Your medical records and the 2019 Election manifestos

At the last Election in 2017, medConfidential had a single, simple request:

Will patients know how their medical records are used?

While the Government seemed to make noises in that direction, it has delivered nothing. For this Election, we reiterated that question and highlighted a number of key issues and commitments that the next Government would have to make around how NHS patients’ data is used and how it buys technology.

So what did the parties all say in their manifestos?

The Brexit Party ‘contract’ says:

“We support investment in medical research and development and will stop the taxpayer being ripped off by pharmaceutical companies.”

And the Green Party manifesto says:

“End the sale of personal data, such as health or tax records, for commercial or other ends.”

While both of these commitments are clear and categorical, they do lack the nuance that bona fide medical research (some of which is funded by and involves commercial interests) is supported by a significant majority of the population – so long as they know about it, and are given a choice – and is generally seen as a positive thing. For a variety of reasons, some will wish to dissent from their data being used for purposes beyond their direct care – millions already have, and their wishes must be respected – but there should clearly still be choices.

In any event, it is a fundamental requirement of any system that wishes to be trusted that every patient should be able to see how their data is used – whatever their choices are, and however those choices are implemented.

The Conservatives, as the current Government, go into a fair bit of detail on a range of topics:

“We will invest in world-class computing and health data systems that can aid research, such as the ground-breaking genetic sequencing carried out at the UK Biobank, Genomics England and the new Accelerating the Detection of Disease project, which has the potential to transform diagnosis and treatment.”

We welcome the (as-yet-unannounced but much needed) reform to the Cancer Registry and other disease registries, which this appears to include. However, there is nothing in the manifesto on the source of the £5 billion of investment that NHSX suggests via ‘PFI for data’.

The Secretary of State for Health’s announcement that every baby will be DNA sequenced at birth was walked back slightly at the time, but keeps coming back.

Carving up the UK health data research space between a bunch of commercial companies might provide short term headlines, but it would be a longer-term catastrophe for public confidence in research. Unfortunately, this is the deal that the Government agreed in September. 

Ongoing “business models” work from the Department of Business, Energy & Industrial Strategy will all be gamed at patients’ expense, as previous arrangements have been, by companies that see being caught evading the rules as nothing more than a cost of doing business. The Government claims to have created “a ‘one strike and you’re out’ situation for any companies that use data, whereby if there is any misuse of data, they will be struck off,” but despite having more than 5 years to do so, those rules have never been implemented – and companies still aren’t being held to them.

“We will improve the use of data, data science and evidence in the process of government.”

It is unclear whether “the process of government” includes using individual-level patient data in policy and funding decisions, as this Government has previously proposed. But, however Government decides to use data, every patient and data subject should be able to see how data about them is used – not least to avoid particular parts of Government losing all sense of priority.

“We will improve the quality of evidence and data within Government about the types of barriers different groups face, ensuring that fairness is at the heart of everything we do.”

This type of monitoring can be done safely and entirely voluntarily; medConfidential will keep a close eye on what is done to ensure that what should happen is what actually does… Collecting data for a particular stated purpose, and using it in that way, is something that good data protection makes easy.

“We will update the Human Rights Act and administrative law to ensure that there is a proper balance between the rights of individuals, our vital national security and effective government. We will ensure that judicial review is available to protect the rights of the individuals against an overbearing state, while ensuring that it is not abused to conduct politics by another means or to create needless delays.”

Judicial Review is vital as a backstop for all the work that medConfidential does. If the Government removes JR so as to ‘improve’ “effective government”, our ability to scrutinise ineffective government will be vastly reduced. Because, clearly, no Government believes it is ineffective…

The Labour manifesto on data is short and clear:

“We will ensure data protection for NHS and patient information, a highly valuable publicly funded resource that can be used for better diagnosis of conditions and for ground-breaking research. We will ensure NHS data is not exploited by international technology and pharmaceutical corporations.”

While not going into details, this represents a distinct change from the current strategy and narrative from Government, seeking to build a ‘life sciences economy’ in partnership with industry – and any step change on ‘exploitation’ will clearly require that patients have information on what is (and isn’t) happening with their data.

Related to this is a commitment highlighted by our friends at the Campaign for Freedom of Information, covering outsourced public services – FoI should of course apply to private providers of public services, just as it does for public providers. Reversing the decision to reject this, taken in the dying days of the previous Prime Minister, represents an easy win for anyone wishing to be seen as different to Theresa May.

The Liberal Democrats – in what looks like an increasingly sycophantic relationship with the dodgiest tech companies – say nothing about data protection law, but instead borrow the commercial framing of “ethics” and roll together all uses of personal data for AI in a way that would be most advantageous to tech companies, and least useful to the NHS:

“Introducing a Lovelace Code of Ethics to ensure the use of personal data and artificial intelligence is unbiased, transparent and accurate, and respects privacy.”

“Giving the Centre for Data Ethics and Innovation the power to ‘call in’ products that appear to breach this Code.”

When it comes to ‘respecting privacy’, it helps to know that the “Centre for Data Ethics and Innovation” is run by one of the people who first started selling hospital medical records – a practice NHS Digital still claims ‘respects privacy’ – that is an ongoing liability for both Government and the NHS – and, it seems, the Lib Dems. (Though we’re sure it sounds good to those offering money or ‘investment’ to get data.)

This, however, is a very welcome statement:

“Empower consumers and ensure that everyone can enjoy the benefits of new technology, by setting a UK-wide target for digital literacy and requiring all products to provide a short, clear version of their terms and conditions, setting out the key facts as they relate to individuals’ data and privacy.”

On the basis that Government should not hold companies to standards that it refuses to meet itself. Although it does remain to be seen whether this standard is meaningful in practice.


The word “ethics” fails to appear even once in the Conservative manifesto – but perhaps the Lib Dems declaring victory for CDEI, and giving all its influence to others, is the best outcome for that particular policy cul-de-sac. For those who wish to delve more deeply, Chris Pounder has written a thorough data protection and human rights view of the UK manifestos.

It is notable that in choosing to name their new ‘Code’ in their manifesto, the Lib Dems have made the Ada Lovelace Institute the primary author and clear public moral arbiter of any such Code and its implementation. Whether the Lovelace Institute will survive the tension that would create between the financial objectives of the parent Foundation and its fundraisers remains unclear – but, unless the status quo improves, this will likely break both sides. Not to mention the potential fallout onto the currently internationally-respected Nuffield Council of Bioethics.

(The pairing of ALI and CDEI suggests the latter is but a temporary phenomenon – intended mostly to help create the structures in Government needed for those in power to have the conversations with independent and trustworthy data institutions (ODI, ALI, LCFI, etc.) that they want to happen in the longer term. ‘Calling in’ products is meaningless, as CDEI has no powers over what happens when a product breaches any ‘Code’ – a function that would be far better served by existing NGOs, and through engagement with statutory regulators. In practice, what is the point of CDEI beyond a figleaf for creeps?)

The Conservative manifesto hints at 2, which is due by March, coinciding with other changes that will require legislation. The current Government wants £5 billion of ‘investment’ in NHS data; Treasury aren’t willing to pay for it; and the CEO of NHSX believes that the American tech companies will do the work – if they get the GP data too, and get to sell what they learn back to the NHS (with everyone paying over and over again for knowledge currently freely available to the NHS). 

In practice, the law remains that patients have choices about the ways that data about them is used, and it remains true that it is increasingly untenable for medConfidential to be the only place you can easily see where your medical records go.