Tuesday, May 22, 2007

NHS Spine to be MTAS all over again?

I'm currently in a bit of shock. Yesterday, Oliver Heald MP asked the Secretary of State for Health "whether a privacy impact assessment (a) has been produced and (b) is planned for the NHS spine project." In an amazing moment of honesty, Caroline Flint said, "No. We do not believe that such an assessment would serve any useful purpose at this stage of the project".

This is truly bizarre. Given the complete and total failure of the MTAS system on grounds of security and information breach, you'd think that they'd learn, wouldn't you? Now some people might see the statement and say "ahh, but she says 'at this stage of the project'", implying that such an assessment will be made in the future.

Security and privacy are, however, things that should be considered at every step of a development life cycle, something which Caroline Flint seems to acknowledge but then dismisses when she says,
The aim of a privacy impact assessment is to ensure that privacy is considered at every stage of a project involving the handling of information, and that action is taken to mitigate against identified risks to the privacy of individuals. While this is clearly a useful tool for many projects where these matters might otherwise be neglected, the need to safeguard privacy and confidentiality is a necessary deliverable of any health record system, and the management of risk in this area has been a core deliverable of the national health service care records service.
Making security and privacy a necessary deliverable is not a replacement for carrying out regular security impact assessments of changes. For a start, a non-operational development environment will invariably be radically different from a production one. Without full security and privacy reviews at regular steps on a large-scale project, you are increasing the risk of being presented with an information security fait accompli on delivery.

The Spine project is already one of the biggest disasters in IT project history, yet for some reason the Government just never seems to admit it.

3 comments:

Old BE said...

Isn't security usually worked out first, not bolted on later?

Anonymous said...

Between this revelation and last month's dismissal by Granger of people like myself as "privacy fascists", it's plain to see they don't give a toss.

Anyone reading this ought to make sure their personal details don't get anywhere near this abomination.

purplepangolin said...

My boss is leaving to take up a (fairly senior) role on this project. Having seen what has happened here I think there is a fair chance that it will be another MTAS.