By GEOFF NAIRN

(Published in the Financial Times on November 26, 2009. Read the original here.)

Like modern-day alchemists, organisations are urged to invest in business intelligence systems to transform raw data into valuable information and, hopefully, actionable insight.

But as the amount and variety of sources of business information have grown, so too have the rules and regulations that seek to restrict how that information is used.

Information compliance and governance issues are most onerous in financial services and healthcare sectors which are subject to particularly strict data protection regulations. But across all industries, the regulatory burden has increased in recent times.

“We have seen more than 40 new regulations that have come into effect in the last 12 months,” says Mike Lynch, CEO of Autonomy, the UK specialist in information management software.

In the past, organisations could often afford to take a cavalier attitude to their data. Enforcement of the rules was lax and those overstepping the fuzzy line could plead ignorance and get off with a light fine.

But legislation such as the Data Protection Act in the UK, and Sarbanes Oxley in the US has changed the face of corporate governance. Senior executives are now personally liable for infringements to data handling and data protection laws. Ignorance is no longer an excuse.

“What has changed recently is that there have been a number of high-profile data losses. The penalties for not getting it right have become much more stringent,” says Andy Vernon, business intelligence specialist at PA Consulting Group.

Fearful of draconian penalties for non-compliance, businesses may be tempted to lock away or even delete sensitive data to ensure they never fall into the wrong hands. But such attitudes reveal a fundamental misunderstanding about what compliance means.

“Most regulations are not designed to prohibit the use of the data but require you to preserve them and that creates a big information management challenge,” says Robert Tennant, CEO of Recommind, a US specialist in information risk management.

Industry experts argues that it is possible to strike a balance between the need to protect sensitive data and the desire to unlock greater value from that same data using technologies such as business intelligence.

There isn’t really a compliance issue around BI, ” says Matt Leighton chief architect for BI at Logicalis, the IT services firm.

“The issue is more about deciding who I want to gain access to the information and implementing the appropriate policies.”

Nevertheless, there is some evidence that the fear of overstepping compliance boundaries, warranted or not, is holding back IT initiatives, particularly in industries such as financial services and healthcare.

In the US healthcare sector, for example, a recent academic study concluded that the laws designed to protect patients’ data could be restraining the adoption of electronic medical record (EMR) systems.

The widespread use of EMR technology is seen as key to creating a more efficient US healthcare system.

As part of President Obama’s stimulus package, The Health Information Technology for Economic and Clinical Health (Hitech) Act earmarks $20bn for the creation of a nationwide electronic healthcare records system.

As well as eliminating inefficiencies and errors associated with paper-based records, EMR systems allows patient data to be aggregated and mined to spot trends — an increase in side effects when coronary patients are switched to a new drug, for example.

But researchers at the Massachusetts Institute of Technology and the University of Virginia found some hospitals were wary about exchanging data with hospitals in other states because of complex patient privacy laws.

The researchers found that states that made it easier to exchange patient data experienced a 21 percent gain in hospital EMR adoption rates compared with just an 11 percent gain in states with more restrictive laws.

The Health Insurance Portability and Accountability Act (Hipaa) is the principal law governing patient data in the US. But it is a federal law and allows the privacy laws of individual states to take precedence if they are stricter.

This “pre-emption” clause makes healthcare IT professionals understandably nervous about sending patient data across state lines particularly to litigation-happy states.

To complicate the legal framework further, the Hitech Act brings fresh rules designed to strengthen Hipaa — preventing confidential patient data from being sold commercially, for example. The law came into effect earlier this year but many of its rules and provisions have yet to be implemented.

This spiralling mass of legislation in this area is designed to address growing unease in the US about the way patient data is being used for non-medical purposes.

In 2007, the UCSF Medical Centre in San Francisco admitted that it had shared information on more than 6,000 patients with Target America, a data mining company with a database of 7m wealthy individuals.

By comparing its patient records with Target America’s list, the hospital wanted to identify wealthy patients who could be approached for donations.

Surprisingly, perhaps, Hipaa allows healthcare providers to disclose protected health information to commercial organisations providing they have a contract describing permitted uses and safeguards.

In this case, Target America’s safeguards failed. The patient data ended up on the internet and the breach was not discovered until three months later.

The UCSF case illustrates the dangers of using personal data in a business intelligence context.

Nevertheless, with appropriate safeguards and procedures, healthcare IT experts say is possible to overcome the compliance hurdles and extract valuable information from patient data that would otherwise remain hidden.

NHS Islington, the public healthcare provider for north London, is developing a business intelligence system to identify high-risk patients before they have to be rushed to hospital, so saving money and, hopefully lives.

The system uses open-source BI technology from US vendor Pentaho to mine the medical records of around 195,000 citizens.

“The system is looking for 70 risk factors that increase the chance of an emergency admission,” explains Ian Tritschler, associate director of IT at NHS Islington.

The system combines data from hospital admissions with the medical records that general practitioners hold in their surgeries.

Prior to using the Pentaho system, NHS Islington developed a similar BI application using just the data from hospital admissions. But they realised that it was only picking up a limited range of patients — some people are notoriously reluctant to go to hospital until it is too late

The current system incorporates GP data as well, thus catching more people its net and also building a more complete medical history of each patient.

Mr Tritschler says the system is a relatively simple BI application. “The same data testing approach could be used to identify who is most likely to purchase a brand of washing powder. The technology is the same.”

Nevertheless, because the data involved are patient records, the project had to be designed from the outset to meet exacting compliance considerations.

“We had to get the agreement from each of the GPs to use their patient information and the data are stored on a dedicated server,” he says.

Instead of names, social security numbers are used to identify each patient and only one person, trained in compliance procedures, is authorised to process the data.

Most would accept the need for stringent procedures to protect medical data. But many organisations are reluctant to apply similar principles to their personnel records or customer data.

For example, many call centres have software to identify and pop up customer data on the agent’s screen. In the US this information may include the social security number, which is a potential breach of privacy laws, according to Francis Corden, founder of OpenSpan, a US firm that makes compliance applications.

His company’s software can obscure sensitive information in “legacy” call centre applications and also prevent voice recording systems, whose use is obligatory in many call centres, from recording personal data.

Not surprisingly, IT vendors argue that the compliance problems created by legacy systems are best addressed by modernising IT systems. But for those whose budget won’t stretch to a major overhaul, there are often other ways to address the problem.

Take the example of a business that wants to see how well a product is selling in a particular town. For this purpose, the BI application does not need customers’ names or even full addresses.

Customer account numbers and the first few letters of their postcode — enough to identify the town but not the street — would be sufficient and reduce the chance of the company potentially breaching data privacy laws.