Brian Miller and Stewart Whyte gave evidence.

We will now hear oral evidence from Brian Miller, head of IT security and compliance, and Stewart Whyte, data protection officer, both from NHS Greater Glasgow and Clyde and joining us online. For this session we have until 4.20 pm. Will the witnesses please introduce themselves for the record?

Brian Miller:

Good afternoon, Chair. It is nice to see you all. I am Brian Miller and I head up IT security and compliance at NHS Greater Glasgow and Clyde. It is a privilege to be here, albeit remotely. I have worked at NHS Greater Glasgow and Clyde for four years. Prior to that, I was infrastructure manager at a local authority for 16 years and I spent 10 years at the Ministry of Defence in infrastructure management. I look at the Bill not only through the lens of working with a large health board, but from a personal perspective with a philosophy of “defenders win” across the entire public sector.

Stewart Whyte:

Good afternoon, Chair, and everyone. My name is Stewart Whyte and I am the data protection officer at NHS Greater Glasgow and Clyde. I am by no means a cyber-security expert, but hopefully I can provide some insight into the data protection side and how things fit together.

Q Thank you for giving evidence to us. I want your help to get my head around what could fall under the Bill’s discretionary power on the designation of critical supply chain entities. Synnovis is used as the exemplar of why such a power is needed. From your perspective in the NHS, what do you think would come into scope? For example, would patient transport or taxis come under scope as critical for the delivery of your services? Would a hospital cleaner come under the scope of a critical supplier if the service was outsourced to a private sector organisation? Would food provision in your hospital come under scope? Would the provision of materials, medicines or medical devices provided by private companies come under scope? Would the provision of IT services—physical computers, not cloud services—come under scope? Would locum agencies come under scope? In fact, would any private provider not come under the scope as critical for the provision of services linked to your organisation’s IT system?

Brian Miller:

That is a good question. Some of our colleagues mentioned the follow-up secondary legislation that will help us to identify those kinds of things. I suppose there is no difference from where we are at now. We would look at any provision of services from a risk management perspective and say what security controls apply. For example, would they be critical suppliers in terms of infrastructure and cyber-security? Does a cleaning service hold identifiable data? What are the links? Is it intrinsically linked from a technological perspective?

I mentioned looking at this through a “defenders win” lens. Yes, some of these technologies are covered. I saw some of the conversations earlier about local authorities not being in scope, but services are so intrinsically linked that they can well come into scope. It might well be that some of the suppliers you mentioned fall under the category of critical suppliers, but that might be the case just now. There might be provision of a new service for medical devices, which are a good example because they are unique and different compliance standards apply to them. For anything like that, where we stand just now—outside the Bill—we risk assess it. There is such an intrinsic link. A colleague on another panel mentioned data across the services; that is why Stewart is here alongside me. I look after the IT security element and Stewart looks after the data protection element.

Q Presumably, all suppliers are in some way linked to your IT systems to some degree. I know the NHS sometimes uses faxes still, but we do not live in a world where things are done by paper and pen—it is all integrated into IT systems.

Brian Miller:

Sometimes, but sometimes not. I do not think we had any physical links with Synnovis, but it did work on our behalf. Emails might have been going back and forward, so although there were no physical connections, it was still important in terms of business email compromise and stuff like that—there was a kind of ancillary risk. Again, when things like that come up, we would look at it: do we have connections with a third party, a trusted partner or a local authority? If we do, what information do we send them and what information do we receive?

Q Thank you for joining us remotely from Scotland. I have a question for Stewart about data protection. In my Harlow Constituency we have just got a new electronic patient registration scheme; what risks do you see in the increased use of technology like that in the NHS? Does the Bill help to address some of the risks?

Stewart Whyte:

Anything that increases or improves our processes in the NHS for a lot of the procured services that we take in, and anything that is going to strengthen the framework between the health board or health service and the suppliers, is welcome for me. One of our problems in the NHS is that the systems we put in are becoming more and more complex. Being able to risk assess them against a particular framework would certainly help from our perspective. A lot of our suppliers, and a lot of our systems and processes, are procured from elsewhere, so we are looking for anything at all within the health service that will improve the process and the links with third party service providers.

Q I am interested in who you report to should you identify a cyber-incident. I am talking about not just data breaches but wider ones that can affect operational systems. Which regulators do you deal with? If it is multiple regulators, do you feel there is a case for having one distinct regulator to cover cyber-resilience and manage that quite difficult landscape?

Brian Miller:

That is a great question. I will touch on some different parts, because I might have slightly different information from some of the information you have heard previously. On reporting—Stewart will deal with the data protection element for reporting into the Information Commissioner’s Office—we report to the Scottish Health Competent Authority. It is important that we have an excellent relationship with the people there. To put that in context, I was speaking to them yesterday regarding our transition to the CAF, as part of our new compliance for NHS Greater Glasgow and Clyde. If there was a reportable incident, we would report into the SHCA. The thresholds are really well defined against the confidentiality, integrity and availability triad—it will be patient impact and stuff like that.

Organisationally, we report up the chain to our director of digital services, and we have an information governance steering group. Our senior information risk officer is the director of digital, and the chief information security officer role sits with our director of digital. We report nationally, and we work really closely with National Services Scotland’s Cyber Security Centre of Excellence, which does a lot of our threat protection and secure operations, 24/7, 365 days a year. We work with the Scottish Government through the Scottish Cyber Co-ordination Centre and what are called CREW—cyber resilience early warning—notices for a lot of threat intelligence. If something met the threshold, we would report to the SHCA. Stewart, do you want to come in on the data protection officer?

Stewart Whyte:

We would report to the Information Commissioner, and within 72 hours we also report to the Scottish Government information governance and data protection team. We would risk assess the breaches and determine whether they meet the threshold for reporting. Not every data breach is required to be reported.

From the reporting perspective, it would be helpful to report into one individual organisation. I noticed that in the reporting requirements we are looking at doing it within 24 hours, which could be quite difficult, because sometimes we do not know everything about the breach within that time. We might need more information to be able to risk assess it appropriately. Making regulators aware of the breach as soon as possible is always going to be a good thing.

Q To come back to Dr Spencer’s original question about the scope of the legislation, the current situation, as I understand it, is that there is a carve-out for small and medium-sized enterprises because we do not want to put too much regulatory burden on them, but, under the new proposed legislation, operators of essential services that are SMEs will be designated by their regulator. That brings us back to the question of which regulator that would be. Do you currently use that designation for operators of essential services, or would you have to do a piece of work, presumably looking at a number of different regulators’ points of view, to designate the operators of essential services?

Brian Miller:

We would work with the Scottish Health Competent Authority as our regulator; I cannot speak for other regulators and what that might look like. We are doing work on what assurance for critical suppliers outside the Bill looks like just now, and we are working across the boards in Scotland on identifying critical suppliers. Outside of that, for any suppliers or any new services, we will assess the risk individually, based on the services they are providing.

The Bill is really valuable for me, particularly when it comes to managed service provision. One of the questions I was looking at is: what has changed since 2018? The biggest change for me is that identity has went to the cloud, because of video conferencing and stuff like that. When identity went to the cloud, it then involved managed service providers and data centres. We have put additional controls around that, because the network perimeter extended out into the cloud. We might want to take advantage of those controls for new things that come online, integrating with national identity, but we need to be assured that the companies integrating with national identity are safe. For me, the Bill will be a terrific bit of legislation that will help me with that—if that makes sense.

Q I want to make sure I have understood exactly. Is the regulator going to tell you who your operators of essential services are, or are you going to tell the regulator?

Brian Miller:

I think we would work with the regulator, but we are looking for more detail in any secondary legislation that comes along. We have read what the designation of critical suppliers would be. I would look to work with the Scottish Health Competent Authority and colleagues in National Services Scotland on what that would look like.

Stewart Whyte:

On how we would make that decision, from our perspective we are looking at what the supplier is providing and what sort of data they are processing on our behalf. From the NHS perspective, 90% of the data that we process will be special category, very sensitive information. It could be that, from our side, a lot of the people in the supply chain would fall into that designation, but for some other sectors it might not be so critical. We have a unique challenge in the NHS because of the service we provide, the effect that cyber-crime would have on our organisations, and the sensitivity of the data we process.

Q Your evidence is really helpful. To help with my understanding, if you look across all the suppliers in your service, are there any that you would not consider to be critical, such that if you clicked your fingers now and one of them disappeared, it would not have a material impact on your ability to maintain patient safety and deliver healthcare? Irrespective of the debate about size, what suppliers do you not determine to be critical?

Stewart Whyte:

For me, it would be a slightly different assessment from Brian’s. We would be looking at anything where there is no processing of personal data. For me, that would not be a critical supplier from a data protection perspective. But there might be some other integration with NHS board systems that Brian might have concerns about. There is a crossover in terms of what we do, but my role is to look at how we manage data within the NHS. If there are suppliers where there is no involvement with identifiable data of either staff or patients, I would not see them as a critical supplier under this piece of legislation.

Q Brian, from your side, what about, say, PPE, gloves or blood? There must be other things that are non-data that are, nevertheless, essential services.

Brian Miller:

I do not want to step out of my lane. There will be clinical stuff that absolutely would be essential. I would not be able to speak in any depth on that part of it; I purely look at the cyber element of it. As an organisation, we would be identifying those kinds of aspects.

In terms of suppliers, you are absolutely right. We have suppliers that supply some sort of IT services to us. If we are procuring anything, we will do a risk assessment—that might be a basic risk assessment because it is relatively low risk, it might be a rapid risk assessment, or it may be a really in-depth assessment for someone that would be a critical supplier or we could deem essential—but there are absolutely suppliers that would not fall under any of that criteria for the board. The board is large in scale, with 40,000 users. It is the largest health board in the country.

Q Do you have integration with your local primary care IT systems? For example, GPs have the old EMIS system and so on; is that integrated into your network? From your perspective, would that be a critical supplier that would need to be regulated?

Stewart Whyte:

Yes. There is a lot of information sharing between acute services and primary care via integrated systems. We send discharge letters and information directly to GP practices that then goes straight into the patient record with the GP. There is a lot of integration there, yes.

Q Does that also exist for local government? Does adult social care and so on have that integration too?

Stewart Whyte:

Yes, there is integration between ourselves and the local authorities.

If there are no further questions from Members, I thank witnesses for their evidence. We will move on to the next panel.