In the wake of the missing Revenue and Customs data, Sefton PCT found itself at the centre of a data security scandal. Ingrid Torjesen finds out how to handle a crisis.
As the Treasury was fending off flak over two computer disks containing the personal data of 25 million people that had gone missing from HM Revenue and Customs last November, Sefton primary care trust found itself plunged into a data security crisis of its own.
By mistake the PCT had sent the personal details of its staff to four companies bidding for sexual health services. Three NHS organisations and a not-for-profit body had been given the names, dates of birth, national insurance numbers, salaries and pension details of the PCT's 1,800 employees.
While the data was not lost - and did not include addresses or bank details - and the incident affected far fewer than the Treasury scandal, the timing could not have been worse. The press's appetite for data protection slip-ups was insatiable and journalists were scouring the country for a fresh lapse. It would only be a matter of time before they found out about Sefton.
The media storm hit 10 days after the incident. On learning of the breach, PCT chief executive Leigh Griffin contacted the companies involved and sought assurances that the data had been destroyed. He had written to staff to apologise and reassure them, advising them to change their passwords or contact a line manager if they had any additional concerns. He had also kept union reps well informed.
Anticipating significant press interest, one of the unions, Unite, issued a press release, and without warning the PCT was deluged with 25 enquiries in three to four hours. Mr Griffin says: "Every media enquiry I fronted personally and I tried to get back to every enquiry within half an hour and agreed to every interview."
Mr Griffin admits he was not "always comfortable" in these interviews, but sees managing the reputation of the PCT and the wider NHS as an important part of the chief executive's role. After dealing with the immediate media onslaught Mr Griffin wrote to local MPs, lead councillors and the local authority to reassure them that the incident they would have read about in the press had been dealt with properly.
Like many organisations, Sefton PCT did not have a formal crisis management plan - although this has now been rectified - so Mr Griffin followed his gut instinct.
"The principle I work on is when anything like this happens you front it up and you do it openly and honestly," he says. "Obviously I deeply regret the incident happening but once it had I think we handled it well and we handled the media well because we did it promptly and openly. I think I gave some personal leadership to that. It is important that the chief executive is seen on these instances.
"One or two people have said to me, 'perhaps if you had kept the incident quiet in the first place and had never told your staff about it, the media would never have been aware of it'. I think that compromises our values base, quite frankly. In an incident such as this where staff details have been released I have a human duty to my staff to tell them."
Chartered Institute of Public Relations president Elisabeth Lewis-Jones says Mr Griffin followed the right approach because the public wants and expects organisations to act responsibly in a crisis.
"If you go forward and put your hands up and say, 'guys we got something wrong but this is what we are going to do about it', they are more likely to believe you and trust you and have far more loyalty in the long run than they are if you try to hide it away or pretend that nothing has happened."
Ms Lewis-Jones emphasises: "It is very important to have a crisis management plan because at least it gives you time to think about situations and communication without actually being in a situation when people might not have the time to think."
A crisis management plan should map out all stakeholders - public, staff, MPs, councillors, partner organisations - and then consider the best way to reach each one. This might be via the website, a statement to the press, physically writing to them, emailing them or sending out an e-bulletin. Ms Lewis-Jones also recommends a parent body or partner organisation endorses messages where possible to give "third party credibility".
Although the strategic health authority was notified of the data breach through the formal channels when the incident occurred, Mr Griffin says with hindsight he would certainly telephone the chief executive directly if there were ever "any risk of anything causing a bit of media noise". "When Unite put the press release out and all hell broke loose the SHA chief executive had not picked it up through the normal channels."
A week-long internal investigation found the incident had been caused by human error. A valued member of staff, working long hours to meet tight deadlines, had extracted data from a spreadsheet, closed the document they were working on and sent it with the link to the spreadsheet still there.
"In this instance I was not going to hang them out to dry," Mr Griffin says. "But it was important that we learned from the pressure that people are put under and also learned around the discipline people apply on a routine basis whenever they use data."
The PCT also carried out a detailed root-cause analysis on the incident, which took into account data protection issues raised by other high-profile incidents that have occurred elsewhere recently, such as the need for a greater emphasis on encryption and the particular risks of laptops, flash memory sticks and community staff who necessarily travel with patient data.
"We have looked at our systems, our communications, how quickly we responded," Mr Griffin says. "On the back of that we have done some specifics, we have strengthened training, we have strengthened awareness [of data protection] and extended an information audit of our systems."
"Within the organisation it has acted as a useful reminder of the value of media training, a good communications infrastructure and the value of reputation management as well as the importance of information governance."