For anyone whose job involves handling people’s personal data, November 2007 was a month to remember. It was then that chancellor Alistair Darling announced to Parliament that HM Revenue & Customs (HMRC) had lost detailed data about a whopping 25 million people – everything from their name, age and address to, in some cases, their bank details.
In the weeks and months that followed Darling’s announcement, many organisations across both the public and private sectors owned up to similar data security failures. Every public body looked carefully at its procedures – and that meant some serious thinking at the NHS Information Centre’s Leeds HQ.
Healthcare data is often extremely private, yet unfortunately the NHS has had its share of data loss scandals: a check revealed that nine trusts have lost more than 160,000 patient details, for example. And the NHS Information Centre handles a vast amount of delicate info: the centre collects and analyses data on everything from GP earnings and the effectiveness of breast cancer screening to patient complaints and the performance of ambulance services, before feeding it back to trusts and health care commissioners and managers.
Clare Sanderson started work as the Information Centre’s director of information governance just a few months before the HMRC story broke. “Clearly, that had a massive impact on organisations like ours,” she recalls. “After HMRC’s [data] loss, it became all-too-apparent just how easy it is for mistakes to be made.
“It’d be fair to say that we upped our game”, she says, adding: “It is not that we weren’t doing things right in the first place. It just gave us a bit of a wake-up call. Even with the right policies and procedures in place, you still need to always be on your guard.”
At the Information Centre, staff are largely dealing with anonymous data – records that have undergone “pseudonymisation” so that only those with the right clearance can find out the identity of the patient. In some cases, explains Sanderson, it is not possible to draw any conclusions from the data without knowing these details – in order to track a patient over time, for example – and such access is controlled through a system of smart cards and secure servers. When data is moved, it is encrypted and sent by an approved courier; the HMRC’s loss famously occurred when unencrypted disks went missing in the post on their way to the National Audit Office.
Sanderson believes that the NHS is in a slightly better position than many other public sector bodies. “The NHS has always had a far better respect for information than perhaps other organisations have had,” she claims. “We have always had it emphasised to us how sensitive health information is.” Therefore, she says, when the Information Centre reviewed its systems post-HMRC, it did not find itself wanting. “We just needed to continue as we were, but also become a little bit more aware.”
Still, not all of the NHS has fared so well: the Information Commissioner has had to issue enforcement notices and warnings to various health trusts. Just last month, after a computer containing patient details was stolen from a hospital, Salford Royal NHS Foundation Trust had to promise to make sure computers are placed in restricted areas and secured to desks, and to encrypt laptops. The assistant information commissioner, Mick Gorrill, said he was “increasingly concerned about the way some NHS organisations are failing to securely hold people’s health and personal information”.
Sanderson says there is plenty of anecdotal evidence to suggest that all is not quite as it should be: “There are many NHS organisations that may not be as aware of the problems and the pitfalls and the risks as we are.” As she explains it, the situation of those handling data at the coalface – the doctors, nurses and administrators whose focus is treating patients, and for whom data is a by-product – is quite different from that of the people whose sole responsibility it is to manipulate that data.
“They are in a different environment,” says Sanderson. “We all have to balance risk against getting business done and, clearly, getting business done for them is about treating patients; that has to be at the forefront of everything they do. They have a slightly different set of risk equations to look at, I guess.”
With such a lot of expertise under the Information Centre’s roof, it is no surprise that it is working with Connecting for Health – responsible for the multi-billion-pound computer upgrade currently being carried out by the NHS – on bringing together all the relevant data-handling standards and best practice examples. “Good practice is all over the place, but it is terribly inaccessible; it takes ages to find it,” says Sanderson. “I’m a great believer in sharing best practice – apart from anything else, if you don’t, you end up with everyone reinventing the wheel. What a useless waste of time – and, worse than that, you will have some square wheels.”
One major repercussion of HMRC’s data loss was the damaging effect it had on public confidence in the government’s ability to keep data safe – an impact that has affected several large-scale projects such as identity cards, the DNA database, the child safety Contact Point system and, within the Health Service, electronic patient records. When NHS chief executive David Nicholson revealed, post-HMRC, that more than 160,000 patient records had been lost within the NHS, he was at pains to emphasise that the security on the new records system will be “very high”.
Sanderson’s team has been involved in the development of the smart card access systems that will be used to ensure that only the right people have access to patient data on the new records system. Media scare stories have focused on the risks of lost smart cards and included stories of staff sharing log-ins to save time and make their lives easier, but Sanderson dismisses the idea that such reports constitute a “problem”, preferring to describe it as a “very complicated challenge” to make sure the right roles have the right access and functionality.
With any new system, says Sanderson, the important thing is to design it with information governance in mind. “It’s far easier to do it from the start and plan it as you go than put it on top after you have developed the service,” she points out. Whatever the quality of technology, process or management, the real cause of most data breaches is human error, and Sanderson emphasises that individual members of staff have to take responsibility for keeping data safe – on pain of serious disciplinary action. “People have really got to understand that,” she says sternly. “There have been a number of disclosures of information in the NHS and elsewhere recently that have resulted in people being disciplined.”
Sanderson tells me that staff around the office know her face very well, because she spends so much of her time drilling them on the importance of handling data safely. “I’m not joking when I say it is in my staff’s best interests to listen to what I’m saying,” she says. “It’s not just about me protecting the organisation; it is about me protecting the individuals who work here as well.”
healthcare and pharmaceuticals, Data Security, records management
Last updated 1045 days ago by Civil Service World
