carry on Creeping, by NHS England

Ministers promised you’d control your data. The Health Bill and NHS England say otherwise

NHS England is in denial. Story after story after story of NHS staff creeping on patients and victims, the Chief Exec of NHS England has decided the problem is only in hospitals and national systems have no ability or responsibility on access.

It is as if Sir Jim Mackey and his staff, the Secretary of State and the DHSC policy leadership, have looked at the series of abuses, and said the problem is not the coverup but the response to the failed coverup – make the response better but cover up the abuses better too. But there’s a slide so NHSE can claim they did something:

It was only because evidence of the creeping got into the hands of the patient victims that the accesses were shown to be illegitimate. And illegal. And NHS England have decided that patients should remain in the dark when NHS England runs the systems facilitating abuse – NHS England claim their Federated Data Platform can show a patient who has gone creeping, and they refuse to show patients. Maybe that culture of coverup that’s why NHS England is being abolished, but it’s not like abolition is going to help.

Ministers are responsible for the coverup

Hansard records that Ministers have reassured patients and the public about unethical and illegal access to their medical records, saying: [ emphasis added ]

“A receptionist might meet someone at a party, then go back to the practice and try to gain access to the person’s records. I am informed, and I believe, that access rights will not enable those who are not involved in the provision of care to see records. Unauthorised access will be marked on the system, and therefore subject to audit. That is one of the opportunities granted to us by an electronic system.

We have provided the most stringent safeguards for security and confidentiality. We hope that anyone who is concerned about information will be reassured by them. The new system will allow patients to determine whether information recorded in one organisation can be seen elsewhere in the NHS: it will be their choice. Even when patients permit such access, only those involved in their care will have access to their records or to information that identifies them, and they will see only the parts of the record that are needed to inform care. That answers some of the hon. Gentleman’s points about the whole health record, and about the possibility that some people might have access to information that was not appropriate. The system is designed to tackle that. Everyone who may have access will be authorised appropriately, and will need a smart card as well as a password. Crucially, the system will register the identity of everyone who looks at the records. That is important as a safeguard and as an audit trail.

Those statements aren’t about the new Single Palantir Record, however – they are about the Summary Care Record in 2005. (To be clear: the SCR does what the new SPR will do, and the SCR is partially the framework on which SPR will start.)

The NHS never delivered on what Ministers said 20 years ago, and without meaningful protections on the face of this new Health Bill, that pattern is going to repeat again now.

Last week, Ministers promised even less than in 2005, saying: [ emphasis added ]

“…applying advanced cloud-based audit and oversight capabilities, enabling near real-time monitoring of system access and detection of unusual or inappropriate patterns. That will allow NHS security teams to track and detect access patterns, and to quickly intervene if specific records are accessed by staff who have no clinical relationship with the patient in question.”

An audit trail registering the identity of everyone who looks at patients’ records, which supposedly “marked” unauthorised access, failed to prevent 20 years of creeping. And now we are told there’ll be “cloud-based” tracking of “patterns”. In the face of widespread illegal access – only a proportion of which ever come to light – Ministers still refuse to promise that patients, i.e the only people who will know for sure that an access is inappropriate, will see the audit trail of when and where their records were accessed.

“NHS security teams” aren’t a real thing for most patients. It’s like saying the bouncer at A&E on a Saturday night will protect your records from being accessed any time, anywhere else. In reality, the NHS has no way to know whether you walked into the pharmacy that accessed your Single Palantir Record – containing all of your diagnoses, notes and prescriptions, and the “summary” of all of the most sensitive details of your life, in order to “avoid having to tell your story” to different clinicians (or so the spin goes).

As a relentless series of revelations keep showing, the NHS is entirely blind to these abuses. And it will continue to do nothing about them as the Single Palantir Record, “essentially a repository for the story of people’s lives”, widens access to your records even further.

Ministers argue their actions have no possible negative consequences. After 20 years of evidence to the contrary, they are either being utterly disingenuous or wilfully ignorant. And their argument is even less credible because of the way the Health Bill changes who controls what data in hospitals. 

Today, if a hospital notices that its records have been accessed in a questionable way, the hospital considers itself the victim, because it is the responsible actor under data protection and employment law. But the hospital investigates itself – hence coverups – because it is the data controller. 

Under the Single Patient Record, the hospital will no longer be the data controller and will only have responsibility for its staff. And Ministers won’t want to know about the abuses for which they will be responsible, which this Bill does nothing to prevent.

If GPs are to be data controllers for the information in the Single Patient Record, then your GP will be the one who is responsible for auditing access to your record. But GPs aren’t being provided with any mechanism to do this, so GPs and patients will be forced to rely on those most incentivised to cover it all up – the employer of the perpetrators. (Things will get even worse when GPs’ control of their patients’ data is eliminated, when the Secretary of State eventually announces that GP data will be copied into the Single Palantir Record, and not accessed at source as needed.)

Government has seen the abuses of Southport, Nottingham, Cambridge (multiple times), and more, and has decided that the status quo “safeguards” are making bad headlines, so must be reduced. They won’t even share a draft of the Regulations, which suggests they are toothless.


To use the analogy discussed in Committee, should a doctor in Dover look up the records of Andy from Manchester, it would entirely depend upon which Andy as to whether that access ever got checked. (Maybe that Andy did have a pressing need for GP, Ambulance or Pharmacy First while on a walkabout – the NHS simply doesn’t know and NHS England didn’t bother to communicate with any of them on what it sent to hospital CEOs – guidance which allows the hospital to continue to cover up abuses

Any Andy can walk into any pharmacy or front line service anywhere in the country, and the NHS can have no idea whether they actually did, or whether someone just went creeping. The only person who can know for sure whether any particular access needs investigation is the patient.   Indeed, if a patient has concerns, NHS England guidance is that they should  ask every Pharmacy in the country whether their record has been accessed and whether the Pharmacy thinks that was appropriate – the patient gets no information whatsoever. 

Access to patients’ records is being widened, and the demonstrably inadequate protections are unchanged – in effect they’ll be narrowed, given they’ll be known in advance. There’ll be no meaningful protections in the Single Patient Record unless you’re a high profile individual capable of getting the attention of what the Minister pretends are “NHS security teams”. 

The Princess of Wales has armed guards. You shouldn’t need them to know your medical notes are secure.

Ministerial intent

When Mr Streeting spoke in the House of Commons debate, he said:

“Our health, our data, our NHS—patients should control who can access their data, and they should control their own data.”

Even if Mr Streeting’s intent was honest – and it probably was – it is not delivered by the text of the Bill.

Those undertakings were absent in Committee, and they are not what the surviving Ministers have said will happen. Indeed, after Mr Streeting resigned, Ministers have walked back that commitment – if DH officials ever really considered it. According to the text of the current Bill, patients will not control who can access their own data, and they will not control their own data.

If promises about privacy, access and patient control aren’t on the face of the Bill, they will be watered down in future.

While the Minister said “Members from across the House have asked how those safeguards will be built into how the system is designed and operated, which is what we are doing”, what they are doing will still allow creeps and ghouls to stalk terrorism victims or their neighbours – and patients will have no way to know anything about it. 

The fact that a patient is in a hospital does not mean that anyone in the hospital should be able to just take a look, but in practice they can.

When Ministers say data access will be “only for the right reason”, they are stating an intent not a constraint. The patient won’t get to determine the reason, and there’ll be no meaningful constraint unless patients are given access to evidence that means any complaint they make is taken seriously. Without a patient-visible audit trail of access to their records via the NHS app, then that threshold won’t be met unless you’re a high profile victim (and those who creep on you regularly do so again).

Because the draft Regulations have not been published, it’s impossible to know when Ministers say “that is what we are doing” that what they say matches what the former Secretary of State said – or whether what they’re doing will continue to enable creeps, as has been happening for the past two decades.

Patients are being required to trust that the Singe Palantir Record will work in their interest – a terrible place for a new Government to start from. The new Government must give patients a way to see that promises made are what is being delivered.

To be trustworthy, an audit trail must cover everything

Ministers parrot US company Palantir Inc’s assertions that Palantir has audit capabilities that others don’t – but if those capabilities are unavailable to patients, they may as well not exist.

Contrary to what Palantir may believe, “audit” means revealing everything that happened with your health records, not just the things that the NHS would like you to know about.

The Single Patient Record is caught up in political spin, and the Single Palantir Record is something entirely different than what’s being promised – benefitting the creeps, ghouls and Palantir, and creating an even more murky situation for patients, who will be forced by this Bill to accept whatever Ministers and Palantir choose to give them.

==

Find out what happens next: Sign up for our newsletter (we don’t email often) or get small frequent updates via Substack — free to follow, and we are grateful to all those who can donate to help more of this work.