Every Trust is running this dangerously high clinical risk. Can your Board see it?
- Tom Bartlett

- Jun 24
- 7 min read
The clinical safety, IG, and workforce risks from uncontrolled local information systems are not on any Trust's risk register. They should be.
This week the Ockenden review found that at Nottingham University Hospitals, weaknesses in governance, leadership, and learning from mistakes were known as far back as 2015. Six external reviews over seven years were all highly critical. The organisation did not sustain improvement, and tragically mothers and babies were failed by an institution they should have been able to rely on.
In 2016 CQC visited 60 healthcare settings and found staff building insecure workarounds because formal systems did not meet their needs. They recommended boards take clear ownership. In August 2023, CQC inspected Hull Royal Infirmary maternity and found paper care records, unstructured handovers, and a baby's death linked to monitoring failures. In December 2025, CQC inspected South London and Maudsley's community mental health services and found a waiting list of 596 patients tracked on a spreadsheet with no formal process and no clinical risk oversight. The same month, CQC inspected University Hospitals Sussex's Emergency Department and found staff relying mainly on paper records, describing the computer system as unfit for purpose.
The common themes in these reports, and I have seen many over the last 20 years, are leadership, culture, and staffing. These are perennial issues deserving of the attention. But there is a pattern in all of them that receives far less scrutiny: problems that were known, flagged repeatedly in internal reviews and external reports, and never escalated to the level where the board could govern them effectively. At Nottingham, six reviews over seven years all said the same thing. The organisation did not act. That governance failure, where operational risks sit below the board's line of sight until catastrophe forces them into view, is not confined to maternity. It is the same mechanism by which another category of clinical risk persists in every Trust in England, invisible to the board, unflagged on any risk register, and causing harm every day.
Underneath each of these reports, and most of the serious incident reviews I have read during my time in Trusts, sits an information problem that rarely makes it into the summary. Clinical teams making decisions on fragmented, ungoverned, locally built information systems, commonly known as shadow IT, because the formal systems do not support how they work.
I spent 22 years in the NHS, 15 of them working directly with Trust boards as a senior data lead. I set up Devon Partnership Trust's CQC team when the regulator was first established. While working with Trusts, I have:
attended ward handovers where patient flow was managed on a spreadsheet projected onto the wall, because the EPR had too many screens to click through when updating a patient.
seen nurses carrying printed patient lists with biro scribbled all over them through their ward shift, because the EPR did little more than record admission and discharge date.
watched discharge meetings run from Word documents while the EPR sat open and unused on the next screen.
seen wall to wall whiteboards in team rooms covered in patient identifiable data, photographed on personal phones at shift change so the next team knows what is happening.
seen staff copy and paste "template" structures into EPR free text progress note fields to capture clinical outcome measures.
been on a board visit to a community team in a building with only one working computer, where staff queued up to enter a cursory summary of their week's clinical contacts, with the real meat of the work safe in their paper notepad.
That was all pre-pandemic. I shudder to think what the status quo is now nearly everyone has their personal phone in their pocket, many with ChatGPT installed. Every clinician reading this will recognise at least one of those scenes. Yet all of them will also be adding much of that data into formal systems such as the Trust EPR to cover their backs should something bad happen and the situation needs to be reviewed. Often, I saw staff scan in their documents to the EPR, bypassing the structured elements of the system entirely. Collectively, this does not lead to good patient outcomes: it burdens the clinician with an additional task, whilst at the same time reducing the timeliness and accuracy of the information.
The information systems that actually run your Trust
In many Trusts there may be 200 or more clinical teams. A significant number of them will be running operational decisions on information systems they built themselves: spreadsheets tracking patient flow, Access databases managing theatre lists, paper trackers monitoring follow-up appointments, whiteboards coordinating bed states. Walk onto some wards and you will find patient flow managed on paper, even in Trusts that have spent tens of millions on electronic patient records. The EPR sits alongside the workaround rather than replacing it, because it was never configured for how the team actually delivers care. Some deployments of the same EPR have covered more ground than others, but none have come close to eliminating the need for these informal systems.
In my view, it is actually good that clinicians are designing their own systems, it shows an entrepreneurial approach and ownership of their service. But the problem is these systems lack rigour: they are rarely safe to use, prone to loss of data, un-auditable, and easy for the wrong person to look at. If the Trust's Caldicott guardian saw it they would try to shut it down, but more usually it becomes a source of unresolved tension, polluting the culture of openness and cooperation many Trusts aspire to. Trusts take a common way out of this. They purchase an EPR which satisfies the auditor. They take a blind eye towards the spreadsheet which satisfies the clinician. They see EPR compliance on the Data Security and Protection Toolkit (DSPT) and sign it off. But the critical risks of patient harm, data security, and clinical burnout remain.
CQC identified this a decade ago. Their 2016 "Safe data, safe care" report found that data security systems were not designed around the needs of frontline staff, leading to staff developing potentially insecure workarounds. They recommended that boards should demonstrate clear ownership of data security, just as they do for clinical and financial management. Even if this recommendation was implemented, it is only a partial fix addressing the security risk, not the patient risk. The review itself was narrowly focused around data security, defined as Availability, Integrity, and Confidentiality. Indeed, the governance of information systems has been heavily weighted towards security for obvious reasons, however this has left the dangerous dynamic I have described in place. The CQC should broaden their scope and re-audit this situation urgently.
Three risks the Board has never discussed together
Clinical safety. A spreadsheet managing bed allocations has very few safeguards. If someone deletes a row, changes a formula, or misreads a column, there is no system-level check. A patient whose follow-up is tracked on a local database rather than a governed clinical system is a patient whose safety depends on someone remembering to look. Coroners have issued Prevention of Future Deaths reports about patients lost to follow-up across disconnected systems. The data to prevent those deaths existed, but too often it was not joined up. This is especially true at the organisational boundaries between primary, secondary and social care.
Information governance. A patient tracker on a shared drive with no access controls means patient identifiable data sitting outside the DPIA, outside the retention policy, and outside the incident reporting framework. If the ICO walked onto your ward and opened the shared drive, what would they find?
Workforce. Clinicians are spending hours maintaining these tools, manually reconciling data across systems, re-entering information that already exists somewhere else in the organisation. Boards are tracking burnout through staff surveys and vacancy rates, but rarely connect it to the manual data burden their teams carry every day. The documentation burden that drives clinicians to exhaustion goes beyond the EPR being clunky. The parallel universe of informal systems that sits alongside it, each requiring its own feeding and maintenance, compounds the problem at every level. The emotional impact of a deleted spreadsheet containing tomorrow's patient list must be significant. I've seen the frustration of staff trying to find the right information many times.
Who owns this risk?
If shadow IT carries clinical safety risk, IG risk, and workforce risk, the question for every Chair and non-executive is whether it appears on the risk register. And if it does, who owns it.
If the answer is the Chief Digital Information Officer, consider whether the CDIO has operational authority over what clinical teams do on their wards. In most Trusts they do not. Service directors run clinical services. When a theatre scheduling team builds a spreadsheet rather than using an available platform, that is a decision made within a clinical directorate by people who report to a service director. The service director is already accountable for clinical safety, workforce risk, and operational performance. Shadow IT risk belongs in that same accountability structure.
If the risk sits with the digital team, service directors will treat it as someone else's problem. Their clinical teams will keep building local tools because the EPR does not do what they need, and service managers will quietly manage around the corporate systems rather than engage with any alternative.
Five questions for your next Board meeting
Does the Trust's risk register include the clinical safety and IG exposure from uncontrolled local data systems? If not, why not?
Has the board made it clear that shadow IT risk sits with service directors, not with the digital team?
Of the clinical workflows the Trust's operational platforms are designed to support, what proportion have actually migrated, and what proportion are still running on local spreadsheets?
What is the Trust's plan for rationalising its data estate, and has the board seen a business case?
How is the Trust preparing its data foundations for AI, and does the board understand the dependency between data standardisation and AI readiness?
Over to you
I would be interested to hear from anyone whose Trust has assessed this risk. What did you find? Did your board discuss it? Did anything change?
And if your Trust has not assessed it, how do you know it is not a problem?
Tom Bartlett spent 22 years in the NHS, including 15 years working with Trust boards as a senior data lead at Devon Partnership Trust and Oxleas NHS Foundation Trust, and latterly as Deputy Director of Data Engineering at NHS England.



Comments