'Sooner or later the NHS will be caught up in a major scandal involving records'

The development of electronic record systems by businesses, the government and the public sector is starting to gather pace.

The arguments in favour of new systems are, by now, well rehearsed. As far as the NHS is concerned, they include the idea that electronic records should support safer care, increase efficiency, promote team working and deliver more security, accessibility and convenience for patients.

However, information commissioner Richard Thomas' latest annual report suggests many organisations are finding some of these kinds of argument more compelling than others.

Taken as a whole, it suggests that while many bodies are happy to embrace the increased information sharing, surveillance and targeting that new systems make possible, they are less committed to security and positively ambivalent about openness.

I fear the NHS is following the general trend. It is undoubtedly in the vanguard of what an earlier report, Surveillance Society, defined as a world in which technology is routinely used to track and record people's activities.

This is not only because it is developing its own care records. It is also because its data tends to be drawn into other projects, such as the children's database, and because it is enthusiastic about using electronic systems to target services on people and monitor their impact. The algorithm to spot patients at 'high risk' of hospital admission is a case in point.

The problem is that there are few opportunities to debate what such systems can legitimately be used for - and even fewer checks on function creep.

As Mr Thomas notes: 'The benefits of using personal information are undeniable. But so are the risks for individuals and society where use goes beyond reasonable expectations or where things go wrong. [And] the risks - such as mistaken identity, judgemental profiling - magnify as information is shared ever wider.'

Sooner or later, it is certain the NHS will be caught up in a major scandal involving records, databases or targeting. Questions will be asked about how such systems could have been put in place, and there will be reviews and resignations, which is why Mr Thomas argues that the best defences we have now against such abuses are data protection and the self-interest of organisations with reputations to lose. Unfortunately, other parts of the report suggest these are not much of a defence.

Only one of the incidents it describes is related to the NHS, but since every NHS IT manager has a fund of stories about staff taping passwords to computers or carrying patient notes around on USB sticks and MP3 players, any of them could be. These kinds of breaches, and the social engineering lapses covered in another report, Illegal Trade in Personal Information, happen despite the reputational damage that inevitably occurs when news of them gets out.

Nevertheless, organisations are still willing to plead confidentiality when their interests are at stake. Mr Thomas' report contains the usual list of bodies - including an NHS trust - that were only too willing to hang on to information that should have been released under the Freedom of Information Act.

Unusually, the information commissioner addresses ministers, permanent secretaries, chairs and chief executives directly in this year's report. They must ensure their organisations 'exercise the necessary self-restraint' as they help to create a surveillance society, and must 'ensure that their organisations guarantee safeguards'.

This is an important message, but at the moment we are in for years of stories about database application and security scandals. Managers might like to reflect on Mr Thomas' point that it won't be much fun to be caught up in them, and take steps that will leave colleagues and me writing about something else.

www.ico.gov.uk