An LDI Session that Unfolded like a Netflix Thriller: Notes from RelFest London
Author: LDI Team
An elderly patient at Meridian Vale, an NHS trust*, complains to the doctors that his pain medication is not working. The previous night, CCTV footage showed a night nurse next to a cabinet where controlled drugs are kept even though she was not assigned to that part of the ward. The nurse was also found searching through health records of a well-known sportsman who'd been admitted after an accident last month. The ward matron** sends a panicked email to his colleagues, recounting everything that has transpired and seeking their counsel on what he should do next.
The plot has the gripping power of a Harlan Coben thriller set in the hidden underbelly of a busy hospital in the UK. But it was not a Netflix watch party that brought attendees to the LDI session at RelFest. The subject of the session was the ward matron's email, blown up on the projector screen for everyone to see.
Like the fictitious Meridian Vale, this email, too, was fiction, a piece of synthetic data created using Seedless, an AI tool used for creating simulated data. At the session titled "Legal Data Intelligence at the Core of Personal Development, Client Impact, and Business Strategy," the email was used as a live exercise to demonstrate how the same piece of data can trigger different types of legal obligations.
In this blog post, we look at key takeaways and teachable moments from the LDI Architects who presented this session — Melina Efstathiou, managing director, Legal Data Intelligence, Grant Thornton, U.K.; Mark Anderson, managing director, EMEA, Complete Discovery Source; and Linda Sheehan, executive and head of intelligENS, ENS.
One Email, Multiple Obligations

Over the course of the session, the panelists analyzed how the same email could be relevant for different reasons across different contexts: an internal investigation, a data breach response, a data subject access request, litigation and dispute resolution, and more.
For the purposes of this blog post, we will focus on only three of the six situations that were explored in the session at RelFest London.
Internal Investigation

The email has all the attributes to spur an internal investigation. Over the last six weeks, the official record book for "controlled drugs" (highly regulated, addictive medications like oxycodone and morphine) on Ward 7 has not balanced on three separate nights. This means the physical amount of medication in the cabinet does not match what is written in the logbook. Each entry in the book requires two nurses to sign: one administering the dose, one witnessing it. On at least two of those nights, the second signature appears to have been made by the night nurse, albeit with a different pen. That same nurse was also caught on CCTV by the drug cabinet on a night in an area of the ward that was not assigned to her. And on that same night, a patient on the ward told the day team his pain relief "did nothing," even though his chart shows that a full dose was given to him.
Data Breach Response

The same email also tells a separate story. Lying in the middle of the email is a brief aside: it reveals how the accused has been pulling up patient records that she is not permitted to view. On at least two nights, she opened the file of a high-profile patient, a footballer admitted after a crash, who is not her patient. That is tantamount to a data breach.
It is a separate matter with a separate workflow, entailing a shorter turnaround for resolution than the internal investigation.
Data Subject Access Request

The email contains personal information about a number of people, and a note about a separate request for information, making it relevant for a data subject access request.
It contains personal data about the accused nurse: her staff ID, her divorce, and the author's own speculation that she may have "a problem" herself. It names the elderly patient, Harold Whitmore, alongside his NHS number, date of birth, and bed number. It also refers, obliquely, to a high-profile footballer who could be identified from context. Plus, it mentions the whistleblower's fears about being identified, and the junior nurses the email's author admits speaking to.
Becoming Proactive: Using LDI as a Framework
As the exercise demonstrated, a single email can contain sensitive, useful, or necessary (SUN) data for a variety of issues for entirely different reasons. In these situations, the Legal Data Intelligence model is instructive.
“It's a lovely cheat sheet if you're on a scoping call with a client for an internal investigation, and it becomes apparent there was a related data breach, but actually it's not your world. You can just go to the LDI website, check out the LDI model for Data Breach Response, and quickly flag the initial steps to immediately action, and the stakeholders you need to enlist for support, whilst on the call," said Sheehan.
Efstathiou sees the LDI practitioner as someone who can see data from multiple contexts and proactively flag risks even when they are unrelated to the specific matter that they are dealing with or their area of specialization. "In this day and age, you cannot work from a silo. If you are looking at the data for an internal investigation, you don't need to be a data privacy specialist to flag that the same data could be relevant in a data subject access request. At the very least, you will be expected to alert your client and the right stakeholder. This is where the LDI model is so useful. It gives you a vocabulary and holistic framework to effectively communicate that to them."
The DSAR example, Efstathiou noted, illustrates the point precisely. Pre-identifying potentially relevant documents before a DSAR formally lands is always a plus. "No one is going to tell you, 'Why did you come to me earlier and get this to my attention?'"
Indeed, thinking ahead and acting with more foresight will not only reduce the burden on clients so that they are not re-collecting the same data, but it also enables legal teams to proactively address multiple risks associated with the same data.
The Need for an Interoperable Skillset
Being able to visualize a data flow is one skill. Translating it into a defensible legal life cycle by applying sound legal judgment is another.
Legal knowledge and technical competency, said Efstathiou, cannot be mutually exclusive if the goal is to offer strategic advice. "Very few lawyers are also technical experts. You need to marry the two skills. And if you can't, you need to enlist the help of people who will fill that skills gap for you."
A Common Vocabulary to Drive the Conversation Forward
For most of his career, Anderson said, practitioners worked without shared reference points. "We were constantly innovating, coming up with our own internal workflows." Every firm had its own way of doing things. Best practices were proprietary, held in the heads of individuals, and rarely transferable.
LDI supports a more collaborative approach. "Now we're at a place where we can start having those conversations without relying on people's internal knowledge and individual firms' best practices. We can start driving that conversation, all singing from the same hymn sheet."
The legal industry is beginning to note the vital role that Legal Data Intelligence can play in empowering legal teams to take control of data. IDC recently published a perspective titled "Transform the Legal Function by Embracing Legal Data Intelligence", which examines this in detail. Check out the report here.
*An NHS trust is an organizational unit within the UK's National Health Service that provides health care services.
**A ward matron is an experienced registered nurse who manages nursing staff and clinical operations across one or more hospital wards.