Health service employees and information security policies: an uneasy partnership?
Purpose ‐ The purpose of this paper is to investigate how employees in a health board perceived and experienced information governance policies. Design/methodology/approach ‐ The approach was interpretive. A series of interviews was carried out and the transcripts
were analysed using an interpretative phenomenological approach. Findings ‐ The authors discovered that staff often felt subjugated by policies, they experienced a lack of support, and experienced pressure to comply and to motivate the staff they managed to comply with policy
directives. It was also obvious that all interviewees were highly motivated and concerned about information security. The authors conclude by proposing some mediation: a recognition and reward scheme to reward secure behaviour, the implementation of an incident response process, facilitated
upward communication and development of a security culture in the organisation. Finally, the authors argue for the same rules to apply to all staff, so that procedures are fair, and seen to be so. Practical implications ‐ The authors make some recommendations for mediation, which
should ensure that employees experience less pressure in complying with policy directives. Social implications ‐ If the authors' recommendations are followed, information security is bound to improve, which would be an outcome greatly to be desired. Originality/value ‐
This paper empirically confirms recommendations made by other researchers working in this area.