top of page
Search

Parliament knows. The regulators know. The professional bodies know. No Trust board has acted.

  • Writer: Tom Bartlett
    Tom Bartlett
  • 11 hours ago
  • 6 min read

I wrote recently about the patient safety risk from ungoverned clinical information tools in NHS Trusts: the spreadsheets, whiteboards, and paper trackers that clinical teams depend on because formal systems do not support how they work. The response confirmed that the problem resonates with anyone who has been on a ward. But the question it raised, whether any Trust board has governed this risk, leads to a harder one: if the evidence has existed for a decade, why has no one acted?


The evidence has not been hiding. It has been published, debated, and responded to by government at every level. What it has not done is change anything at Trust board level.


A decade of warnings


In May 2020, the NAO found the NHS had a "poor track record" for digital transformation, with local organisations facing "outdated IT systems that do not connect to other systems."

In February 2023, Parliament's own Expert Panel rated the government's progress on digitising the NHS as "inadequate." They found interoperability between systems was a persistent problem, "making it difficult for all parts of the system to communicate effectively, leading to delays and efficiency losses." They warned that an over-emphasis on hospital systems was leaving mental health and community services behind.


In March 2024, the Expert Panel rated government progress on implementing patient safety recommendations as "requires improvement." Only 70% of Trusts had implemented the new Learn From Patient Safety Events system. Nine years after some recommendations were accepted, implementation was still incomplete.


In December 2025, the Health and Social Care Committee found that "digital integration has been a persistent challenge" in community mental health, with "the lack of shared care records and data-sharing agreements" hindering collaboration and evaluation.


In November 2025, HSSIB published a thematic review of patient safety issues associated with EPR systems, finding persistent risks from limited collaboration between digital and clinical teams.


University Hospital Southampton, designated a Global Digital Exemplar and one of the most digitally advanced Trusts in England, deployed a new emergency department system in October 2025 to replace what had been a paper-based ED that was losing patient notes. If a Trust at the top of the digital maturity scale was running its emergency department on paper until eight months ago, the scale of the problem elsewhere requires no imagination.


The same problems, found again and again


In June 2026, the Ockenden review into Nottingham University Hospitals found governance failures that had been known since 2015. Six external reviews over seven years were all highly critical. Improvements were "often incomplete, delayed or unsustained." The Board Assurance Framework "did not clearly define how responsibilities were enacted below Board level." Risk registers "did not accurately reflect the Service's risk profile."


Days later, Baroness Amos published the final report of the Independent National Maternity and Neonatal Investigation, examining 12 Trusts and hearing from over 450 families. She found the maternity system "no longer fit to consistently deliver high-quality, compassionate care" and identified fragmented systems and outdated digital infrastructure as key themes.


The 2026 Nottingham review is not the first time Ockenden has documented these failures. Her 2022 review of Shrewsbury and Telford Hospital found similar problems in a completely different Trust. Two investigations, two different hospitals, the same pattern. The system does not lack evidence of what is wrong. It lacks a mechanism for turning evidence into safer care.


Layla Moran, chair of the Health and Social Care Select Committee, said: "After so many reports on failing maternity services, this must be the last. We must now turn the recommendations into reality, not allow them to gather dust like so many reports before."


The Royal College of Midwives has called for ringfenced investment in interoperable IT systems. The RCGP has identified fragmented technology as a driver of hidden GP workload. Every professional body that has looked at this has reached the same conclusion.


The cost of not governing this risk is already being paid. EPUT is spending £30m on a public inquiry into over 2,000 mental health inpatient deaths. Nottingham University Hospitals has been subject to years of investigation. Twelve Trusts are under review by Baroness Amos. These inquiries will examine what was known, by whom, and whether information reached the right person at the right time. Those are the same questions that a shadow IT audit would have asked proactively, at a fraction of the cost, before the harm occurred.


The framing that keeps the risk invisible


In 2016, CQC visited 60 healthcare settings and found staff building workarounds to deliver patient care because formal systems did not meet their needs, especially in emergency settings. But even CQC framed the finding as a data security issue and recommended boards take ownership of data security. The clinical safety dimension, that patients were being managed on ungoverned tools with no audit trail, no validation, and no backup, was not addressed.


The governance response followed the security framing: Trusts govern data through IG policies and the Data Security and Protection Toolkit, while the clinical risk from the tools themselves remains invisible to the board. Framing clinical risk as a data security issue makes it seem like a compliance obligation rather than a patient safety priority, easy to delegate to the IG team and easy to deprioritise against the urgent clinical pressures that every Trust faces every day. That framing has held for ten years. The risk has been governed as an IG problem. The patients have experienced it as a safety problem. The two have never been connected at board level.


The political debate that misses the point


The current political debate around NHS data and technology is focused almost entirely on procurement, supplier identity, and contract management. This week's headlines concern whether a specific technology contract should be continued or cancelled. Whatever the merits of that debate, it is taking place without any reference to the clinical risk that the technology was commissioned to address. Whichever direction the political decision goes, the spreadsheets on the wards, the whiteboards in the handover rooms, and the paper trackers in the nurses' pockets will still be there the following morning. The political conversation is about who provides the platform. The patient safety conversation, which is not happening, is about what happens without one.


What has not changed


With a decade of evidence from Parliament, regulators, professional bodies, coroners, and independent reviewers, the question is what Trust boards have done in response. Has any Trust audited the locally developed tools its clinical teams depend on? Has any Trust put this category of risk on its Board Assurance Framework? Can any Trust search its incident reporting system for patient safety events related to ungoverned clinical information tools? Has any Trust assigned accountability for this risk to the service directors who run the clinical services where these tools are built and used?


I have spent 22 years working in and with NHS Trusts. I have never seen a Trust that could answer yes to any of those questions. If yours can, I would welcome hearing from you.


What would a solution look like?

I am asking this as a genuine question, and I would welcome responses from anyone working in this space.


First, visibility. Boards cannot govern a risk they cannot see. Every Trust needs a mechanism to identify what locally developed tools are in use across its clinical services, what patient data they hold, and what clinical decisions depend on them.


Second, accountability. The risk sits in clinical directorates, not in the digital function. Service directors are already accountable for clinical safety, workforce risk, and operational performance. This risk belongs in that same structure.


Third, alternatives. Clinicians build workarounds because formal systems do not meet their needs. Any solution must include platforms and tools that serve the clinical workflow at the point of care, that clinicians can shape for their own services, and that provide the operational data they need without requiring them to build it themselves.


Fourth, an incident reporting taxonomy that can learn. If the NHS cannot search its incident data for events related to locally developed tools, it cannot identify patterns, it cannot quantify the risk, and it cannot learn from what goes wrong. A single change to the incident reporting taxonomy would create the data feed that connects patient safety to clinical information governance.


The decade of evidence is there. The governance response is what is missing. I would be interested to hear from anyone who has found a way to close that gap.


Tom Bartlett spent 22 years in the NHS, including 15 years working with Trust Boards as a head of data at Devon Partnership Trust and Oxleas NHS Foundation Trust, and latterly as Deputy Director of Data Engineering at NHS England.

Comments


© 2026 Bartlett Data Ltd.

bottom of page