Configuración de la imagen cliente

Issues with policies do not solely exist within the internal context of organisations.

Corporate policies are vulnerable to legislative changes requiring compliance (Orna, 2008). Legislation and national policy relevant to information society issues, amongst which is information security, is referred to as information policy.

According to Orna (2008), governments of all kinds encounter problems in the field of national information policy, caused by power relations, the nature of information itself and economic decisions. Orna states that information policies tend to focus on isolated

topics such as copyright, intellectual property, data protection, or digital inclusion. This fragmentation has left some questions unanswered and new technological developments have raised additional issues.

An analysis of information policymaking in the United Kingdom by Buckley Owen, Cooke, & Matthews (2012) found that the government has no appetite for further bureaucracy and for a single information policy. The researchers interviewed policymakers at the highest level of responsibility. If was found from the interviews that there is no requirement for a national information policy, but instead there is the desire for a greater degree of coordination between policies to ensure that they do not conflict.

Meanwhile, the opponents of information policy state that information policy may have an unintended negative effect on IT innovation and research (Kaiser, 2006; McGowan et al., 2012; Ness, 2007). For instance, existing long-running research into trends and developments of diseases in a certain population is now obstructed by new data protection legislation that does not allow the researchers to continue to analyse the data they have been using for many years. Ness (2007) found in his survey amongst clinical scientists that privacy rules were adding uncertainty, costs and delay to health research and that this makes research more difficult.

It has been suggested that the essence of political and social democracy is at stake without normative information policy (Duff, 2008, 2012). An example is the digital divide between the information rich and information poor, caused not only by the geographical spread of available communication technologies, but also by the socio-economic status of social groups and individuals. Duff argues that policy must address these social structures as well.

Information policy cuts through sectors such as health, environment, or education. In this respect, the current state of information policies within organisations and businesses is directly influenced by the state of the public or national information policy. In contrast to the inter-sectorial character of information policy, the Department of Health published a sector specific information policy for health and social care in 2012. The policy applies to England and sets out the ambitions to realise the potential benefits of information to improve health and care. The policy states that by 2015, it should be normal for patients to have online access to their health and care services records and personalised information to improve their health. Individuals will be able to take part in decisions about their care in a partnership with professionals. Care records will become

the source for all services and to inform research. Confidentiality and security of personal data are promised throughout the policy:

NHS and other care services will share the information about me with all those who need to look after me (with my appropriate consent), will protect my data and respect my confidentiality (p. 14, point 1.9).

Background data about us which can be used to improve our own care – and which, when held securely and with appropriate confidentiality safeguards in place, […] will, wherever possible, be recorded once within our care records and shared across our care (p. 77, point 5.11).

We have a right to use your data, and a corresponding responsibility to […] take all reasonable steps to protect your confidentiality (p. 84, point 5.39).

The report does not explain how the confidentiality and security will be approached or what the exact rules are. Confidentiality is related only to sharing data amongst and between health and care providers. The report promotes less bureaucracy in that respect:

Concerns over security and privacy issues […] can lead to a culture that is overly risk averse and reluctant to share information at all, even where it would improve our care. The NHS Future Forum work has heard the clear message that not sharing information has the potential to do more harm than sharing it (p. 32, point 3.9).

The trend for more open records appears to be international, since Brussels is also consulting on its new Data Protection Regulations, which are built on the utilitarian principle of the greatest benefit for the greatest number (Wyatt, 2012). The UK government is furthermore promoting the idea of Open Data; to have data accessible, without limitations based on user identity or intent and free of restrictions on use or redistribution (Cabinet Office, 2012).

The current state of this information policy does not give grounds for organisations to implement an information security policy and to reach a state of compliance. The tendency to less bureaucracy and the focus on confidentiality only (and ignoring other information goals such as availability and integrity), does not help to improve the difficulties with organisational information security policy. The national policy does not articulate any clear answers or responsibilities for security issues. In fact, it is stated that when data protection and related issues get complicated, “there will be consultation with the Information Commissioner” (p.102), shifting the responsibility and final decision making entirely towards the hands of the Information Commissioner.

Furthermore, the policy implies that in the end, the quality of care and the success of the policy is the responsibility of the patient and service users themselves:

Success will also rely on us as citizens and services users demanding better quality information, greater transparency, conveniences and experiences that meet our expectations of a 21^st century health and care system (p. 15, point 1.18).

The policy does not further explore how citizens are supported to express their demands and what these expectations are.

The Department of Health expects that local health and social care organisations ensure they have appropriate systems in place to use and manage information. Details on how to protect the security of health and care data are not provided and for further support the document refers to the NHS Information Governance toolkit website, which contains examples of how local NHS organisations implemented policies and procedures.

Other types of important information which should fall in the scope of information security and thus in the scope of information policy are not mentioned in the policy.

These types of information include: employee records; intellectual property; software licences; financial data; press releases under embargo; information regarding criminal investigations; and so on. Furthermore, Scotland, Northern Ireland and Wales are not in scope of the Department’s information policy, and they have not published a specific integrated strategy for health information.