
Are councillors in Somerset ignoring the wisdom of their auditors?

By Tony Collins

It’s good to see auditors in local government doing their job well – not accepting verbal assurances and seeking proof that all is well with an outsourced system.

But what if councillors apply a lower standard – and accept verbal assurances without checking them?

A strong report by the South West Audit Partnership [SWAP] went to councillors at Somerset County Council’s Audit Committee on 2 July 2015. The report was about problems with an outsourced system, the Adults Integrated Solution [AIS].

Although not the original supplier, IBM has provided AIS to Somerset County Council under a 10-year outsourcing contract/joint venture – Southwest One – that was signed in 2007.

The SWAP report said limited progress has been made in implementing the AIS-related recommendations from its 2012-2013 audit report. It added that:

– AIS performance and response times could be “less than adequate for users’ needs”.

– Southwest One was unwilling to develop a service level agreement specifically for the AIS application.

– “Poor response time has led to the disabling of enhanced audit trails/logs that would make it possible to trace and attribute user activity in the system.” SWAP added that this was “worrying” given that the data involved was “sensitive and personal”.

– SWAP had been refused access to the contract between IBM and Northgate, the original supplier of AIS.

Are verbal assurances worth anything?

Having studied AIS from time to time over 2 years, and spoken to its users, SWAP’s auditors have been reluctant, on some of their concerns, to accept verbal assurances that all is well.

When they have sought documentary evidence to support assurances it hasn’t always been forthcoming.

SWAP said in its latest report:

“Verbal assurances were provided that the ToR for AIS Programme Board had been reviewed and that roles and responsibilities in relation to system ownership had been clarified. However, no evidence was provided to support these assurances.”

Now Somerset’s audit committee has done what its auditors wouldn’t do and has accepted verbal assurances that all is well with AIS.

SWAP’s auditors had expressed a multitude of concerns about AIS. But Somerset’s officers verbally assured audit committee councillors that a single upgrade had solved all the problems.

One officer, in a statement, told Dave Orr, a Somerset resident who campaigns for openness over IBM’s relationship with the council:

“I can confirm that all of the fundamental issues raised through the [SWAP] Audit Report [on AIS] have now been addressed…

“The AIS application is one of the top systems used by local authorities for social care services in the UK. The performance issues referred to in the Audit Report were resolved by a system upgrade.”

Comment:

It’s difficult if not impossible to see how a single upgrade could address all the points SWAP made – such as the lack of a service level agreement to cover AIS or the refusal by IBM to supply a copy of its contract with Northgate.

Whenever auditors produce a hard-hitting report there will be 2 opposing sides: defenders of what’s being criticised and the auditors.

It is up to the auditors to cut through any dissimulation, obfuscation and prevarication to identify what’s going well, what isn’t, and what the uncertainties and risks are.

Auditors would not be doing their job if they always accepted verbal assurances at face value.

But what if auditors are undermined by councillors who readily accept verbal assurances from their officers who wish to defend the suppliers?

A supplier that doesn’t have to provide documentary evidence can say anything in defence of its systems and the quality of service.

Somerset’s councillors are lucky to have auditors as independently-minded as SWAP.

It’s unlikely that SWAP would accept at face value the Somerset officer’s suggestion that because AIS is widely used it’s unlikely to be a poor system.

This would be like Ford saying a particular Mondeo is unlikely to be at fault because thousands of people happily own one.

Every IT installation is different, even if the main software package is widely used. The hardware, network configuration, load on the network, facilities and interfaces installed will render every IT installation unique.

It’s conceivable that every council client of AIS could have a trouble-free service except Somerset.

Are the council’s audit committee councillors gullible to accept verbal assurances about the problems with AIS being solved without requiring proof?

Where does this leave the 775 users of Somerset’s AIS, many of whom may be having to do difficult work in managing vulnerable adults while trying to cope with what may be one of the UK’s worst outsourced systems?

Thank you to Dave Orr for providing information that made this post possible.

Pity the 775 users who use this outsourced council system?

SWAP report on AIS for Somerset County Council’s Audit Committee 2 July 2015

SWAP 2012-2013 audit report on AIS

If an insurer wants your medical records should your GP say no?

By Tony Collins

Pulse reports that the Information Commissioner’s Office is to put questions to Aviva after learning that it has been requesting patients’ full GP records to underwrite some insurance policies.

An ICO spokesperson told Pulse it would be contacting insurer Aviva to ‘understand more’ about their use of ‘subject access requests’ for collecting medical information on patients and ‘how these accord with the [Data Protection] Act’.

Aviva confirmed to Pulse that it has been using the method – with customer consent – for almost 12 months.

In a response to the article, an anonymous GP publishes his practice’s standard reply to such questions from insurers:

“Thank you for your medical records subject access request. We formally decline to undertake this.

“We draw your attention to paragraph “2.12 Access to patient records from insurers and mortgage providers” on page 112 of the ‘Information Governance Review: To Share or Not to Share’ published in March 2013.

“The Panel also heard concerns that insurers and mortgage lenders may seek to use their influence to request whole records from GPs, as a condition of supplying insurance or a mortgage.

“The General Medical Council has issued specific guidance for GPs112 and the British Medical Association and the Association of British Insurers (ABI) have produced joint guidelines 113 to allow relevant data about patients to be shared appropriately with insurers on a basis of explicit, written consent.

“In addition, principle 3 of the Data Protection Act 114 offers further safeguards as it allows organisations to hold only ‘adequate, relevant and not excessive’ personal data about an individual.

“This means insurers and mortgage lenders cannot hold more information about an individual than they need. The act also requires organisations to identify in advance and then request only the minimum amount of data needed for a particular purpose.

“The Review Panel concluded that these guidelines, combined with the safeguards offered by the Data Protection Act offer sufficient to prevent inappropriate sharing of whole records with insurers and mortgage lenders.

“We suggest that you apply for a PMA report in the normal way. Alternatively the patient may apply for a copy of their records having made a pre payment of £50 to the practice and is at liberty to send you any or all of their medical records.

“We cannot guarantee that the patient may withhold part of their medical record. You have a duty not to hold any more information than you require.

“I would like to advise that I believe you to be in breach of the DPA, in particular paras 112, 113 and 114 of the Information Governance Review. If we receive another similar request from your company we will be compelled to report the matter to the Information Commissioner.”