Health service employees and information security policies: an uneasy partnership?

Karen Renaud (School of Computing Science, University of Glasgow, Glasgow, UK)
Wendy Goucher (School of Computing Science, University of Glasgow, Glasgow, UK)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 5 October 2012

Abstract

Purpose

The purpose of this paper is to investigate how employees in a health board perceived and experienced information governance policies.

Design/methodology/approach

The approach was interpretive. A series of interviews was carried out and the transcripts were analysed using an interpretative phenomenological approach.

Findings

The authors discovered that staff often felt subjugated by policies, experienced a lack of support, and felt pressure both to comply and to motivate the staff they managed to comply with policy directives. It was also obvious that all interviewees were highly motivated and concerned about information security. The authors conclude by proposing some mediation: a recognition and reward scheme to reward secure behaviour, the implementation of an incident response process, facilitated upward communication and development of a security culture in the organisation. Finally, the authors argue for the same rules to apply to all staff, so that procedures are fair, and seen to be so.

Practical implications

The authors make some recommendations for mediation, which should ensure that employees experience less pressure in complying with policy directives.

Social implications

If the authors' recommendations are followed, information security is bound to improve, which would be an outcome greatly to be desired.

Originality/value

This paper empirically confirms recommendations made by other researchers working in this area.

Citation

Renaud, K. and Goucher, W. (2012), "Health service employees and information security policies: an uneasy partnership?", Information Management & Computer Security, Vol. 20 No. 4, pp. 296-311. https://doi.org/10.1108/09685221211267666

Publisher

Emerald Group Publishing Limited

Copyright © 2012, Emerald Group Publishing Limited
