Whistleblower raises alarm over UK Nursing and Midwifery Council's DB The UK Information Commissioner's Office has received a complaint detailing the mismanagement of personal data at the Nursing and Midwifery Council (NMC), the regulator that oversees worker registration. Employment as a nurse or midwife depends on enrolment with the NMC in the UK. According to whistleblower evidence seen by …
So their "high quality data" has non numeric stuff in a column that should be a unique 10 digit number and the CIO thinks the way to fix this is to enable the analyzing and reporting tools to work with incosistent data?
If that is really true the first thing to do is getting a competent CIO.
Yeah, but that crummy data in the analytics has to come from somewhere. In practice, it's often because in a data warehouse you're joining stuff from many different source systems, where the same (supposedly) thing is stored in different formats. But in this case, it sounds like this "data warehouse" gets data from pretty much only this one system, so... Where does the crap come from, if not from that?
This sounds like the friend of someone senior said "I can do that" when discussing a medical registration system and they promptly got the gig on an outsource-to-the-boys adventure. Outright dumb-fuckery then ensued as they endeavoured to create said system. A few corporate hangers-on were subsequently employed along the way to offer a veneer of substance.
As for "For clarity, the register of all our nurses, midwives and nursing practitioners is held within Dynamics 365 which is our system of record," the spinner continued. "This solution and the data held within it, is secure and well documented. It does not rely on any SQL database. The SQL database referenced by the whistleblower relates to our data warehouse which we are in the process of modernizing as previously shared."
If it doesn't rely on a SQL database but you make use of a data warehouse which is SQL then YOU rely on a SQL database. So, technically correct but utterly wrong. If that doesn't have the same levels of governance and security then what the primary system has is somewhat moot given you are obviously stuffing that data into it.
"Despite having been warned of the issues of basic technical practice internally, the NMC failed to acknowledge the problems. Only after exhausting other avenues did the whistleblower raise concern externally with the ICO and The Register."
"After exhausting other avenues", means that the NMC know who the whistleblower is (or at least within a small group of people). This is unfortunate when it comes to redundancy time. "Trouble makers out first".
I'd guess they've already left, certainly if they've any sense.
I've worked for quite a few different organisations, and been a long term observer of organisational behaviour, and one consistent aspect of corporate personality is pig-headedness. Any idea from the top and it's a case of Emperor's New Clothes, everybody praises the idea and hitches their cart to it. Anything from within the bowels of the organisation that's seeking to improve systems and processes will be ignored, and criticism fobbed off, and failings rationalised and kicked into the long grass. Moreover, anybody who doesn't take the corporate "no" for an answer will be designated a troublemaker, their career blighted.
This, exactly this. It's the same for so many other professions now. Teachers, police, social work, politics, even trades and engineering to some extent. Make the smallest mistake or cause political trouble for someone powerful and you can be banned, years of training down the drain. And then they wonder why they can't recruit anybody into these professions. All the honest people are leaving, and the only ones staying are the psychopaths who can put on all of the Machiavellian masks to cover up their own failings and gaslight others to keep themselves from being reported.
Frankly I'd rather be treated by a doctor or nurse who had been struck off, than not be treated at all.
Of course, there are some cases like Wayne Couzens et al where they should never have been allowed to do the job in the first place, but a system that simply waits for those people to do something awful is not sufficient, and it actually encourages that sort of psychopath because they enjoy the feeling of getting away with it.
Also, the idea that a nurse should need a degree is ridiculous..
"the idea that a nurse should need a degree is ridiculous"
In the UK at least, the training for nurses was originally on the job1. After passing initial selection based on background enquiries and interviews, there was some practical training but you primarily started as a probationer emptying bed pans and cleaning floors, then progressed through "state enrolled" to "state registered" under the eagle eye and draconian guidance of Matron. If nothing else, such training ensured that the principle of selfless service dominated the culture. But in those days, the scope of a nurse's responsibility was strictly constrained. These days, alongside "physician associates", nurses are often required to carry out duties that were previously in the domain of doctors, so they are expected to have formal "qualifications" to inspire confidence.
But it's also about grade inflation. The degree is the new A-level (senior high school exam), so anyone without it is deemed to be illiterate, innumerate and dumb as an ox. That's mistaken of course, but 'qualifications' are the yardstick for employment. They take precedence over all other candidate information among the HR wonks that don't want to be called to account when an employee proves to be a duffer.
I remember when the UK ordinary degree was three years and 'honours' required an extra year of study. Then all three year degrees became designated 'honours' and the only 'ordinary' degree was a marginal pass. Next, the first year ceased to be marked towards the award and became instead a kind of 'induction year'. A couple of decades back around 15% got awarded a 1st class degree. These days it's around 40%. But I really doubt that either the students are almost three times smarter or the lecturers equivalently better.
1: See "The Feminine Touch", Ealing Studios 1956.
.
"In the UK at least, the training for nurses was originally on the job"
The advent of degree nursing was the death knell for the old system - curiously you can't blame the Tories for this one - all part of that twat Blair's belief that everybody needed a degree. It also meant that instead of doing a lot of the lower value jobs as they trained, whilst getting subsidised accommodation and a very low salary, nurses started their career with £30k plus of debt to the banks and no practical experience. A triumph of liberal socialism in every way.
My wife trained as a nurse under the old system and although they might be washing floors and making beds, they'd also VERY quickly be doing proper nursing jobs - she joined at 17, and within a couple of months was having to do things like "Last Offices" on patients who'd died, changing dressings, checking prescriptions before dispensing written up scripts, routinely dealing with confused or disturbed patients, dealing with patients in chromic pain or dying, with their relatives. At the same age I was starting university and years away from making any contribution to the economy, or doing anything socially worthwhile.
Yes, my Pharmacist wife is training (mostly outside of work time) to allow her to prescribe a range of treatments for relatively minor things to take the weight off the doctors.
Many Nurses in Doctors Surgeries already have the qualifications to prescribe a range of treatments.
My small, rural Surgery even has a Physiotherapist available 1 day a week to deal with the minor 'tweeks' up to quite complex things.
My Dr. daughter also points out that a good 80% of the patients they see in a week are the very repetitive 5% who have either complex and multitude health issues, or are the mental health cases that Secondary care refuse to take on. (And mental health have to be seen that day on top of the normal list, and will never be the standard 6 minute consultation! So they frustrate other patients who are waiting, as well as the staff, who unlike Secondary care can "only apply a sticking plaster, and not resolve the root cause".)
under the eagle eye and draconian guidance of Matron
Played to a tee by Hattie Jacques, as Matron
This post has been deleted by its author
"I’m guessing that some patients like to know this information."
But it's none of the patients business. If you're receiving care then the lifestyle and characteristics of care givers should not matter. When I've had relatives in hospital I've been grateful for the care that nurses and HCAs have provided, and for the porters, cleaners and other support staff. Their gender, sexuality, ethnicity and such like are none of my business, although the NMC do have reasonable grounds to wish to ask those questions as other posters have noted.
Note: My wife has a current registration with the NMC, I don't believe this has any bearing on my views on this matter.
Leaving aside possible GDPR implications, diversity monitoring. Given the difficulty in recruiting nurses you want to be sure the number of reasons limiting recruits aren't more than the pay and conditions on offer.
Personally I'd be reasonably certain that a comparison of sexual orientation diversity in nurses vs the average population would actually show the numbers of non straight nurses are higher than average, but you don't know how well you're doing if you don't measure it.
"Given the difficulty in recruiting nurses you want to be sure the number of reasons limiting recruits aren't more than the pay and conditions on offer."
So the offer should be made without asking questions other than qualifications although those will include the checks on barring or whatever the term is now.
"but you don't know how well you're doing if you don't measure it."
And if it's not your business to know you won't need to measure it.
The underlying problem here is the busybodies and professional umbrage takers who make it their business to know, probably because it's an easier gig than getting nursing or any other useful qualifications.
I feel you're misunderstanding. You're not providing the opportunity to make an offer based on a protected characteristic of the nurse. Whilst there are possible reasons for the NMC to store the information, anyone requesting if the nurse has a valid registration shouldn't be provided with that data.
If the nurses registered doesn't provide a reasonable match to the distribution of the general population, it's worth asking why.
If the nurses registered doesn't provide a reasonable match to the distribution of the general population, it's worth asking why.
No, it really isn't. That's the same retarded thinking that gives us corporate environments where "why aren't 50% of the people in <role predominantly staffed by one gender because the other isn't that interested> <opposite gender>?" questions are asked and subsequent biased hiring practices to "level the field" undertaken.
Just because there's a 50/50 split (or whatever ratio) of women to men in society doesn't mean that will carry through to representation in different jobs. FFS.
Any job with a reasonably large number of people doing it should have a relatively similar distribution of "protected characteristics" to the general population.
If it does not, then there is bias that needs an explanation.
The only way to detect if some manager is refusing to hire people with ginger hair is to monitor how many people with ginger hair have applied and how many have been hired.
This is the data warehouse, so its probably meant to be for anonymous tracking of diversity from that form that is separate to your registration as an employee or as a member of a professional body, or something like that. Given the description of failing to implement data governance of any kind let alone of a satisfactory kind, I'm not sure it's possible to be sure that the details remain private from bosses... in the way usually guaranteed to voluntary respondents on those forms and required by law.
@ArrZarr
"Oh excellent. Somehow I just knew that this is another subject you'd have an awful opinion on.
Why do you feel that people should just be miserable all the time?"
What is your confusion? What awful opinion and who do I think should be miserable? Did you reply to the correct comment?
There's rather more than three possible chromosome options - even before considering epigenetics, injury and social expression, which are now know to be at least as important.
XX, XY, XXX, XXY, XX with a variety of "male" genes, XY but missing "male: genes are all fairly common - and have a variety of different expressions.
Tutors don't ask students to look at their own chromosomes because that's not a great place to discover they have trisomy X.
The more you look into the science, the more boxes you discover.
Anyone who insists there's "only two genders" has genuinely no idea what they're talking about. It's a lie told to children - and a harmful one, at that.
Very true but we're now into the realms of clinical data and not "administrative gender" which is the terminology I see more and more these days.
Ultimately it's a question of why are you recording this data in the first place (and as has been discussed at length it's likely for E&D purposes) and since this is currently a question with apparently no right answers that'll satisfy everybody it gets back to the old "the only winning move is not to play".
"The databases have no version control systems. Important fields for identifying individuals were used inconsistently – for example, containing junk data, test data, or null data ..."
Sounds like just about every corporate database I've ever been asked to merge, convert, transfer, etc.
"Well not all our customers have a VAT number, so we use that field for their nickname. If they do have a VAT number then we put that in the Fax field, as we don't want to confuse anyone ..."
product manager> All the fields in the form are required.
researcher> But the users won't have all the needed information. Some of it will only come later.
product manager> They should fill the form once they have all the information.
researcher> Some information can only be obtained once the form is filled and reference number given to customer.
product manager> We have clear specification from the stakeholders that all the information is required.
researcher> Yes, it is required, but not all at the same time.
produce manager> Then users should fill the form once they have all the information.
researcher> They can't fill the form with all the information, because they need the reference number.
product manager> That's not our problem. The stakeholders want every field filled, and we're going to make sure that happens.
researcher> Yes, but it's required sequentially, not all upfront. If they can't get a reference number first, they can't complete the form correctly.
product manager> They'll just have to find a way to get all the information before submitting. Our system won't accommodate piecemeal data entry.
researcher> This will lead to users either waiting indefinitely to submit or submitting incorrect information just to get a reference number.
product manager> If they choose to submit incorrect information, that's on them. We've made the requirements clear.
researcher> This approach is likely to result in bad data in the product database, affecting service quality and reliability.
product manager> Why are you being difficult?
researcher> I am just trying to make you aware of the potential issues that could harm the user experience and our data integrity.
product manager> In other words are you suggesting that stakeholders don't know what they are doing? Is this what you are saying?
researcher> Not at all. I'm suggesting that there might be aspects of the user interaction and data flow that haven't been fully considered.
product manager> The stakeholders have considered everything. Your job is to follow instructions, not to question them.
The amount of times I've seen this in the workplace. Where crap data has been put in so usually sales can get to the next step is truly amazing. Then they wonder why the AR team can't collect the money when there is no phone number and the address has been lifted off companies house or it's a branch office address. Then they start pushing back refusing to do credit checks till it's all been input and the higher ups kick off. The same higher ups kicking off that money hasn't been collected. Fucking idiots. I say this as someone that spent a good 3 weeks on one dataset that even though I used every single trick I know and some new ones I learnt had to sit and manually fix a third of it because it was that much of a mess. I was playing whack-a-mole with the fields as to which one of up to 9 fields it could have been input and the only way to determine this was to eyeball it because the people inputting the data did follow their own bizarre patterns. I'm going to have a nice cup of tea as I feel the anger returning.
> Under GDPR, personal information should be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."
Does it have a password to access it? Do they have a backup? is it scribbled on the back of envelopes, or left unguarded on an open-plan desk? No, no no, therefore it meets the requirements.
While I get the database is shit, I'm not sure the GDPR has a problem with shit.
> I'm not sure the GDPR has a problem with shit.
I think it can. The GDPR isn't only about security. The GDPR also requires you to try to ensure the information you have is accurate. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/the-principles/accuracy/
I believe broken schemas can interfere with this. As a hypothetical example, imagine if the lack of proper primary keys causes records about two different people to accidentally be merged, and then for one of them to be denied a job offer based on a red flag that was raised on the *other* person's records. That would be unfairly prejudicial to them. The organisation would be failing its obligation to hold accurate data.
Oh God, yes, this!
Client: We didn't want to disturb you by asking for a new custom field so we put the customer's ebay reference number in the phone number field as ebay won't tell us the phone number on orders so it didn't matter.
Client later on: How many of our customers are ebay customers?
Me: Dunno, I could have told you if you'd let me spend all of 5 minutes putting in a custom ebay reference number in the first place and not used the phone field.
Client: Erm, can you separate them out?
Me: Possibly. It will take a while as I've got to write a program to figure out how to tell the difference between the two...
Me a short while later: What are these types of entries? They match neither a phone number format nor an ebay ID.
Client: Oh, they're Amazon reference numbers - we, er, didn't want to bother you...
Me: AAARRRRGHH!!!!
An 800,000 entry list of people with probably few other tables in a Sql database. How can you possibly fuck that up?
I suppose the preferred solution now will be cloud, analytics, blockchain, AI etc costing many millions and take 10 years and it'll still be a fuck up.
I despair.
Is it also an architectural issue? Maybe the databasic approach should be left in the past, when memory and storage were scarce. Besides keeping versions of a database can be expensive, as only few records get modified on regular basis.
Instead the traditional DBs should only be used for very few unique keys and identification fields. The rest kept in versioned appendable documents' folder PER USER with its own index and parsed fields, to prevent unauthorized access to full documents in the folder. Then DBs could be generated as views, when necessary for (rare?) aggregated analysis. Separate tables could be generated from parsed fields PER USER as well, provided specific schema.
So yes, this is a great journey to improvement. Hopefully to records of all kind. It is now possible.
Hello, I'm here to check the diversity of your employees.
Fine, I'll get you the binders.
Binders?
Yeah. We didn't want to get hacked and software isn't cheap so instead we ran with biros and A4 binders. We use the IT budget for our Christmas party now. Hawaii this year. Here's the key to the secure room over there.
It looks like a cupboard.
It was. We refurbished it, so it is 'better than new'. Leave when you hear the bell or you'll still be here tomorrow.
"...is held within Dynamics 365 which is our system of record," the spinner continued. "This solution and the data held within it, is secure and well documented. It does not rely on any SQL database...."
So where does "Dynamics 365" store its data, if not in a database (Microsoft SQL Server, that is)?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
