did it all go wrong for Ebenezer?  He was a child of the 90’s.  He truly believed that paper was dead and electronic records were the future, so how did he end up here in the paper pit?  He had such high hopes when he started in Records Management; providing sexy new electronic systems that gave you what you wanted at the touch of a button, sending frontline workers out in the community with digital pens, tablet computers and fancy do-it-all smart phones – but here he was, shuffling paper.

Ebenezer was getting warm in the paper filled office and was just beginning to doze when he noticed a bright light under his door.  He was about to approach the door to see what the fuss was about when it was flung back with such force that it almost came off its hinges.  Standing in front of him was a large jolly man wearing a bright blue suit with a great mane of white hair flowing to his shoulders.  Before Ebenezer could say anything, the man said

“Come, come my boy!  Time is a-passing and we must reply to our Data Protection requests before time runs out!”

Before he had chance to say anything at all, the Ghost of DP (for that is who he was) had grabbed his hand, and was leading him down the stairs which Ebenezer was sure had not been there before.

Christmassy street sceneThe ghost took him to an ordinary house on an ordinary street that could have been anywhere.  At first it wasn’t clear what he was supposed to be looking at, but a young man appeared, limping slowly along the street.  The man hesitated at the door of the house, took a deep breath and knocked just loud enough to be heard.  The woman who opened the door bore a striking resemblance to the man, and they spoke for a few minutes.  Then something happened that melted Ebenezer’s heart – they hugged as if they never wanted to let go of each other.  Ebenezer looked in askance at the ghost of DP.

“That’s Tiny Tim.  He is  has been in care since he was a baby.  Last week he got to see his social care file and found out he had a sister.  They have never met before tonight.”

Ebenezer was shocked.  Surely he would have found her if he hadn’t seen his file?  Someone must have known?  The Ghost of DP assured him that this was not the case; Tiny Tim had lost touch with all his foster carers and never knew his family.

The ghost of DP asked Ebenezer to look over his shoulder.  He turned to see the same man sitting alone eating a Christmas dinner for one.  This would have been Christmas for Tiny Tim if he had not found his family.

Ebenezer squirmed inside and thought about the boxes of unindexed care files in his office.  If Tiny Tim’s file had been one of those, he would be spending Christmas alone.

He turned to speak to the Ghost of DP but the street was empty.  Ebenezer started walking down the street, deep in thought, when he fell and twisted his ankle.  He looked at the road and noticed that he’d been felled by a massive pothole.  He looked up just as a woman in a brown flowing dress, with flowers in her hair, and a laugh like sleigh bells on the breeze, reached out to help him up.  She told Ebenezer that she was the ghost of FOI:

“If only Mr Roadcare had got the information he needed when he asked about where the biggest potholes were in the district, his pressure group might have been able to get something done about this one!”

Unfortunately the records he needed were in a paper complaints file that couldn’t be found.  Ebenezer knew why it couldn’t be found; he was using it as a stand for his computer screen and hadn’t bothered to extricate it when he was asked.

Ebenezer puts his head in his hands and feels ashamed of the way he has treated the precious paper files.  When he looks up, he is back at his desk and it’s still Christmas Eve.  Ebenezer knows he has to change his ways.  He now understands the value of his files ; he knows how much easier he can make the lives of the people who need the information they contain.

He starts straight away and indexes the archive boxes around him.  He feels happy that he could now help another 152 people just like Tiny Tim if they wanted access to their files.  Then he extricates the complaints file from under his screen and files it away properly for next time.  Ebenezer then makes a list of all the things he can do to help people know where their files are, what is in them and when they can be destroyed.

Ebenezer truly is a changed man who takes care of the paper files and understands their true worth.  He does such a good job that the Information and Records Management Society ask him to be the keynote speaker at their next annual conference.  This truly is a Christmas miracle!

Huge, huge thanks to Anne for writing all these fantastic Christmas stories.  And a very Merry Christmas to all our readers – see you in 2014!

christmas04

A Christmas disaster – Santa loses his unencrypted database

A festive warning today from Anne Hopwood, Corporate Records Manager at Rochdale Council.  Be not afraid, though, because there’s a cheery message to finish off before Xmas…

All the preparations are over, the deliveries are done and Santa is on his way back to his new workshop for a well-earned rest.  His last delivery was to a family living in Prestwich, and he took some time out to play with their cats and drink the rather large malt whiskey that had been left for him by the kind little girl who lived there.

As he climbed back onto his sleigh, he decided to give Dasher the reindeer a playful pat on the nose as she had been particularly good at keeping the other reindeer in order this year.  He was happy he had promoted her to head reindeer on Rudolph’s retirement.

Santa had forgotten that Dasher was allergic to cats and the fur on his gloves had made her eyes water.  She shook her head and set off back to the North Pole, leading the others quickly and carefully home…until…ACHOO!  Dasher gave a sneeze that shook the sleigh from end to end.

Santa wUp-Up-and-Awayas very worried about Dasher and landed the sleigh on the next available roof to check she was ok.  Dasher and the rest of the reindeer were surprised at the power of the sneeze but were soon laughing and joking again.  As Santa got back into his seat he noticed that his Sleigh Activation Navigation Tool Address (SANTA) database was missing from the dashboard of his sleigh.  He was really worried because he knew that he hadn’t encrypted the database and the names, ages, addresses and some other sensitive information about all the children was now available to anyone who found the SANTA database.

Santa immediately mobilised the Elf Information Rescue Squad to look for the database, and although they looked until dawn they could not find it.  Dizzy the Data Protection Elf was furious with Santa, because she had told him lots of times how important it was to encrypt his database or at least password protect it.  But he just never found the time to get it sorted out; he always said that the children were more important than the technology.  Only now that it was lost did he realise how important it was.

Santa was very sad and very annoyed with himself.  Dasher was distraught because it was her sneeze that caused the SANTA database to fall.  Dizzy was worried because she knew that the ICO would take a very dim view of this loss.

Even though it was now very early on Christmas Day morning, with a heavy heart Santa sent messages to all of the emergency services to keep an eye out for the database.  He also contacted the ICO to tell them what he had done and prepared a message for all the people he had let down.

He found the message very hard to write:

Hello Everyone

I am sorry to tell you that I have lost the SANTA database which contains all of your names and addresses, details of what you got for Christmas and also if you were on the naughty list.  The database is not encrypted or protected in anyway and anyone who finds it will be able to access your information.

I feel terrible about this and cannot apologise enough but it was all my fault.

I have told the ICO who I am sure will have something to say about it and will help me to make sure it doesn’t happen again.

So very sorry, Santa

The ICO had no alternative but to fine Santa for the loss of this unencrypted database, because he had put the children at risk by losing it.  They fined him £150,000 pounds and made him promise to work with them to do better next time.  As if this wasn’t bad enough, the Tooth Fairy (who was going to share his information with Santa next year) decided that he couldn’t be trusted and won’t share his address database with him after all.

Dizzy the Data Protection Elf resigned as she was so upset; unfortunately her CV was tainted by her association with such a high profile data breach and she never worked in Data Protection again.  Dasher lost all confidence and is now reserve reindeer and very rarely flies.

Santa reindeer elfSanta realised that his error had far reaching consequences and now only uses encrypted external media.  He regularly attends ‘Data Breaches Anonymous’ and has become a regular on the conference circuit talking about the dangers of not encrypting information stored on external media.

So remember, the consequences of not looking after information can be more far reaching than you can imagine.

Fear not! Next time: Ebenezer Scrooge the Record Keeper has a ghostly visit…