Ask most Barbadians which national institutions hold the country’s most sensitive data, and the answers would likely converge on three: the Barbados Revenue Authority, the newly constituted Social Empowerment Agency, and the Queen Elizabeth Hospital, along with the national polyclinics by extension.
Given the recent announcement that the Queen Elizabeth Hospital is embarking on a fully integrated health information system, enabling clinicians to securely access and update patients’ digital medical records, I felt it was important to examine what such a transformation should look like from a data privacy and governance perspective.
This welcome advancement is expected to streamline hospital processes, strengthen clinical decision-making, and connect all areas of care, from the Accident and Emergency Department to outpatient clinics, with future integrated access potentially extending to private healthcare service providers. Chief Executive Officer of the QEH, Neil Clark, described the upgrade as “the biggest change the public will see to the healthcare system since it was built.”
I have publicly supported this initiative and continue to do so. Barbados cannot meaningfully move into the digital age while relying on fragmented paper-based systems. However, I have also raised what I believe is a shared national concern: ensuring that cybersecurity frameworks are not the only thing being considered and that equal attention is being given to governance, particularly data governance.
Too often governance is treated as either paperwork that comes before a project or compliance documents added after a system goes live. International best practice now approaches it very differently. Governance must be built into the project from the beginning, not something delegated entirely to IT after procurement has already taken place. This is commonly referred to as “privacy by design,” where governance, compliance, and patient protection are treated as core components of the programme, not legal checkboxes added afterwards.
The risk Barbados must avoid is building a modern digital healthcare platform while digitising inconsistency, weak controls, poor accountability, and bad data-handling practices at national scale.
So, what exactly does a Data Governance framework mean in the context of the QEH?
In simple terms, a Data Governance framework is a rulebook, approved by the Board of Management, that determines how patient and operational data is collected, accessed, shared, protected, stored, and ultimately disposed of across the healthcare system. It establishes who can see what information, under what circumstances, how long records should be retained, how data accuracy is maintained, and what accountability mechanisms exist if something goes wrong.
This becomes especially important given that the Barbados Data Protection Act 2019-29 already establishes many of the foundational legal obligations surrounding the processing of personal information. One such obligation is that the hospital must process personal information, including medical records, lawfully, fairly, and transparently, while also being able to demonstrate accountability for how that data is handled.
I honestly believe the hardest part of this transition will not be technical. It will be human. Behaviour, interaction, and staff training are often much harder to fix than technology itself. While the public conversation focuses on cybersecurity and ensuring that, God forbid, no external breach occurs, I am equally concerned about how casually sensitive information is sometimes handled internally.
During COVID-19, for example, an authorised family member attempting to collect medical records on behalf of another individual was stopped by security and incorrectly told he could not enter the clinic, but that the files would simply be brought out to him instead. More concerning was that a nurse then handed those files to the security guard, who had no authorised right to access or handle those records.
In a paper-based environment, incidents like these may affect a single file or a small number of individuals. But within an integrated EMR system, the scale of potential exposure changes dramatically. A poorly trained staff member, weak access controls, or casual attitudes towards sensitive information could unintentionally expose thousands of patient records across connected facilities in seconds.
That is why governance, policy enforcement, staff awareness, audit controls, and accountability mechanisms become just as important as firewalls and cybersecurity systems.
The QEH and connected healthcare providers must be able to justify why patient data is being collected, who has access to it, how it is being protected, and under what legal or operational authority that information may be shared across the healthcare ecosystem.
One key requirement under the legislation is the need for a Data Protection Impact Assessment (DPIA). A DPIA is a formal risk and impact assessment conducted before high-risk personal data processing activities are implemented. Its purpose is to identify how the proposed digitisation programme could affect the privacy, rights, and freedoms of patients and staff, while also ensuring that appropriate safeguards are built into the system before deployment.
I am in no way suggesting that this measure was skipped; I do not know whether it was. However, if properly conducted, a DPIA would have guided the digitisation programme towards the structured, risk-based approach that too many large-scale government projects fail to implement consistently.
It would have required project leaders to examine not only the technology itself, but also operational workflows, staff access levels, third-party vendor risks, data-sharing practices, retention and deletion procedures, breach notification processes, and the impact of misuse on patient privacy and public trust.
What would concrete assurance look like? At minimum: a named data protection representative with direct Board reporting, not buried under IT; documented access-control policies; mandatory staff privacy training; and tested breach-response procedures. These are the difference between a governance framework that exists on paper and one the public can actually see working.
None of this is hypothetical, and one instructive international example was not even a hacker incident. In 2021, the Italian data protection authority fined a local public health authority after a nurse contacted a patient using a number that the patient had specifically instructed should not be used for medical communication. No system was hacked. No database was breached. An authorised staff member bypassed a patient confidentiality instruction through a procedural lapse, and the institution itself was held accountable.
A patient’s instructions regarding their health information matter and institutions cannot allow routine workflow or convenience to override them.
It is similar to what occurred locally during COVID-19, except in the Italian case there was a regulator directly involved afterwards.
The real question Barbados must ask itself is what happens when the next such lapse occurs inside a national EMR system, where the same casual handoff no longer affects one paper file but potentially thousands of interconnected records across multiple facilities, and whether the governance structures exist to respond to it.
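The two lapses described above, the file handed to a security guard and the nurse calling a number the patient had said not to use, are both failures that a system built with privacy by design can refuse to carry out rather than leaving to staff discretion. The following is an added illustration, not code from the column or from any QEH system: a small policy layer that checks a user's role and documented purpose before releasing a record, checks a patient's own contact instructions before a number is used, and writes every decision, permitted or denied, to an audit trail that governance staff can review. All roles, identifiers and phone numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role policy: only these roles may read clinical records
# or contact patients about their care.
RECORD_READ_ROLES = {"clinician", "nurse", "records_clerk"}


@dataclass
class Patient:
    patient_id: str
    phone_numbers: dict                           # label -> number the patient supplied
    do_not_use: set = field(default_factory=set)  # numbers the patient said must not be used


@dataclass
class Decision:
    allowed: bool
    reason: str


class PolicyEngine:
    """Makes access and contact decisions and records every one of them."""

    def __init__(self):
        self.audit_log = []

    def _audit(self, actor, role, action, patient_id, decision):
        # Every decision is logged, including permitted ones, so that later
        # review can answer "who saw what, when, and why".
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "patient_id": patient_id, "allowed": decision.allowed,
            "reason": decision.reason,
        })

    def read_record(self, actor, role, patient, purpose):
        if role not in RECORD_READ_ROLES:
            d = Decision(False, f"role '{role}' may not access clinical records")
        elif not purpose.strip():
            d = Decision(False, "no documented purpose for access")
        else:
            d = Decision(True, "role permitted and purpose recorded")
        self._audit(actor, role, "read_record", patient.patient_id, d)
        return d

    def contact_patient(self, actor, role, patient, number, purpose):
        if role not in RECORD_READ_ROLES:
            d = Decision(False, f"role '{role}' may not contact patients about care")
        elif not purpose.strip():
            d = Decision(False, "no documented purpose for contact")
        elif number in patient.do_not_use:
            # The patient's instruction overrides workflow convenience.
            d = Decision(False, "patient instructed this number must not be used")
        elif number not in patient.phone_numbers.values():
            d = Decision(False, "number is not one the patient supplied")
        else:
            d = Decision(True, "contact permitted on a patient-approved number")
        self._audit(actor, role, "contact_patient", patient.patient_id, d)
        return d

    def denied_events(self):
        """Denied attempts are the events a data protection officer reviews first."""
        return [e for e in self.audit_log if not e["allowed"]]


def run_scenarios():
    """Constructed scenarios mirroring the two lapses discussed in the column."""
    engine = PolicyEngine()
    patient = Patient(
        patient_id="P-0001",  # constructed identifier
        phone_numbers={"mobile": "246-555-0100", "work": "246-555-0199"},
        do_not_use={"246-555-0199"},  # patient asked that the work number never be used
    )
    results = {
        # A security guard is handed a file: not a role that may access records.
        "guard_reads_file": engine.read_record("guard-07", "security", patient, "collection"),
        # A nurse with a documented purpose is permitted, but still logged.
        "nurse_reads_file": engine.read_record("nurse-12", "nurse", patient, "discharge summary"),
        # The nurse phones the number the patient said not to use.
        "nurse_calls_work": engine.contact_patient("nurse-12", "nurse", patient, "246-555-0199", "appointment"),
        # The same call on the approved mobile number.
        "nurse_calls_mobile": engine.contact_patient("nurse-12", "nurse", patient, "246-555-0100", "appointment"),
    }
    return engine, results


if __name__ == "__main__":
    engine, results = run_scenarios()
    for name, decision in results.items():
        print(f"{name}: {'ALLOWED' if decision.allowed else 'DENIED'} ({decision.reason})")
    print(f"{len(engine.denied_events())} denied event(s) recorded for review")
```

The point of the design is that the guard's access and the call to the blocked number are refused by the system itself, and both refusals remain in the audit trail, so the institution can show a regulator what happened and who attempted it, rather than discovering the lapse only when a patient complains.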
This initiative is a necessary part of Barbados’ digital transformation if the country is to move meaningfully into the digital age, but it must be delivered with the structured and risk-based discipline the public deserves. International headlines are filled with hospitals being held ransom after cyberattacks. But it would be no less shameful if Barbadian patient records were exposed not by a hacker, but through carelessness by the very people entrusted to protect them.
Steven Williams is the executive director of Sunisle Technology Solutions and the principal consultant at Data Privacy and Management Advisory Services. He is a former IT advisor to the Government’s Law Review Commission, focusing on the draft Cybercrime Bill. He holds an MBA from the University of Durham and is certified as a chief information security officer by the EC Council and as a data protection officer by the Professional Evaluation and Certification Board (PECB). Steven can be reached at Mobile: 246-233-0090; Email: steven@dataprivacy.bb
The post The human risk in QEH’s digital revolution appeared first on Barbados Today.
