Whistleblower raises alarm over UK Nursing and Midwifery Council's DB

Regulatory body insists it's on 'a journey of improvement'

Updated Exclusive The UK Information Commissioner's Office has received a complaint detailing the mismanagement of personal data at the Nursing and Midwifery Council (NMC), the regulator that oversees worker registration.

Employment as a nurse or midwife depends on enrolment with the NMC in the UK. According to whistleblower evidence seen by The Register, the databases on which the personal information is held lack rudimentary technical standards and practices.

The NMC said its data was secure with a high level of quality, allowing it to fulfil its regulatory role, although it was on "a journey of improvement."

But without basic documentation, or the primary keys or foreign keys common in database management, the Microsoft SQL Server databases – holding information about 800,000 registered professionals – are difficult to query and manage, making assurances on governance nearly impossible, the whistleblower told us.

The databases have no version control systems. Important fields for identifying individuals were used inconsistently – for example, containing junk data, test data, or null data.

Although the tech team used workarounds to compensate for the lack of basic technical standards, they were ad hoc and known by only a handful of individuals, creating business continuity risks should they leave the organization, according to the whistleblower.

Despite having been warned of the issues of basic technical practice internally, the NMC failed to acknowledge the problems. Only after exhausting other avenues did the whistleblower raise concern externally with the ICO and The Register.

The NMC stores sensitive data on behalf of the professionals that it registers, including gender, sexual orientation, gender identity, ethnicity and nationality, disability details, marital status, as well as other personal information.

The current UK law for data protection – it is being updated – comes under the Data Protection Act 2018, which incorporates the EU's General Data Protection Regulation (GDPR) as UK GDPR.

Under GDPR, personal information should be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."

The whistleblower's complaint claims the NMC falls well short of these standards. The statement alleges that the NMC's "data management and data retrieval practices were completely unacceptable."

"There is not even much by way of internal structure of the databases for self-documentation, such as primary keys, foreign keys (with a few honourable exceptions), check constraints and table constraints. Even fields that should not be null are nullable. This is frankly astonishing and not the practice of a mature, professional organisation," the statement says.

For example, the databases contain a unique ten-digit number (or PRN) to identify individuals registered to the NMC. However, the fields for PRNs sometimes contain individuals' names, start with a letter or other invalid data, or are simply null.

The whistleblower's complaint says that the PRN problem, and other database design deficiencies, meant that it was nearly impossible to produce "accurate, correct, business critical reports … because frankly no one knows where the correct data is to be found."

In a statement to The Register, Tom Moore, chief information officer at the NMC, said: "The integrity of our register is of paramount importance to us. Our records of all registered nurses, midwives and nursing associates are held securely with a high level of data quality. This enables us to fulfil our regulatory role and protect the public.

"When it comes to the systems we use to analyse and report on our data, we're on a journey of improvement. Work remains actively under way in this area, including moving away from older technologies. This will allow us to better generate insight from our regulatory activities."

The NMC told us it has measures for protecting personal data which are subject to scrutiny by internal audit partners.

The ICO confirmed to us it has received the whistleblower complaint about the NMC. ®

Updated at 1512 UTC on March 22, 2024, to add

Following publication of this article, a spokesperson for the NMC said its register was "organised and documented" in a Microsoft SQL Server database.

They added the NMC had listened to and investigated the whistleblower's concerns and "provided them with a summary of our findings."

"For clarity, the register of all our nurses, midwives and nursing practitioners is held within Dynamics 365 which is our system of record," the spinner continued. "This solution and the data held within it, is secure and well documented. It does not rely on any SQL database. The SQL database referenced by the whistleblower relates to our data warehouse which we are in the process of modernizing as previously shared."

More about


Send us news

Other stories you might like