Tuesday, December 11, 2012

Duchess Kate and the Quality OFI

My friend and colleague Shelia Woodcock wrote to me yesterday about the recent news event that surrounds Kate Middleton, Duchess of Cambridge, the King Edward VII Hospital, and a morning radio station performer.  

For those that do not follow such events, Kate is married to Prince William, the son of Charles and Diana (It is significant to remember that Diana was killed in part trying to flee British paparazzi).  Duchess Kate was hospitalized for a private matter and the morning radio show performer (MRSP) from Australia contacted the hospital pretending to be Charles (the father-in-law) and was able to get to a nurse, who unknowingly was hoaxed into sharing some private information about Kate on the radio show.  A short time later the nurse was found dead, apparently from a suicide.

Sheila pointed out that there are many villains in this whole sordid ugly story, but at its Quality core, there is a major policy issue.  Seemingly this MRSP was able to pass from one person to another over the phone until he finally reached the nurse who chatted on.  So where in all this is the King Edward VII Hospital privacy policy, and if it exists, how come so many people ignored it?  Had the policy been in place, the MRSP would have been blocked out, the nurse would not have been contacted, and would not have talked and perhaps would be alive today.  So as much as the MRSP was a rudely intrusive self-entitled waste-of-time, the King Edward VII Hospital was incompetent and derelict in enforcing its own critical policies.

First off, let me suggest that if there is a family that is the very model of decorum, it would be the Royals.  The likelihood that they would have barged their way against a policy designed to protect them would be nil.  So being intimidated is not an excuse; and being accommodating was inappropriate.  

So the real story hear is that the hospital was inept, and the staff ignored a critical policy.  Had the hospital been more diligent with respect to policy and process, this whole event never should have occurred.

Perhaps this suggests an approach that all privacy based organizations should consider.  I think of it as very Deming.  If you create a critical policy, on some sort of regularly intermittent basis (that means ever 3-4 months), someone should do an internal audit to see if the policy is being followed.  They pretend to be a person calling in for patient information.  If they are blocked from achieving information, we will call that being proficient; if they are successful in garnering private information we call that having opportunities for improvement.  

The institution would monitor and track performance and capture potential breaches early. 

That would be a really good example of combining Quality Indicators and Risk Management to ensure Continual Improvement.  And by-and-large would cost virtually nothing.

But having gone there, my CMPT background and naturally entrepreneurial imagination, took me one step further.  Perhaps one could even create a business opportunity and develop a program for testing adherence to privacy policies; we could call it Privacy Proficiency Testing.  Consider the opportunities; in Canada we have about 1000 laboratories, probably 20,000(?) banks, 40,000(?) schools, and 50,000 doctor’s offices.  The imagination boggles at the possibilities.

Put in that light the MRSP who started this whole ugly mess was not really a rudely intrusive self-entitled waste-of-time; he was really a public-spirited  free-service external audit provider whose goal was to see if they Princess’s privacy was truly secure.  

Or maybe he was both.
Thanks Sheila.

No comments:

Post a Comment

Comments, thoughts...