A Xenocratic approach to Security. Confidentiality and Data Protection issues for health organisations - legislation, guidance, standards.

Thursday 18 May 2000

The Board Room, Moorfields Eye Hospital, City Road, London, EC1V 2CD


Brian Layzell, Independent Consultant

Gerry Gold, Senior Consultant, Security and Data Protection Programme, NHS Information Authority

Colin Nolder, Principal, Lloyd-Nolder Associates

The Xenocratic approach

Brian Layzell began by explaining that the theme of the three sessions was based upon the concept that security, confidentiality and data protection is an area where health organisations are faced with having to manage their affairs in an environment of being subject to much outside influence and in some cases direction from legislation, from national guidance etc, from national and international standards work and directives, protocols, agreements etc. And from external threats: natural disasters; technical failures; attacks etc. He also agreed that there were of course internal sources of threat as well.

A fundamental premise

Brian continued by describing the fundamental premise on which business continuity is founded viz: underpinned by good information security management and undermined by a lack of it. A definition of what constitutes "good" information security management could be found in BS 7799 which provided both a code of practice and a specification, and it should include four basic requirements viz: Information Security Policy; Contingency and Recovery Plans; Remedial Actions; Awareness Training Programme.

All personal and corporate information is vulnerable!

Vulnerable to attack from internal and external sources eg: copyright infringement. denial of service, eavesdropping, fraud, hacking, misuse by staff or outsiders, natural disasters, sabotage, system failures, theft, vandalism, virus/worms etc. Also vulnerable because of the credibility, financial, legal, personal and professional implications if something goes wrong.


Brian then began the second part of his presentation and introduced the first of the three external influences which were to be addressed. Health information may also be said to be vulnerable because of legislation, and there is a lot of it about!:

70+ Acts of Parliament, Statutory Instruments, Regulations, Orders In Council

23 EU Treaty Articles, Directives, Decisions, Proposals

7 other international agreements and conventions (Council of Europe, UN, WHO)

He explained that some of these were generally applicable (ie not health specific) but others were directly relevant, although in many cases they related to very specific circumstances, which may not be encountered every day. Nevertheless they added up to an extremely complex picture for NHS Guardians, Data Protection and Security Managers as well as Personnel (Human Resource) and Training Departments.

Within the list of legislation which can affect information held by health organisations, there were two Acts which Brian considered worth focusing in on here, because of their direct relevance. He concentrated on just a few salient points on specific issues with implications which may not yet have been fully digested.

Data Protection Act 1998

Apart from the obvious, this Act could have two significant implications for the future direction of healthcare:

cross border transfers:

where data is transferred especially outside the European Economic Area. Elsewhere transfers without explicit informed consent may not be OK. The EU are planning to designate certain countries as having 'adequate' status, but the situation was still unclear. Brian added that transfers can include manual notes about an individual faxed or telephoned to another country with the intention that they will be held on computer or in a structured record filing system.

information security management (BS 7799)

The DPA makes specific reference to the requirement for all data controllers to demonstrate that they have effective information security management in place - and make failure to so do a criminal offence. In the guidance issued by the DPC, certified compliance with BS 7799 is cited as one of the obvious ways of demonstrating conformance with that part of the Act.

Crime and Disorder Act 1998

This Act was relevant to disclosure of personal information and specifically to information sharing between agencies (especially with police) The relevance to health organisations was in terms of transfer of patient identifiable information to other agencies - eg Local Authorities who may well release such information to police as discharge of their responsibilities under this Act to put into place effective strategies to reduce and prevent crime in their areas. Guidance for health organizations was needed.

Proposed legislation

As if existing legislation is not making life complex enough, Brian described three Bills currently going through the legislative process which will have real implications for anyone in health organisations concerned with information. He felt that it was worth highlighting the major areas of concern.

Regulation of Interceptory Powers Bill

  • relevant to email as well as 'conventional' traffic
  • redefines law enforcement/security agencies' powers (phone tapping, email interception etc)
  • relevant to encryption/decryption of encoded traffic
  • will affect the PKI arguments

Electronic Communications Bill

  • Relevant to e commerce as well as other form of electronic communication and gives legal basis for electronic signatures (implements EU Directive)

Freedom of Information Bill

  • relates to information held by all public bodies.
  • extends subject rights of access to personal information to 'unstructured records' - ie records relating to other persons or activities in which an individual might be identified as a third party.
  • provides rights of access to corporate information held by public bodies.
  • gives (wide ranging) grounds on which public bodies may refuse disclosure.

A need for guidance

Brian concluded by stating that because of the amount and complexity of legislation - and in view of some proposed new laws in the pipeline, the management and security of information was becoming even more critical, with the attendant risks of civil litigation and criminal prosecution for failure to get it right.

National Guidance and Policy

Gerry Gold then briefed the audience on action that was taking place centrally, emphasising that the HNS focus was now on dealing with 'risks'. There will be practical guidance on new legislation as well as briefings and warnings about threats and an improved incident reporting system.

A new organisational setting

He described the current national organizational arrangements which followed the NHS Executive's 1998 Information Strategy ‘Information for Health', which had divided the previously existing organisation for the NHS in England into two parts viz:

  • The NHS Executive’s Policy Unit, based at Quarry House, Leeds

setting the standards and dealing with policy issues;

  • The NHS Information Authority, based at Edgbaston, Birmingham

providing the programmes to address and implement the policies.

  • a new national advisory body

He added that new from June 2000 would be the appointment of the new National Advisory Body on Security and Confidentiality. That body would be accountable to ministers, but supported and serviced by the NHS Executive’s Policy Unit - which has a brief to support strategic committees and other groups and the implementation throughout the NHS of emerging UK legislation.

  • policy foundations

He set the foundations and context for current national policy as being in three main initiatives:

  • The Caldicott Committee’s Report 1997;
  • 'Information for Health' 1998;
  • The Data Protection Act 1998.

He described the Policy Unit’s role as being to commission the development of standards, protocols and methods to address those policies.. The Unit is also responsible for the central support arrangements for Caldicott Guardians and their support staff.

PKI for the NHS

Gerry then went on to describe the proposed cryptographic services framework for the NHS, which will be based on the provision of a full Public Key Infrastructure (PKI.) PKI provides a framework by which individuals and organisations can communicate securely.

A change of definition for "protection"

Finally, Gerry reminded the audience that in the past the main focus of the central programme had been just to 'protect information'. With the publication of the Caldicott Report, the profile of the programme had been raised to 'protect patients’ privacy'. Now, it is to 'protect the NHS'.

International Standards

Colin Nolder (who is a member of the British Standards Institute’s Mirror Panel on Security, Confidentiality and Safety, and a Principal UK Expert) described the wider international standards setting process for addressing the issues embodied in the subject content and explained their context and relevance to health organizations in the UK.

He described briefly (with the aid of diagrams and organisation charts) the role of the International Standards Organisation (ISO) and the European Comite European de Normalisation (CEN) and their respective working groups - TC215 and TC251.

The BCS' role

This was but one area of national and international standards activity in which the BCS continues to play a leading role.

Standards are relevant

Colin concluded by observing that although it might seem remote and not really relevant either to people working in a local setting, or to the general public, in fact, it was usually as result of the protracted and sometimes convoluted deliberations in these bodies (in which the UK representatives play a significant part) that standards which become an everyday part of life for those involved with information security are devised, tested, agreed and thus implemented nationally.

The three speakers brought the series of presentations to a close by posing this fundamental question. And went on to answer it by asking the audience to consider the cost of not doing it in terms of the following implications/risks:

Q. Why worry about Information Security Management?

A. Consider cost of doing it V cost of not doing it

  • financial
  • legal - civil litigation/criminal prosecution
  • professional
  • personal
  • loss of public confidence

The simple overall message was that whoever you are, wherever you work, you and your organizations cannot afford not to worry about it!

Security is everybody's business

All of which in turn pointed to a clear need to state the obvious! This is an issue which has to be owned by senior management - but the audience were enjoined to remember that 'security is everybody’s business!'


Perhaps not surprisingly, given the emotive and controversial nature of some of the content of the presentations, there followed a lively and animated discussion involving just about everybody. Although it was not possible to draw any single conclusion from the discussions, it became clear that there was much concern about proposed new powers of law enforcement and security agencies and how new legislation would affect those working in health organisations in terms of addressing any potential conflicts with existing laws and with their obligations of confidentiality.

One overall message seemed to be that there was a lot of confusion for data controllers and data subjects alike and thus there was continuing need for more central guidance and support - and even some direction might perhaps be welcome in this area?