My friend and colleague Sheila Woodcock wrote to me
yesterday about the recent news event that surrounds Kate Middleton, Duchess of Cambridge, the King Edward
VII Hospital, and a morning radio station performer.
For those that do not follow such events, Kate is married
to Prince William, the son of Charles and Diana (It is significant to remember
that Diana was killed in part trying to flee British paparazzi). Duchess Kate was hospitalized for a private matter
and the morning radio show performer (MRSP) from Australia contacted the
hospital pretending to be Charles (the father-in-law) and was able to get to a
nurse, who unknowingly was hoaxed into sharing some private information about
Kate on the radio show. A short time
later the nurse was found dead, apparently from a suicide.
Sheila pointed out that there are many villains in this
whole sordid ugly story, but at its Quality core, there is a major policy issue. Seemingly this MRSP was able to pass from one
person to another over the phone until he finally reached the nurse who chatted
on. So where in all this is the King
Edward VII Hospital privacy policy, and if it exists, how come so many people
ignored it? Had the policy been in
place, the MRSP would have been blocked out, the nurse would not have been
contacted, and would not have talked and perhaps would be alive today. So as much as the MRSP was a rudely intrusive
self-entitled waste-of-time, the King Edward VII Hospital was incompetent and
derelict in enforcing its own critical policies.
First off, let me suggest that if there is a family that
is the very model of decorum, it would be the Royals. The likelihood that they would have barged
their way against a policy designed to protect them would be nil. So being intimidated is not an excuse; and
being accommodating was inappropriate.
So the real story here is that the hospital was inept,
and the staff ignored a critical policy.
Had the hospital been more diligent with respect to policy and process,
this whole event never should have occurred.
Perhaps this suggests an approach that all privacy based
organizations should consider. I think
of it as very Deming. If you create a
critical policy, on some sort of regularly intermittent basis (that means every
3-4 months), someone should do an internal audit to see if the policy is being
followed. They pretend to be a person
calling in for patient information. If
they are blocked from obtaining information, we will call that being proficient; if they are successful in
garnering private information, we call that having opportunities for improvement.
The institution would monitor and track performance and
capture potential breaches early.
That would be a really good example of combining Quality Indicators
and Risk Management to ensure Continual Improvement. And by-and-large would cost virtually
nothing.
But having gone there, my CMPT background and naturally
entrepreneurial imagination took me one step further. Perhaps one could even create a business
opportunity and develop a program for testing adherence to privacy policies; we
could call it Privacy Proficiency
Testing. Consider the opportunities;
in Canada we have about 1000 laboratories, probably 20,000(?) banks, 40,000(?)
schools, and 50,000 doctors’ offices.
The imagination boggles at the possibilities.
Put in that light the MRSP who started this whole ugly
mess was not really a rudely intrusive self-entitled waste-of-time; he was
really a public-spirited free-service external audit provider whose goal was to
see if the Princess’s privacy was truly secure.
Or maybe he was both.
Thanks Sheila.