Everyone deserves privacy, and everyone deserves medical privacy.
Whomever you are, Princess of Wales or not, you have the right to know where and when your records have been accessed, and in being able to see that those accesses were legitimate – and for action to be taken if they were not. As events have shown, the princess had access to her records monitored for abuses, the NHS won’t let you do that. The ‘Department of Health in England’ (NHS England) could tell you, but they don’t want to; doctors have been struck off for accessing records inappropriately, but abuse is far more common than punishment.
At the start of the 2019-2024 Parliament, we had no idea if mRNA worked at scale, and no real idea how to find out safely. A pandemic intervened, and we figured it out. At the end of the Parliament, trials to detect and cure cancers using mRNA seem promising and could revolutionise treatment (and the NHS budget) over the term of the next Parliament – if done properly.
The outgoing Government’s choice to implement the recommendations of the Cass Review within hours shows that care choices can and are being politicised, with criminal penalties being created so very quickly. If only the independent Windrush Review, the many safe staffing reports, or conclusions on Grenfell had been so rapidly adopted by Ministers. The Cass Review will now undergo the slow, meticulous process of academic peer review – assessing the choices made, and seeing which parts demonstrate rigour and which show cherry picking, misunderstanding, or simply prior policy beliefs masquerading as independent impartial evidence.
Whether the HDR / Sudlow Review will ever be published is unclear, but – if it is – any narrow evidence base and distortions that favour HDR UK’s own institutional policies will enter that same process of scrutiny and assessment which HDR does its best to avoid when nudging funding decisions to cronies. It is entirely possible to write a report focussing only on the subset of reality that is convenient to the institutional culture towards which you want to steer cash; permanently attaching your name and reputation to a temporary star is, however, a choice that remains fixed as time moves on, and temporary incongruences have been resolved. Career priorities are political.
The Department of Health in England would prefer to control a single consolidated record of every health ‘event’ in your entire medical history – including things like copies of readings from the sensors on your smartphone and smartwatch (see Annex 8 of our UC work) – and to make them available not only to anyone in the NHS but to any private provider, to do with as they see fit.
“Pharmacy First” can diagnose you with a UTI, prescribe accordingly, and then write that to your NHS record; DH policy imperatives show they believe a private GP doing the same thing is no different. But if you receive a diagnosis of ADHD or gender dysphoria that fulfils all NHS criteria, why does that not become an NHS diagnosis in the same way? Why does the system oblige your family doctor to follow some non-NHS diagnoses, but seek to criminally punish them for others?
(As an aside, allowing people to write arbitrary diagnoses into arbitrary records provides a system-wide ability for any rogue doctor to write anything they choose into a record – giving the Minister of the day, for example, SNOMED code 247667002 or 247670003. And of course, once entered into an NHS record, “diagnoses” are supposedly impossible to remove…)
The politicisation of care has become utterly incoherent. Things will eventually be resolved, but the real question is how many serious harms there will be in the interim.
Sustainability of data decisions
Sustainable decision structures are those which can exist for the longer term – and in which any individual decision is secondary to the process continuing. Where organisations aren’t disinvited from the process for giving private critiques or briefing Parliamentary Select Committees. (The culture of Paula Vennells is not unique to the Post Office.) And while imposition of a contract or rules is an emergency act, institutional ignorance is a temporary choice. It may feel easier to engage only with those who agree with you – something the ideologies of the outgoing Government made a policy goal – but what is temporary will eventually end.
Whatever happens with NHS data it must be stable to survive. Every important stakeholder must have what it needs, which may not be what it wants. NHS England wants to do analyses; GPs need confidence and clarity in their responsibilities to all patients; interested patients need trustworthiness and dissent; researchers need to be able to do research ethically.
OpenSAFELY and Palantir are both tools; how the tech will be used remains unclear.
If the Department of Health in England were being honest, the public narrative of the ‘Federated Data Platform’ in Palantir and the NHS App would be that they are, in their view, the future of NHS care. If an algorithm running in Palantir and displayed in the App says No, then you won’t get NHS care – in exactly the same way as when the A-Level algorithm said No in 2020, students didn’t get their University places.
Culture of Coverups
The internal culture of NHS England has barely changed since the care.data debacle in 2014. That shouldn’t be a surprise, as it’s largely the same people doing the same jobs – and their ongoing actions suggest they have learned very little in the past decade. It is a common argument around Government that the civil service does churn too much, but perhaps lack of churn has harms too…
While the faces remain the same, the culture of the current “new NHS England” (aka the Department of Health in England, as NHSE has de facto seniority over policy staff) has degraded to the level of trustworthiness and integrity demonstrated by the Boris Johnson administration, while the current power structures were last defined by Matt Hancock’s DHSC.
The Department of Health in England takes reckless risks on your behalf without you even knowing. And UK Biobank and Our Future Health have evolved in that culture – the NHS England form to buy patient data is around 30 pages long; the biobank form is less than four pages long. There is no way that could cover everything required, but they have made the calculation that investing in PR and bluster will be more successful with Government and the Department of Health in England than offering real substance and evidence. Indeed, that approach clearly has worked for biobank and HDRUK under the outgoing Government. But all Governments end.
No Privacy, No Transparency, No Trust
Information such as service performance, which NHS Digital (RIP) proudly published proactively, is now routinely covered up and FOI requests are only answered after complaints to the ICO about stonewalling and non-response. “Transparency” may be something the new NHS England says – it is demonstrably not what it does.
Since the absorbtion of NHS Digital, the so-called ‘Privacy, Transparency, and Trust’ group is where NHS England dumps these vital issues in order that the rest of the organisation can ignore them, and so that group can focus on how to avoid them. The only outputs are performative statements – rather than building a trustworthy organisation that is worthy of public confidence, by demonstrating trustworthiness.
That this is the case is best demonstrated by the Department of Health in England’s sustained incoherence around a patient’s legal rights to object to unnecessary data processing. And their complete lack of interest in telling you where and when your medical record has been accessed.
Every NHS GP record is now supposed to be accessible in every pharmacy in the country, via a service called “Pharmacy First”. But you will have no idea if someone has accessed your GP record – let alone if that was a legitimate access, or one where your stalker or creepy bad date was ‘going fishing’ – entirely because the Department of Health in England refuses to tell you. Until recently, pharmacy staff could only read records. Now they can write a diagnosis into your record and, if they do, it’s almost impossible for you to know that it happened, or to challenge or have it removed. MPs (rightly) changed the law to allow the removal of malicious child safety reports, but that’s just the tip of the iceberg.
If your GP uses TPP/SystmOnline you may have access to an “online audit”, but this is not available in the supposedly “main” NHS App. Despite this audit trail being a contractual requirement imposed by NHS England, they never implemented it for you. Its actions demonstrate that the Department of Health in England believes they, not your GP, should decide what your GP can tell you about your health, what medical care they can provide, and which organisations can buy the personal data in your health records.
While patients should be able to see the correspondence about them, the reckless imposition of this by the Department of Health in England pushed all of the risks onto the patient and GP. It may be clinically essential for a letter between clinicians about genomics involving family risk to mention that the patient is adopted; but surprise! An entirely benign letter about a child can disclose that an investigation is underway simply by implicit reference to documents a potential abuser can’t see. The Department of Health in England’s view is that ‘This is not our problem’, and they adopt the same approach and attitude time and again – such as with the form that allows anyone to register with a new GP from anywhere, which can be weaponised by abusers.
As time goes on, various “national services” will interpose “national” goals between you and your family doctor, and the care they provide you. Is this really the NHS you want?
Being seen to Respect Patient Choice
The opt out for secondary uses of your health data exists; the opt out for Shared Care Records is a ‘postcode lottery’ – making promises to patients that others in the NHS believe don’t apply to them when they copy the data again and again.
When it comes to data use for purposes beyond your direct care, the Department of Health in England still believes that no opt outs should apply to them, even while saying opt outs that clearly do apply in law are via mechanisms that they simultaneously ignore. No process involving NHS England ‘Privacy, Transparency, and Trust’ (PTT) can be considered trustworthy in the current setup. That’s not to say that every outcome is always wrong – but outcomes are self-evidently incoherent, and disconnected from the processes supposedly creating them.
Even the Tony Blair Institute recognises that the current opt out process is punitive and destructive. medConfidential always said that it should be as easy to opt in as it is to opt out (and vice versa) so we agree on that. While the current process may be used to opt both ways, it’s still punitive – especially if you have dependent children living at home. TBI, however, prefers the intrusive power of the state be used to support its goals – and it is notable that Mr Blair’s proposals for the sale of NHS patients’ data don’t appear to have been implemented in any of the dictatorships he advises.
Claims from TBI and from the Department of Health in England about what Palantir will do for direct care – the care that is delivered by hospitals and GPs, not by centralised computer systems – are completely disconnected from the reality of NHS systems that already exist, and that work, and that are both used well and abused badly. Meanwhile, NHS England has covered up the Data Protection Impact Assessment for its Federated Data Platform, allowing FDP to launch without publication during the (local) election period, because the text says that public claims made previously about FDP being ‘for direct care only’ were abandoned before FDP launch.
The (first) Goldacre Review in 2022 was clear that the risks of the current use and misuse of patient data are an “emergency” – and “not a new emergency” – and yet, as back in the Kelsey years, the Department of Health in England is still hoping things will go wrong on someone else’s watch.
The outgoing Government may have had one success in that Review; the new Government could choose to announce in its first weeks that, retroactive to the date of the election, patients will be able to see in the NHS App – or in the TPP/EMIS apps if NHSE can’t get its act together – a list of when and where every patient’s records have been accessed via all national NHS services.
The list should begin with accesses to your Summary Care Record, your Shared Care Record, to GP Connect, and in FDP – all of which are capable of such audit functions. If it is claimed that any aren’t, then those who commissioned them were either grotequely incompetent or wilfully negligible. The ‘trial period’ could begin with digitally-engaged patients who have prospective access to correspondence enabled already. The new Government could then say that the secrecy ends, and patients would from that point forward have a clear evidence base of how data about them is used, and whether it has been misused.
For a new Government wanting more use of technology and more system access, this would have another significant additional benefit. One of the hardest aspects of such systems is getting clinicians to use them. If every patient can see how data about them has been used, they can also see where these new systems have not been used when they should have been – providing an evidence base and empowering patients to ask why these expensive data systems weren’t used to benefit their care.
Rest of Government: UC, Governments and computers
In the last days of the Parliament, the Administration Committee of the House of Commons said:
“Although statisticians and researchers publish a wealth of information on which data sources they hold, and how they are used, very little information is made available about how personal data are being used for the purposes of government analysis.”
“102. We recommend that the analysis function explore options for improving transparency around the use of personal data in official analyses, and that this work be made publicly available.
(paragraphs 100/102, Public Administration and Constitutional Affairs Committee report on Transforming the UK’s evidence base)
We entirely agree.
If you were to hear the description of a computer system whose users are overpowered by the system designers and operators, which tells users how much money they owe without showing any detail on how that figure was created, where staff working for the system designers can change those figures at will, and when figures change there’s no way for the users to know about it unless they keep their own independent records –and where discrepancies result in prosecutions, sometimes deaths – you might think someone was talking about the Post Office Scandal.
The previous paragraph is also a 100% accurate description of the systems of Universal Credit, about which we recently published Annex 8 and the wrap-up report.
The final section of Annex 8 relates to the rest of Government as much as it does DWP, and we’ve written a short note on what GDS / CDDO / CO should choose to do.
After all, all Governments end.
Enclosed new documents: