Future Tech

Whistleblower says database for registering UK nurses is 'completely unacceptable'

Tan KW
Publish date: Fri, 22 Mar 2024, 06:44 PM

Exclusive: The UK Information Commissioner's Office has received a complaint detailing the mismanagement of personal data at the Nursing and Midwifery Council (NMC), the regulator that oversees worker registration.

Employment as a nurse or midwife depends on enrolment with the NMC in the UK. According to whistleblower evidence seen by The Register, the databases on which the vital professional information is held lack rudimentary technical standards and practices.

The NMC said its data was secure with a high level of quality, allowing it to fulfil its regulatory role, although it was on "a journey of improvement."

But without basic documentation, or the primary keys or foreign keys common in database management, the Microsoft SQL Server databases - holding information about 800,000 registered professionals - are difficult to query and manage, making assurances on governance nearly impossible, the whistleblower told us.

The databases have no version control systems. Important fields for identifying individuals were used inconsistently - for example, containing junk data, test data, or null data - potentially impacting decisions on the careers of nurses and midwives relying on the NMC for registration.

Although the tech team used workarounds to compensate for the lack of basic technical standards, they were ad hoc and known by only a handful of individuals, creating business continuity risks should they leave the organization, according to the whistleblower.

Despite having been warned of the issues of basic technical practice internally, the NMC failed to acknowledge the problems. Only after exhausting other avenues did the whistleblower raise concern externally with the ICO and The Register.

The NMC stores sensitive data on behalf of the professionals that it registers, including gender, sexual orientation, gender identity, ethnicity and nationality, disability details, marital status, as well as other personal information.

The current UK law for data protection - it is being updated - comes under the Data Protection Act 2018, which incorporates the EU's General Data Protection Regulation (GDPR) as UK GDPR.

Under GDPR, personal information should be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."

The whistleblower's complaint claims the NMC falls well short of these standards. The statement alleges that the NMC's "data management and data retrieval practices were completely unacceptable."

"There is not even much by way of internal structure of the databases for self-documentation, such as primary keys, foreign keys (with a few honourable exceptions), check constraints and table constraints. Even fields that should not be null are nullable. This is frankly astonishing and not the practice of a mature, professional organisation," the statement says.

For example, the databases contain a unique ten-digit number (or PRN) to identify individuals registered to the NMC. However, the fields for PRNs sometimes contain individuals' names, start with a letter or other invalid data, or are simply null.
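The kinds of constraint the complaint says are missing, sketched in T-SQL as an added example that is not part of the original article and is not the NMC's schema. All table, column and constraint names and the sample rows are hypothetical; the ten-digit rule comes from the PRN description above.

```sql
-- Hypothetical schema: the database itself rejects bad PRNs.
CREATE TABLE dbo.Registrant (
    PRN        CHAR(10)      NOT NULL,
    FamilyName NVARCHAR(100) NOT NULL,
    CONSTRAINT PK_Registrant PRIMARY KEY (PRN),  -- unique, never null
    -- Ten characters, none of which is a non-digit.
    CONSTRAINT CK_Registrant_PRN
        CHECK (LEN(PRN) = 10 AND PRN NOT LIKE '%[^0-9]%')
);

CREATE TABLE dbo.RegistrationDecision (
    DecisionId INT IDENTITY(1,1) NOT NULL,
    PRN        CHAR(10)          NOT NULL,
    DecidedOn  DATE              NOT NULL,
    CONSTRAINT PK_RegistrationDecision PRIMARY KEY (DecisionId),
    -- A decision cannot point at a registrant who does not exist.
    CONSTRAINT FK_RegistrationDecision_Registrant
        FOREIGN KEY (PRN) REFERENCES dbo.Registrant (PRN)
);

-- Constructed stand-in for an unconstrained legacy table.
CREATE TABLE dbo.LegacyRegistrant (
    PRN        NVARCHAR(50)  NULL,
    FamilyName NVARCHAR(100) NULL
);
INSERT INTO dbo.LegacyRegistrant (PRN, FamilyName) VALUES
    (N'0123456789', N'Sample A'),  -- well formed
    (N'A123456789', N'Sample B'),  -- starts with a letter
    (N'Jane Smith', N'Sample C'),  -- a name in the PRN field
    (NULL,          N'Sample D'),  -- null
    (N'0123456789', N'Sample E');  -- same PRN as Sample A

-- Audit: list every row that would violate the constraints above,
-- so it can be corrected before the data is migrated.
WITH Checked AS (
    SELECT PRN, FamilyName,
           CASE
               WHEN PRN IS NULL THEN 'null'
               WHEN LEN(PRN) <> 10 OR PRN LIKE '%[^0-9]%' THEN 'not ten digits'
               WHEN COUNT(*) OVER (PARTITION BY PRN) > 1 THEN 'duplicate'
           END AS Problem
    FROM dbo.LegacyRegistrant
)
SELECT PRN, FamilyName, Problem
FROM Checked
WHERE Problem IS NOT NULL;
```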

The whistleblower's complaint says that the PRN problem, and other database design deficiencies, meant that it was nearly impossible to produce "accurate, correct, business critical reports … because frankly no one knows where the correct data is to be found."

In a statement to The Register, Tom Moore, chief information officer at the NMC, said: "The integrity of our register is of paramount importance to us. Our records of all registered nurses, midwives and nursing associates are held securely with a high level of data quality. This enables us to fulfil our regulatory role and protect the public.

"When it comes to the systems we use to analyse and report on our data, we're on a journey of improvement. Work remains actively under way in this area, including moving away from older technologies. This will allow us to better generate insight from our regulatory activities."

The NMC told us it has measures for protecting personal data which are subject to scrutiny by internal audit partners.

The ICO confirmed to us it has received the whistleblower complaint about the NMC. ®

 

https://www.theregister.com//2024/03/22/nmc_database_whistleblower/
