Information Governance review: executive summary

4. What did the review find?

4.1 Main conclusions

4.1.1 The IG landscape in Scotland requires more maturity

The current IG landscape in Scotland is fragmented. This means it lacks the consistency to ensure efficient scrutiny and delivery of health and social care digital solutions, and effective access to, and sharing of, data assets.

The ARMA IG Maturity Index offers a source for benchmarking the NHS Scotland IG landscape and the current National IG Programme. Ratings against this Index show that of the seven IG areas identified by ARMA, authorities, capabilities and infrastructure are the most mature.

IG Maturity can be improved over time using the Scottish Approach to Service Design.

4.1.2 Policies, procedures and processes are inconsistent across the IG landscape.

An IG locus exists in both government and health and care settings, but the IG landscape is significantly complicated.

It is difficult to visualise and manage risk at both local and national level due to inconsistencies in the approaches across organisations. The existing federated IG model in Scotland, with high levels of local autonomy, has led to less standardisation and integration and higher costs. The results are:

• varying interpretation of regulatory frameworks and risk appetites;
• increased synergies through regional clusters, localities and relationships established during the COVID-19 pandemic;
• complex and dynamic data-control relationships; and
• scattered, inconsistent and erratic decision-making routes.

Complicated transparency arrangements make it a virtually impossible task for the general public to engage with IG in health and social care.

Some common IG roles exist across health and care organisations, but there is a need to harmonise the scope of key roles' functions and responsibilities, training and continuing professional development activity, professionalise the IG world and empower people to manage information risk better.

Inconsistencies in policies, procedures and processes across the IG landscape are resulting in frustrations around cross-boundary work.

As part of the IG Review, the NHS Scotland International Engagement Team set up a Five Nations IG Collaboration Group (involving participants from England, Wales, the Republic of Ireland, Northern Ireland and Scotland) to compare and contrast key areas of the IG landscape. All nations have a series of IG structures covering strategic direction, advisory, operational and monitoring functions, but they seem to have highly complex IG landscapes.

IG operations (in areas such as privacy, transparency and ethics) are scattered across a range of different data controllers (Box 3). There are many IG tools, but they can be unfocused, inconsistent, inefficient and insufficient. This inherent complexity results in:

• a fractured and inconsistent route to data;
• missed opportunities for greater interoperability and resilience of information systems; and
• a lack of transparency.

In turn, these difficulties raise the level of overall information risks in the system. They make it difficult to have visibility and manage potentially negative impacts, and lead to missed opportunities for the positive use of data and digital technologies.

Box 3. What are data controllers?

Data protection legislation in the UK defines who is (or becomes de-facto) data controller and data processor. The data controller (such as a health board or a general practice) makes decisions over the "purpose and means" – "why" and "how" the data is processed. Data processors act on behalf and under instruction of a data controller (the level of direction required is not evident within current legislation)^[2]. These are functional concepts, in that they aim to allocate responsibilities according to the actual roles of the parties.

Assessing the existence of joint participation and convergence in the decision-making process is becoming crucial in complex IG settings, such as health and care in Scotland.

4.1.3 Scotland's response to COVID-19 has accelerated IG transformation

More responsive, user-centred services that cover a spectrum of needs are now being developed, primarily in response to the COVID-19 pandemic. The digital and data solutions delivered during COVID-19 have followed the stages set out in an extremely condensed and rapid fashion.

Culture and behaviour, however, remain significant barriers to change. COVID-19 nevertheless has accelerated the digital transformation of health and care and the IG way of working across NHS Scotland and potentially social care. Models used for the COVID-19 pandemic, such as the Data and Intelligence Network (Box 4), ways of scaling up and rapidly delivering telehealth and telecare solutions, and participatory governance used for programmes such as vaccinations (Box 5), should be expanded to other areas.

Box 4. What is the COVID-19 Data and Intelligence Network?

The Scottish Government set up the COVID-19 Data and Intelligence Network to minimise the spread of COVID-19 in Scotland by quickly identifying COVID-19 resurgence, clusters and outbreaks, and detecting co-circulation with winter respiratory viruses. Its remit is to protect vulnerable populations, evaluate the impact of COVID-19 on health, care and society and extend the vision to the National Performance Framework. The COVID-19 Data and Intelligence Network includes local and national health bodies, local government, central government, skills and enterprise agencies, Scottish academia and civil society organisations.

Box 5. IG within the Vaccinations Programme.

A multi-layer governance system was set up for various programmes of work, with the involvement of representatives of data controllers and other key stakeholders across health and care. Decisions over data and information systems converge through joint participation at strategic, tactical and operational levels.