NHS England has sided with creeps against their victims (again)

As Labour discovered, the Department of Health in England will conjure reasons to reject something they don’t want to do by only speaking to those who will agree with them.  

Buried in the National Data Guardian annual report is the outcome of some work by the Department of Health in England on whether to tell users when their GP records accessed for direct care from hospitals and other care settings – they’ve decided not to do it. DH/E never talked to us about this work on a topic we’ve been working on for the last decade. 

If you listened to Wes Streeting’s speeches, you’d be forgiven for hearing that anyone reading your GP record from outside your GP was impossible. In practice, it’s routine.

Summary Care Records, Shared Care Records, and GP Connect all already exist, and are used to help people most of the time, but are also abused by creepy single doctors to look up the records of women they want to go on dates with, or used by stalkers to read what their victims told their doctors about their fears and health conditions – that last link being the first time we’ve seen a disciplinary hearing cover these topics. The doctor was struck off. 

Item 6.7.4 of the NDG annual report tells you why the Department of Health in England chose to do nothing – it shows DH/E looked at telling users when/where their GP records are accessed for direct care today, and decided protecting patients from creeps employed in the NHS is too “technically and legally” complex. What that means in practice is DH/E would have to cooperate with GPs to show patients where/when DH/E had facilitated abusive access to GP records, and DH/E has decided it doesn’t want to. DH/E has legal responsibility for those abusive access, and has decided that the best way to behave is to keep secret from you the evidence of how your record has been abused, so you can’t complain because you don’t know, and GPs can’t hold DH/E to their agreement because they don’t know. The NDG says her “observations” are that it’s humans using systems in ways they can and which no patient can easily detect.

You can carry on reading into section 6.8 and mentally substitute the various NHS bodies/roles with “Met Police” equivalents from the Sarah Everard case, or the many many other cases where institution denial reigned supreme and innocent women paid the price. How many ghouls have looked up the GP records of victims of crime? No one will ever know because, like the police (until recently?), DH/E has sided with the perpetrators they employ against the victims.

The Department of Health in England is aware of the benefits (to them) of sustaining that ignorance, as item 6.8 of the NDG annual report says the view of DH/E and the NDG on how to resolve it is that: “the public need to be assured that deterrents and sanctions against improper use are meaningful and effective to deter such abuses occurring” (but when they do occur they’ll be covered up so occurrences can be dismissed as rare – which makes the defence rather pathetic). Most victims do not have the evidence to make a legal complaint, and without prior police involvement that evidence will not be made available to them.

The Department of Health in England insists on marking its own homework on access by creeps, but it has so little confidence in its own efforts it will never tell you the truth about the results. As NDG says “bad actors can and do significantly undermine public trust”, but it is the facilitation of the coverup that is the systemic flaw that undermines all honest police officers NHS staff. Individual bad actors will always try to undermine trust, but when guardians institutionalise a conspiracy of silence over bad actions, then the bad actors are seen to embody bad institutions.

In other entirely expected acts of duplicity and secrecy, while NHS England has previously said it would publish the Data Protection Impact Assessments for all parts of the Palantir procurement and all the “use cases” in the Federated Data Platform, they haven’t. The “Privacy Enhancing Technologies” contract has no published DPIA, and the use cases are all being withheld so the Department of Health in England doesn’t have to explain why what they do is different to what they said they would do – coverup is the norm.

DH/E sides with creeps and abusers because that gives them a quiet life, not hearing from anyone that might challenge their decisions to do nothing. (That culture repeats with the proposed reuse of “pandemic only” data governance for non-pandemic uses merely because DH/E don’t want to have the short conversation about doing it properly when they think they can just do whatever they dictate instead).

The new government’s “vision” for their time in Government is to take ownership of all your medical records, including all your written notes, make them all available to creepy single doctors anywhere the NHS logo is seen, to feed them to AIs, and to sell them for economic growth. Inspired by the chatGPT output of the Blair Institute, Wes Streeting’s position is you’ll have no choices in any part of that, and they might even keep secret from you whether it’s happening.

Merry Christmas from medConfidential and best wishes for 2025. We’ll be here.