Author Archives: medcon

Good TREs Work

Each December we look at the year’s progress towards telling patients how data about them is used (from 2014 2020).

Good TREs Work, and good Trusted Research Environments are working. The remaining hold-outs are those whose ideology requires data to be copied in the shadows, avoiding both transparency and accountability.

All dissemination of linked patient-level data is unsafe, but some is self-evidently more dangerous than others – such as organisations receiving the same data for the same people for the same month, one set with opt-outs applied and one without opt-outs applied. We have ‘red flagged’ such organisations on TheySoldItAnyway.com, and they should be required to use the TRE for all future projects that need data each month.

Data recipients like these pose an unjustifiably high, systemic risk – especially when it has been shown that Good TREs Work.

2021, and what’s next? 

GP Data for Planning and Research (GPDPR) collection is paused until NHS Digital’s TRE is working for all GP data, which it is not yet in a position to deliver. While Good TREs Work, NHS Digital has not yet delivered a TRE which is as good for everyone as the Secretary of State has committed them to doing – and as NHS England is actively undermining it from doing.

GP data cannot be collected until access is TRE-only, and there’s still quite some way to go on that. We would include details of how long that is likely to be, but NHS Digital does not publish the data that would allow that figure to be worked out.

The Goldacre Review should have been out by now – it is still due ‘soon’ – and in data terms it is expected to be largely uncontroversial. The handling practices of both GP and Hospital data have been dangerous for decades, but they can and must be reformed.

Hopefully NHSX, NHSD and NHSE will finally recognise that danger, and what the 2021 ICO Code of Practice on Data Sharing, (UK) GDPR and the 2018 Data Protection Act all say – that dissemination of highly detailed, sensitive personal data on the entire population of England can result in re-identification, including through the event dates that are entirely unprotected in the datasets. Continued denial of this danger will result in NHS patients being identified, as happened in Australia

For 2022, we have updated the data usage report mock-up we first drafted in 2014

The most noticeable changes in the report are the organisational names and logos, but the principles of consensual, safe, and transparent data handling remain. All data handling by NHS bodies could be transparent, and the data uses register format NHS Digital moved to in 2021 is an improvement – but bodies like NHS England, for example, still choose not to say how its COVID-19 Data Store was helpful in the pandemic.

With only twenty projects admitted to by NHSE, the panoply of missteps that occurred in the pandemic seems less surprising – if no less shocking – and there’s no published evidence of any value in Palantir Foundry at all. (We go into more detail on this in the available next steps to Data Usage Reports (2021).)

AI and data governance

As AI moves out of DHSC and the civil service into the “real” NHS, it will have to justify the budget and resources it has been given. Though there is a point in time in the history of everything that works when it didn’t work, there is never a point at which those things that don’t work did, no matter how much money was spent.

The AI strategy will re-emerge at some point, and NHS England will get to reconsider it. Our straightforward advice is this: one third the length, one third the budget, and three times the vision. Under NHSX, things have gone in the opposite direction…

DHSC and corporate interests are not the same as doctor’s interests or patient interests. Not even close. Recognising the AI advisory and former No10 Chief of Staff’s view of international agreements – that subterfuge and double-dealing are legitimate between parties – every supplier to the NHS should be required to provide a “datasheet for datasets” for every dataset it was trained on (and to check all the IG) so as to stop ‘data shortcuts’ being profitable.

Public and professional unease around both genomic data and AI is not limited to data governance. That Genomics England handles data safely does not eliminate concerns around how it may be used, e.g. for newborn baby screening. Just because something can be done with data, and can even be done safely, does not mean that it should be done at all.

COPI renewal – choosing a better timing cycle

COPI remains in force, and it is unlikely that DHSC will be able to make a good decision on renewal in any February or August. The March and September dates are simply a legacy of when the pandemic started and a 6-month renewal. This being the case, if HMG believes the pandemic really is ending, the next COPI extension should be for just three months – which would also put things onto a more reasonable cycle of making decisions before and after winter, not in the middle of it, should another variant emerge. 

Will they ever learn?

In the context of the Government’s “new direction” on data that will make it harder for people to understand what is being done with their data, and easier for companies and authorities to use it beyond people’s expectations, NHS England’s hostile takeover of NHS Digital means all of these risks and responsibilities will become theirs.

The public may have been generally confused by who and what NHS Digital is – a symptom of what the Wade-Gery Review referred to as ‘split responsibilities’ and a ‘fragmented’ landscape – but everyone can understand that the institution Directed by Government that is NHS England is neither your doctor’s friend, nor yours.

In 2014, NHS England blamed the Health and Social Care Information Centre for its own care.data debacle, requiring HSCIC to cede more control, have an NHS England Board chair, and an organisational rename to NHS Digital – which is precisely who NHS England and NHSX (i.e. NHSE + DHSC) now blame for the collapse of GPDPR in the summer of 2021, a programme over which they had final say. Clearly no-one learned the lesson the architect of care.data was forced to, seven years ago: “We do not subscribe to artificial deadlines here – we will roll it out nationally only when we are sure the process is right.”

DHSC’s commitment to TRE-only can be delivered, and NHS Digital has started to deliver it – with 125+ organisations using some form of NHS Digital “system access”, according to its release register.

Trust requires transparency

The risks and issues around Hospital data and those of GP data are by and large the same. And in medConfidential’s dealings with NHS Digital / HSCIC over the past decade it has always been clear that hoped-for improvement was not just possible but eminently feasible. Yet, despite this, progress towards a TRE for all secondary uses of patients’ data and personalised data usage reports for each patient has been minimal, at best in only minor increments. 

Lack of progress has in large part been due to DHSC disinterest, lack of adequate resourcing, and the outright intransigence and active kneecapping of positive intentions by NHS England. The evasions and lack of transparency around NHS England’s COVID-19 Data Store only highlights its culture of secrecy and contempt, suggesting a new corporate attitude and approach will be absolutely essential should NHS England come to govern all patient data in the English NHS. 

NHS England’s fear of transparency and accountability are not necessarily irrational, however. Senior officials know what they and their NHS England colleagues already do with data, and clearly believe it would not stand up to public scrutiny – issues that Baroness Harding will know from experience have very real consequences. Is it really true that during the entire pandemic, with the unprecedented amount of health data it hoovered up under extraordinary powers, only 20 projects used the tens of millions of NHS patients’ data in NHS England’s COVID-19 Data Store? 

If it persists in the absence of good governance that characterises its handling of our data, and with its favoured scapegoat no longer available to blame, NHS England may in the next act be exposed as the true cause for data despair.


Enc:

ONS analogies with NHS Digital datasets

Data Usage Report (2021) example

Available next steps for Data Usage Reporting (2021)

GOV.UK’s Black App: and in the darkness (Departments) bind them…

When DHSC specified the NHS App’s features, it was was a near-certainty that GDS would (eventually) copy the game plan: a cross-GOV.UK app – a webview onto existing GOV.UK information and services – being almost inevitable due to the machinations, and lack thereof, by Whitehall Departments.

NHS and gov.uk app logos

Unsurprisingly, in the closing weeks of a spending review, with new digital management, and after a crisis in which such an app probably wouldn’t have made much difference, but in a world where HMG wants to own vaccine certificates, and NHSX(etc) very much wishes not to, the GOV.UK ‘black’ app was announced.

The approach being taken will in all likelihood dissolve the ‘hard boundary’ between the NHS and government – but, of course, do nothing to actually help social care where that boundary is already blurry…

A GOV.UK app won’t provide anything an online GOV.UK service doesn’t do already – or will do, by the time you are ‘nudged’ to use it – but it will give the Cabinet Office new and greater powers over other Departmental services. And with these new powers will come (some) new responsibilities, such as for the hostile decisions Departments make in their own narrow interests (which our work elsewhere has found widely: e.g. 1A, 2A, 4D, 4E, 5E, 5J, 5L).

On the one hand, GDS’s excuse of “It’s not our service” will cease to be sustainable; on the other, the “One Login” for the (whole of) GOV.UK will give it a stick with which to rein in the worst of the Home Office / DWP digital divide…

Will the dark arts permeate the Black App? And since the answer is yes, where?

Cross-service tracking and analytics

The introduction of cross-service tracking and web analytics will allow unprecedented monitoring and investigation of causality and consequences, such as:

  • Does being sanctioned cause you to look up food banks?
  • How many people do that in the app each week?

Even if it chooses not to publish the statistics – as it really should for public services, paid for by public money, serving members of the public – civil society will be able to FOI official Government analytics to show how harmful a policy is, down to specific constituency level…

Also, when one service accessed via the Black App asks about a vulnerability, and when there is a ‘single view of Government’ via the app, will the legal position be that “all” of Government should then know about it?

  • Will DVLA be permitted to maintain institutional ignorance?
  • Will DWP?
  • What about where one Department accepts a UK resident is a victim of modern slavery, but another Department on the next screen refuses to believe it?
  • What about Settled Status

Where will the balance of benefits between the citizen and state lie?

As Richard Pope highlighted in his investigation of the systems of Universal Credit, “are the advantages of digitisation being shared fairly”, or will Government’s focus on automation once again prioritise its own ‘efficiencies’ over those of the public – offering no substantive benefit to citizens beyond “Look, it’s an app!”.

User-hostile design choices

Typical of the world view of many we deal with, Home Office front line officers have demanded to see the e-mail that the Home Office itself sends out about Settled Status as “proof” of people’s Settled Status. Yet that e-mail clearly states that it and the letter attached to it are not proof of status.

We revisited the Settled Status scheme, where refusal to provide offline alternatives to a ‘digital first’ service is causing widespread difficulties, distress and discrimination – which could be avoided by something as simple as recognising paper credentials, which is the way Home Office officials appear to be treating the letter from Home Office in any case. Initiatives such as the ‘COVID Pass’ in the NHS App have demonstrated it is entirely feasible to provide a signed credential for people to hold on their phone at high volume events.

Of course, such user-hostile choices are not just made by the Home Office but across Government.

Those who encounter the greatest burden in one place will face it in many (Annex 2 and 2A). At some point, someone will have justified adding each one of the different procedural burdens that we list in Annex 5; sometimes those justifications may even have made sense. But some of those justifications will have included a Departmental assumption that it is the role and function of citizens and service users to satisfy the whims of the Department…

That those who encounter the greatest burden in one place face it in many is one reason we focused on parents of newborns in Annex 7: “Baby then bureaucracy – the paperwork of new parenthood”, where one would think (or at least hope!) that the policy intent would be closer to, “We’re keen to help, we just need to check a few things first”.

The choice of permissions for Geolocation

While many are accustomed to using them in their daily lives, apps introduce scope for unprecedented levels of surveillance. One of the things a permanently-installed app on your phone can do that a web page cannot do is permanent geolocation. While it’s impossible for a web page to track your location (‘with permission’, of course) when it is not open; an app can do so. 

Our work on UC shows DWP will use any form of algorithmic cruelty it can find. Requiring UC claimants to submit to permanent geolocation is exactly the type of thing DWP would demand, and keep demanding, until it got permission. Could the Central Digital and Data Office and GDS, as a split leadership, reject those demands? (Noting the Home Office will probably find a reason to access geolocation too…)

In response to COVID-19, DWP figured out that the easiest option for DWP is to treat claimants like hostage takers and demand ‘proof-of-life’, with selfies holding up newspapers. 

As an aside, when the postcode centroid algorithm (and the errors therein) is compared with the GPS location (and the errors therein), who will suffer? UC would rather punish claimants than admit systemic failings.

For these and many other reasons, prior to launch, GDS must therefore explicitly ban any geolocation that isn’t on an “allow once while using the app” basis and for platforms without that as an option, GDS must design and implement a best-quality user journey which takes the user via their system web-browser to perform a one-time location and then return them and the single-use coordinates to the app

Departments may be even less accountable for user hostile decisions than facebook or youtube, as the view of the Government’s internal ‘Fraud Profession’ is that citizen requests are frauds until proven otherwise, beyond doubt – and that the civil service never makes an error, until proven otherwise beyond a reasonable doubt. (And for the latter, such investigations rarely take place.)

The use of devices and device services to exploit users by underhand means in pursuit of power and profit has been led by Facebook. Unfortunately, unless abusive techniques are explicitly forbidden, Home Office and DWP acolytes will most likely see the ‘ingenuity’ of Facebook’s engineers as a playbook, and a feature list – not a recognition of the moral decrepitude of their monster factories.

Civil Service silos 

That DWP is forced to accept a GOV.UK Account for Single Sign On via the Black App means it will also have to accept it via the main UC website – both because the app is at its core just a view onto a web page, and because it would be untenable to force people to only ever use the app if they first used the app.

As soon as the Black App is launched, absent formal monitoring and enforcement otherwise, any Department will be able to exploit the full range of sensors in any device on which it is installed. The delegated nature of services means the Home Office, DWP, et al. do not and will not need to ask for central permission; what the web view does will be entirely within their control, especially on Android where protections are weaker. 

Meeting whose needs?

An app satisfies the CDO / CDDO / CDIO / CDEI / EIEIO / etc. need for the perception of institutional simplicity. Commentary on Twitter suggests at least some civil servants have read ‘Seeing Like a State’, which illustrates and explains how Governments do things because they make Government’s job easier, rather than necessarily helping the people they claim to serve.

In this context, Zacka’s ‘When the State meets the Street’ should also be required reading, as the business GDS is getting into with the Black App is front line service delivery for all of Government, at a level far deeper than just “meet user needs*”. 

In terms of needs, both individual and institutional, and given so much time in public services is taken up by complex cases – those with past traumas causing current difficulties – what would a trauma-informed interface look like?

It’s unlikely to appear in the Black App, but it could well do somewhere else…



For more detail and background, see our core report, ‘Decoding the Algorithm and Data Choices in DWP’s Monster Factory’ and complete list of Annexes – of which these are most relevant:

medConfidential Bulletin – 23rd July 2021

If you asked NHS Digital for opt-out forms and the forms didn’t show up, or took ages to arrive, people tell us that happened a lot. You can get forms from us here.

We’d like to be able to tell you that you will have more information on the ‘GPDPR’ data scheme in the future than you have today – but, as you’ll see below, that’s not a promise the Government was willing to make

What just happened

The GP data grab has now been paused for longer than patients were originally given to opt out. This week it has been delayed for a lot longer, almost certainly into 2022. You can read our situation report from 13th July which predicted what would happen, and what is still left to happen. But whenever the scheme restarts, there’s still no promise from Government that you’ll hear anything about it directly.

When medConfidential gave evidence in Parliament on Tuesday, the Government could have committed that you would hear something from the NHS. Instead, the Minister ducked the one remaining big question, leaving the suggestion hanging that the only way you’d hear about it is from medConfidential.

They have tried that approach twice so far – first in 2014, and now in 2021 – and it has failed both times. Not to write to everyone a third time would be a textbook example of doing the same thing over and over again, somehow expecting a different result.

In his last act before becoming mired in scandal, Matt Hancock announced that GP data would only be used in a Trusted Research Environment – we hope this is true. (Similar was said in 2014, but never delivered.) This time, however, all of the examples given were agreed to be dangerous, and all of the examples were from hospital data

The Health and Care Bill that’s now working its way through Parliament does nothing to address this. So, through the rest of the year, there’ll be discussions about the Health and Care Bill, and probably some (late? sneaky?) amendments that affect patients’ data…

What’s next

There will no doubt be a series of sessions in ‘smoke-filled back rooms’, where there’ll be any amount of intense lobbying to water down promises to patients – which is the most likely reason the Government won’t commit now to telling you what it will do, in a letter, when it’s been done.

There is good reason to be sceptical that the promise for Trusted Research Environments (TRE) will be delivered. The “national institute for health data science” refuses to tell us how much money it has spent on its TRE attempts – largely because the only thing it has to show for those attempts appears to be the prize it awarded to its contractors. That team delivered nothing useful for researchers, but got a prize. We have no idea how many millions were wasted, but we will find out.

Many will have heard about the opioid epidemic in the US, where a Pharma company encouraged its sales teams to pay as many doctors as they could to prescribe as many painkillers as they could, disregarding any harms to patients or the public. The details of that scandal are now in a book, and the legal case was settled earlier this month – one of the outcomes being that billions of documents will be made available for public research


One question we may therefore be able to research definitively is the effect of ‘pharmaceutical marketing’ in the US, and possibly beyond – noting that NHS Digital not only makes patients’ data available to third parties (and fourth parties too, via intermediaries) for just such purposes, but also some prescribing data, which the NHS isn’t allowed to let others analyse…

It will be interesting to see how issues like this, which have been brushed under the carpet for years, play out in coming months.

What can you do?

Keep spreading the word! The Minister wrote to GPs but, once again, no-one thought how to inform patients of what’s going on. And GP data extraction is still going to happen, albeit not in quite such a rush.

Promises have been made, but are yet to be delivered – much less be seen to be delivered – so, if people do have concerns, their best option at this point is still to opt out. If and when their concerns are addressed, they can always opt back in.

Other than that, we hope you are able to get both jabs, to enjoy the summer, and that you don’t catch and won’t spread COVID. That the politicians seem to be doing their level best to screw things up doesn’t mean we can’t all get through this, together.

medConfidential Bulletin, 11th June 2021

Hello to all of our new newsletter readers – a lot of people have joined in the last week.

medConfidential only sends out a newsletter when there is something worth saying. There might be a few more of them over the next few months…

What just happened?

On 12 May, NHS Digital quietly announced there would be a new GP data collection, known as ‘GP Data for Planning and Research’, ‘GPDPR’ – or the #GPdataGrab, for clarity. 

NHS Digital and the Secretary of State, who on 6th April had Directed NHS Digital to run the scheme, hoped no-one would notice.

Matt Green did a very good, and funny, explainer of what it was they were planning, which you can also watch (or share) on YouTube:

https://www.youtube.com/watch?v=QqZXH0CJYcM (the deadline date has since changed)

Because it was rushed out, all sorts of issues were missed. Just one being that if you are pregnant, there’s no guidance on what to do for the GP data of babies born shortly after the deadline; there is no digital process for unborn children…

And then, less than a month later – after a media firestorm, a bunch of contradictions and corrections, and huge public outcry – the programme got paused.

Here’s just a sample of some of the media coverage:

Just yesterday, NHS Digital confirmed that its Data Protection Impact Assessment (DPIA) for GPDPR is still not in a publishable state, suggesting that fundamental contradictions within the programme have not been resolved. The DPIA being the one document where everyone has to write down what it is that the programme actually does, why, and the consequences – i.e the ‘impacts’. So, of course, any contradictions become obvious.

The GP data grab programme was clearly not ready, and is still not ready – and looks like it cannot be ready by the 1st September. (At least…)

What’s the new deadline?

Originally, the GPDPR scheme had no official opt-out forms. medConfidential said we would publicise ours (including our logo) and so they created one. As a result, the Government and the GP Profession agreed that it could take up to a week for a GP practice to process their patients’ opt-out forms – they are rather busy at present! – and the 23rd June deadline date was written into a document, one week before the 1st July start (i.e. data upload) date. 

That ‘time lag’ applies equally to any new start date, which is now (no earlier than) 1st September. The September date was entirely up to the Government, and did not need to be agreed with anyone. So Ministers could announce the new start date.

But any deadline has to be agreed with the GPs.

And it is notable that the Government, hiding behind NHS Digital, “wasn’t able to specify” officially what the new deadline is. Ministers and civil servants have calendars like you and us, so they could work it out – but the Government can only announce those actions the GPs have agreed to.

That, at the time of writing, NHS Digital appears to be prohibited from saying exactly when the new deadline is suggests that far more substantive changes to the GP data programme are coming than the Government is currently willing to say.

Having said that, the deadline for opting out to your GP practice relates to the processing time it takes your GP – something that is not within the power of the Government to arbitrarily shorten. (Though it could be made longer, by extending the 1st September arbitrary date; an “artificial deadline” for protecting your GP data.) 

Of course, the correct sequence of actions and deadlines is that no GP agrees to any upload of their patients’ data until each patient has been notified; that patients have been given the opportunity to make a choice, and the information and forms they need, and that those choices have been processed. 

This may be why NHS Digital cannot say what the opt-out deadline is, because it has more work to do on its communications and the opt-out process – especially for dependant children – a process which will likely take months, not days.

Since the Department of Health (DHSC) can’t even announce a deadline that is based simply on being able to read a calendar, medConfidential currently has little expectation that the GPDPR programme will start in 2021. In all likelihood, and as with the previous attempt in 2014, this new GP data scheme will likely drag on until it gets fully reset by the next Secretary of State for Health. 

Of course, we can’t afford to be complacent; we do have a Secretary of State in office who believes in data over everything else. (Apart from start dates, apparently…)

What should be next?

The letter from research funders, “Patient data must be safeguarded”, should still have applied this week – but it seems some on the Euston Road have slid backwards in their approach.

One narrow idea from some within the research community is to try to win a “research boffins vs privacy people” argument. That framing is eternally unstable; whoever is winning that argument this month doesn’t matter, because someone else will be winning it next month. 

Any stable and sustainable patient data programme must take a “research boffins and privacy people” approach – with everyone in the same room, working towards a goal that everyone can stand behind. 


We see no sign of that happening.

The best way for uses of data to be sustainable and trustworthy is for patients and the public to be informed about what data is used and how, what your choices are, and to have safeguards and governance that is both effective (with no loopholes) and seen to be effective – so individual patients and the public at large can have confidence in how the NHS uses data about them.

What can you do?

Spread the word, and please share this link to our ‘How to opt out’ page:

This battle is far from over.

There is still a lot of confusion – even medConfidential is being accused of ‘misinformation’! – though we do our best to always present a clear and accurate picture, and link to the evidence, about an unnecessarily overcomplicated process that is being hustled through by the Government while we are still in a pandemic.

Please do not panic, keep yourself informed. We will send further updates when we know something has changed. And be aware that this is going to run into ‘silly season’ in August, in a year when everyone really deserves a break – or, at the very least, a staycation.

Thank you to all those who have given us support. We really appreciate it, especially right now.

And you can be confident that we will be here when they try again! 

Let us tell you about the massive new GP data grab the Government would rather you didn’t hear about…

The countdown has already begun. The Government’s plan is to copy your entire GP medical history – including all the most sensitive parts – and make it available for third parties to apply for and buy access. Even though Matt Hancock Directed it to happen he’s not going to tell anyone about it. Neither will Boris. 

Details are still a bit sketchy; critical documents like the programme’s Data Protection Impact Assessment aren’t written published yet, and some of wha’s being said to patients seems… contradictory. The promise that “you can opt out at any time”, for example, doesn’t fit with the fact that once your data has been copied, it will never be deleted. 

We will provide more information as it emerges, but for now…

If you’re wondering why you haven’t heard about this, it’s because they haven’t told you! The Government are playing the odds that you, your family and your friends and colleagues won’t have noticed some information they buried on a website, or the handful of tweets they’ve made.

While you can opt out, they’ve made it deliberately confusing and difficult. Unlike the single form medConfidential provided at the beginning of the previous attempted GP data grab in 2014, you must now use several:

  • The most important one is the ‘Type 1’ opt-out form – this is the only opt-out that will prevent your GP data being copied to NHS Digital, and then onwards. If you haven’t done so already, you need to fill one in and send it to your GP practice within the next six weeks. (If you opt out after 30 June, your GP data could be copied from your practice at any point and, once copied, it will never be deleted.)
  • If you opted out from care.data in 2014, your opt-out will still be valid. Your own GP practice may still be using a form from that period, but it is completely different from the ‘National Data Opt-out’, which used to be called a ‘Type 2’ opt-out. Bottom line, if you opted out of care.data in 2014, you should be OK for now.
  • The National Data Opt-out, introduced in 2018, limits NHS Digital from selling access to some of your data in some circumstances. (They still sell it 85% of the time.) This opt-out process is supposedly ‘digital first’ but in 2021, for people and families with dependents, NHS Digital’s process still involved multiple PDF forms – which we’ve combined into one. And because the process is so overly complicated, we’ve created a page to help guide people through it: https://medconfidential.org/2021/children/ 

If you don’t opt out before 30 June 2021, the Government will take a copy of everything medical that ever made it into your GP record, throughout your whole life – apart from some limited aspects of information around gender recognition or IVF treatment (if you have received any).

The first upload will be of your entire GP medical history to date – which will happen as soon as your next GP appointment, possibly even before that – and then there will be daily updates thereafter, to copy every new thing that is recorded about you.

There will doubtless be much more to come, but the headline is this: 

The Government intends to take YOUR entire GP history, and isn’t even planning on TELLING you that you have a CHOICE, i.e. by writing you a letter.

This time they’re not even sending out a junk mail leaflet, but they might do some tweets and social media ads. (As we write this, their YouTube video appears to have fewer than 260 views.) 

To summarise, the process to dissent fully from the copying and then further use of information from your GP record for purposes beyond your direct care is as follows:

  • Give a Type-1 form to your GP, for your whole family’s GP records;
  • Do the online National Data Opt-out (NDOP) for yourself;
  • Download, fill in and e-mail the multi-page NDOP form for your children.

There should be better options, but this Government apparently doesn’t want to listen.

medConfidential has been fighting to ensure every use of patients’ data is consensual, safe, and transparent since 2013. We aren’t there yet, but there’s every reason to believe that if enough people take action, we will get the protections you and your family deserve.

This Government sees so little value in any form of protest that it is trying to ban it through legislation. And its Ministers’ (and senior officials’) view of profit seems to be that ‘any means are acceptable’. Indeed, in a global shortage in the throes of a pandemic, politicians picked their friends to profit off the NHS to provide PPE for nurses. 

Why would anyone believe they wouldn’t seek to profit in exactly the same way from your health data?

If you believe they can be persuaded to change course, or if you simply want to be kept informed, please join our mailing list for more news. And don’t forget to forward this e-mail to your friends and loved ones, who may wish to make their own choice before the end of June. 

Our thanks to those who have donated, especially monthly, over the last couple of years – we kept your money in a pot for times like this. We’re currently using it to pay for sending out forms to those who don’t have printers, and for some other things that we might ask you for help with, next time.


The opt out process for children

In order to register dissent for your children’s medical records to be used for purposes beyond their direct care (and why):

1) Protect your GP data: fill in and give this ‘Type 1’ form to your GP practice [PDF] [or MS Word version] – this form allows you to include details for your children and dependants as well. This is the most important step; the Type 1 opt-out is the only opt-out that will stop NHS Digital extracting your GP data.

2)  If you want to stop your non-GP data, such as hospital or clinic treatments, being used/sold for purposes other than your direct care (e.g. for “research and planning“) you must use this process: 

    • If you have children under 13, you need to fill in this form [PDF] and e-mail or post it back to NHS Digital – this form works for both you and your children.
    • If you have an adult dependant for whom you have legal responsibility, you must use this form [PDF] and send it back to NHS Digital on their behalf

If you don’t have a printer

If you don’t have a printer, and can’t fill in the electronic forms above, you can e-mail children@medConfidential.org with your postal address and how many people you need forms for, and we will post you copies of the GP paper forms, for free, no questions asked (also tell us if you have children under 13, or the online hospital data service hasn’t worked for you, and so you need the hospital data form as well).

We will, of course, only use your details to send you the forms you want and we will delete them as soon as we have done that. (medConfidential is registered with the ICO to process personal data in this way.) If you can afford to make a small donation to support us in offering this service to others, we have a donation page where others have donated so we can send the forms to you for free.


Why does DHSC put you (and other families) through all this hassle?

The pandemic changed many things, but until 23 April 2021 and for much of the last year, the forms to express dissent for your children and other dependents were missing from the NHS Digital website. Instead, for up to a year it said:

Screen capture from 6 October 2020

The explicit decision back in 2018 that there would not be a digital route for families with children came back to bite those who had to implement it.

Postal processing being temporarily unavailable might be considered understandable at the height of a pandemic, though it was clearly someone’s decision to remove the links from the website to prevent new processing.

This may not have been a concern in and of itself, but buried in NHS Digital’s Board papers is a statement that the Direction and Data Provision Notice for “GP Data for Planning and Research” was due to be published “to enable collection to commence (March 2021)”, according to the papers for NHS Digital’s Board meeting on 31st March 2021. That the new children’s opt out form did not appear until three weeks later suggests the discriminatory and inappropriate approach to dissent continues. 

Before 2016, when the dissent process had been considered primarily from a patient’s perspective, the way to opt out was to give one piece of paper to your GP, which covered your entire family – and then the NHS would deal with any complexity. It did, and it worked. Over 1.2 million people used that process, which was possibly more than some would like…

In 2018, NHS England and the Department of Health and Social Care made a series of choices about how the National Data Opt-out Process (NDOP) would work; the effect of each of those decisions made it harder for someone to express their wishes: 

  • By cherry-picking who was invited to meetings, and on a narrow reading of the Data Protection Act 2018, one of those choices was that if you are over 13, you must do it yourself online. (The people to whom NHS England chose to listen at that point were those who believed your GP shouldn’t be an interface between you and ‘the NHS’.) 
  • Another such choice was that the databases used to validate that you are who you say you are online were not to be used to check if you had children who lived at home and who were registered with the same GP.
  • In fact, the decision was then made that there would be no digital process for children at all – parents’ and carers’ choices for any of their dependents would have to be done via a form sent in the post. First that form had 8 pages, then 7, now 4, and (finally!) the option to send forms by e-mail, after feedback about the punitive nature of the process.

As a result of all this complexity, the GP opt out form – which, prior to 2018, used to work for your entire family for all NHS records – still works for your entire family, but only for your GP records. And since NHS England and DHSC chose to create another process, you now have to do that too!

The process doesn’t have to be this complicated. Most families have children registered with the same GP as the parent, living in the same house, so the NHS identity checks for adults should cover their dependent children. There will always be exceptions, families with more complex situations – the current PM’s for example – which is why a paper form is a necessary backstop. But having no web process at all starts to look more like a procedural punishment for families.

The Secretary of State or NHS England could have said that the process for dependent children (and other dependents) should be the same as for adults. Instead they shifted the bureaucratic burden from the NHS onto patients and families, in the hope you would care less about your GP data than their cronies who wish to buy it.

To register dissent for your children’s medical records to be used for purposes beyond their direct care (and why):

1) For your and your dependants’ GP data, give this Type 1 form to your GP.

2) For your children’s and your own hospital and other non-GP data, fill in and e-mail or post this ‘National Data Opt-out’ form to NHS Digital.

3) Not forgetting that for your own hospital and other non-GP data, individuals aged 13 or over can also opt out (or opt back in) online.

Shared Care Records

One thing the NHS bureaucracy likes more than anything is having the same acronym to mean two different but similar things. In addition to Summary Care Records (SCR, SuCR?), which have existed since 2007, NHSEx now adds ‘Shared Care Records’ from 2021.

As explained to the Public Accounts Committee on 17 September 2020 by Matthew Gould, CEO of NHSX, Shared Care Records (SCR, ShCR?) should:

“…allow patient data to flow safely and appropriately between different care providers, not just in health but also in social care.”  – Question 46

It is not that NHS England / NHSx have access to data today that is necessarily the problem; it is what they will do with it tomorrow – and whether they will keep their promises (cf. Test & Trace DPIA, transparency court case, ‘contracts for cronies’, etc. , etc.) 

What is needed for Shared Care Records to work?

Patients’ and service users’ data flowing along their care pathway for the purpose of their direct care is a worthy and worthwhile goal, and one that medConfidential has supported since its inception.

If Shared Care Records are to be successful in practice, and not repeat the dead-ends of LHCRs, that success requires they must do an number of things:

1)  The Shared Care Record is claimed to be for direct care only, and a good Shared Care Record will indeed be for direct care. A bad Shared Care Record will be used for lots of other things that it does not tell you about. NHS direct care services are too often seen as a ‘Christmas tree’ off which to hang things; ShCR cannot be a means by which sensitive health records leak out of the NHS via a back door.

  • What happens across the boundaries between administrative areas (ICS, ShCR, or other)? Do ShCRs facilitate care for those who live in one area but, e.g. visit A&E in another?
  • Do (creepy single) doctors get to look up the records of women they’ve met on dates – or anyone in the country – without disclosure or recourse? Are meaningful measures in place for those who are affected to know that their records were accessed?

2)  Shared Care Records’ existence and purpose(s) must be properly communicated to the public, before they are used, (unlike LHCRs) which means:

  • Clearly and publicly stating what they will and won’t do, and explaining the rights and choices people have;
  • Writing to all those who will have ShCRs created – including service users – not forgetting or otherwise disadvantaging families with children, and not just to those who may have previously opted out of LHCR sharing and/or SuCR.

3)  Ensure Shared Care Records can be seen as trustworthy, on an ongoing basis. From the point they are introduced, a record of every access of a ShCR must be made available to the patient or service user via their new NHS Login, cf. Data Usage Reports.

  • If a provider is capable of connecting to a person’s Shared Care Record, it must also be capable of recognising and respecting that person’s confidentiality and consent choices; if it cannot do both, it must not be permitted to do either. 
  • There is no excuse to ‘retrofit’ later; GDPR requires that all data processing is lawful, fair and transparent – and the data flowing through Shared Care records is, by definition, identifiable individual-level special category personal data.
  • Confidentiality and consent choices should be managed centrally, ensuring that system-wide rules and IG are applied consistently and effectively. If local areas / ICSs manage their own dissent processes and someone moves to another area, will they have to dissent again? How will anyone know?

4)  To the extent that any data contained within Shared Care Records is extracted, copied or otherwise processed (e.g. ‘anonymised’) for any secondary uses, this must be done either within the statutory Safe Haven (i.e. NHS Digital) or under its Information Governance processes, which confer (joint) data controllership. Anything less than this would be a retrograde step and, as the failings of consent and governance processes around individual LHCRs have demonstrated, will compromise public trust.

  • Notably for social care data, the regulator (i.e. CQC) cannot also be the Safe Haven: the incentives would be completely perverse. We understand a reluctance to put a body named ‘NHS Digital’ in charge of (adult) social care data, and share concerns about the ‘medicalisation’ of social care. That challenge is, however, an improvement DHSC and the NHS have to learn if health and social care are ever to be properly integrated.

If Shared Care Records cannot meet these conditions then they will be unfit for purpose, and will have been commissioned badly at huge cost to the taxpayer and to the reputation of the NHS.

LHCRs largely failed; will the lessons be learned?

From NHS Data Day, October 2019

Commercial re-use of data

If there are to be secondary uses of data within the Shared Care Record, then plainly the National Data Opt-out must be made statutory, it must work properly for everyone (including families), and must be made readily available to all before any secondary uses go live.

  • The deadline for system-wide implementation of NDOP has been extended repeatedly from the original compliance deadline of 31 March 2020, to 31 September 2021;
  • Meanwhile, LHCRs and CCGs have struggled to interpret and in some cases properly apply correct and appropriate Information Governance for NDOP – a situation that cannot be permitted to continue beyond the pandemic.

Even if there were to be zero secondary uses of data flowing through the Shared Care Record (ShCR), there would still be the issue of Summary Care Record (SuCR) opt-outs. For if someone has objected to just a summary of their record being shared, how can it be assumed that they will accept the wider sharing of their ‘whole’ care record?

Where there is legislation, therefore, both the National Data Opt-out (NDOP) and a ShCR opt-out must be made statutory; and these must be made readily available to all, and must be respected by all across the whole health and social care system.

“Selling the benefits” is no longer enough if you are also selling the records.

Details documents

As all of the future emerges, the graphics below from various NHS presentations show the thinking that went into them, and the direction of travel:

‘Shared Care Records’ for secondary use?

Data for direct care doesn’t stay for direct care. A series of slides over years show the embedded view of NHS bodies which all want data to flow beyond direct care to commercial companies, and for planning, policy and commissioning decisions.

  • It all begins with a lifelong (“longitudinal”) record and “maximising the use of data”:

from: https://digital.nhs.uk/blog/transformation-blog/2019/so-what-is-a-local-health-and-care-record-anyway

  • For the purposes of policy-making, planning, commissioning and near ‘real-time’ surveillance of individual-level patient data, explicitly intended long before COVID:

From: https://hscic.kahootz.com/connect.ti/PubNHSDDTSF/view?objectId=10508916 

  • Of course, there is also research and commercial exploitation; discussed well before COVID

From NHS Data Day, October 2019

  • …and during the pandemic as well; here’s the Minister discussing legislation to align with Big Pharma interests:

From Baroness Blackwood’s roundtables with Pharma, June-July 2020

ALL of these interests (and many more, e.g. Big Tech, Big DNA…) will seek the data once it has been created.

Details documents

Analysis and Inputs Reporting

[The 2020 update to our ongoing series on data usage reports (20142021)]

The need for and consequences of data usage reporting is something medConfidential has worked through for a long time.

You have the right to know how data about you is used, but what does that look like in practice? We’ve mocked up a data usage report for the NHS, and the equivalent for Government – but what about the analyses that are run on any data? What should responsible data analysts be able to say (and prove) about the analyses they have run?


The new, eighth Caldicott Principle is “Inform patients and service users about how their confidential information is used”. In future work we will look at how this goes beyond existing legal requirements under the 2018 Data Protection Act, what Data Usage Reports (or Data Release Statements) should look like to the NHS in 2021, and what patients should see. For now, though, we want to take a look at the other end of the process.

Analyses, Analysts, and their readers

Public bodies (and indeed everyone) buying AI and Machine Learning products need to know what it is they are buying, and how it has been developed and tested. Ethically, they must be able to know the equivalent of “This was not tested on animals”, i.e. “No data subject was harmed in the making of this AI”.

We covered a lot of the procurement side of this in our recent work on AI, data and business models. But that raised a question: what is it that procurers should ask for when procuring data-driven products and services? And what does good look like – or, at a bare minimum, what does adequate look like?

At the most practical level, what should someone wanting to follow best practice actually do?

And just as importantly, who should do what?

In a world of the Five Safes, Trusted Research Environments (TREs) and openSAFELY, and as the role of independent third parties becomes increasingly viable, those who wish to follow more dangerous ‘legacy practices’ with data will be unable to provide and evidence equivalent assurances – and their offerings will therefore be at a significant disadvantage in the market.  

A trustworthy TRE records exactly what data was used in each analysis, and can report that back to its users and to those who read their analyses. Academic journals often require copies of data to be published alongside an academic paper, which is not possible for health data (and if someone were to make that mistake would be catastrophic), but this certificate could act as a sufficient proxy for confidence and reproducibility.

If you are running the data ‘in your own basement’, there’s no way for anyone to know what you did with it beyond simply trusting you. In health analyses and with health and care data, that isn’t enough – and it should certainly not be the basis for procurement decisions.

So, as before, we decided to mock something up.

Trusted Research Environments which facilitate transparent data assurance like this, and which automate the provision of evidence of compliance with the rules – Data Protection, Information Governance, Equality, or otherwise – will be offering advantages for their users over those which do not. And any TRE that does not report back to its users how its safety measures were used will clearly not be helping its users build confidence in the entire research process.

While they may claim to be “trusted”, organisations that fail to provide every project with an ‘Analysis and Input report’ cannot be seen as genuinely trustworthy.

[2021 blog post in the series]

The National Data Strategy for Health and Care (and the other one for everything else)

Across Government data and digital is too often used solely to help civil servants to make decisions, rather than benefitting all stakeholders.

There is little sign this inequity will be addressed under current structures or priorities, but as Government thinking evolves around the structure of the new Information Commissioner, CDEI should also be fundamentally restructured so as to receive and consolidate a much wider range of inputs – including lay members (DHSC’s former National Information Board had six, for example). Without wide-ranging input, data in Government shall continue to make rookie mistakes such as those of the ONS / GDS Data Standards Authority.

There are alternatives to creating many ‘pools’ of data around Whitehall and simply hoping no-one makes a mistake. Built for the pandemic, and with appropriate governance within and beyond it, the model of openSAFELY could apply across the rest of Government – especially for monumental failures like the National Pupil Database at DfE.

While it is self-evident that the vision of the forthcoming National Health Data Strategy should be to maximise the health of patients within the NHS, the vision of a National Care Data Strategy is less clear. Is it only to maximise the health and health outcomes of those to whom care is provided, or do quality of care and quality of life have other dimensions? Whatever is decided, as the Health and Care systems move towards integration, those two goals must align – but it shows how far apart things are that to talk of (the state of) Health and Care data as if they are even remotely equivalent is quite clearly nonsense.

As the pandemic has brutally illustrated, there is no data strategy for social care – and no evident plan to move towards one. Given every journey must begin with a single step, something like this might work.

Health and Care ‘moving parts’

Whenever NHS legislation is next put to Parliament, the National Data Opt-out should be placed on a statutory footing. Aside from guaranteeing patient choice and underpinning trust, this will provide proper democratic scrutiny of official choices such as the one which the National Data Guardian highlighted in her recent annual report – page 11, right column – where NHS Digital, NHSX, and DHSC decided it wasn’t in their interests for patients to see how data about them is used. Should government attempt to defend that position, when the push-poll and focus group used to come up with it are more widely known, the u-turn will be more embarrassing than fixing it now. 

In a similar vein, transparency on access to patients’ details via APIs (whether new ones for COVID-19 or pre-existing ones, such as for the Summary Care Record) would also begin to address the ‘creepy single doctors’ problem that has been exacerbated by the widening of access in a time of reduced oversight. And that some in Government still wish to use patient records for funding and “decommissioning” decisions (para 2) is unlikely to be wise.

Government argues that new business models are the way the NHS and the Life Sciences Industrial Strategy will get them out of the hole they’ve created. Trillion-dollar tech fantasies abound. But while the conflicts of interest amongst advocates of this strategy are clear, whether it will work is not. 

National Data Strategy (outside of health)

The NDS is a “pro-growth” data strategy, which is an entirely appropriate mission for DCMS – but it creates a fundamental conflict of interest in its sponsorship of the ICO as regulator, and its role in choosing the replacement for the current Information Commissioner. For this if not other reasons as well, the ICO should move back to being Departmentally sponsored by the Ministry of Justice, to underline the fundamental importance of following the law and to ensure the principles of justice apply to all data use, as well as to quasi-judicial decision making by the regulator.

A data strategy for the UK should first and foremost respect the rights and freedoms of every data subject, and aim to provide the greatest net-benefit to the whole of the UK – yet there is no compelling vision in the strategy; no clarion call. There is also no testable hypothesis in the strategy, by which its success (or otherwise) can be known. It is likely no single vision acceptable to all stakeholders could have got through write-round – not least because the unreformed, institutionally-ignorant Home Office will not accept a nuance that is in the public’s interest (for example, PHE / Test&Trace / police data sharing).

As written, there is no explicit difference in the National Data Strategy between personal data and data about objects. Lacking specificity, much of the strategy that is intended for one could be used for the other, thereby creating effects entirely unintended by the authors. A recent misstep by the new “Data Standards Authority” illustrates the sort of harm that can be caused when ‘generic intent’ overrides substantive nuance.

After a summer tainted by “mutant algorithms” in education, nothing would say understanding data less than NHS England agreeing to run the COVID-19 vaccination database off a 66 million row Excel spreadsheet. (While a single worksheet can have a million rows, losing 65 million people should be relatively noticeable – plus they know to look… now.)

Enclosures:

Towards making the pandemic response data changes safe for the longer term

HSJ reports a belief within Government that some current data practices, changed dramatically with emergency powers to meet the needs of the urgent pandemic response, should now become ‘the new normal’. While some of these changes might indeed be welcome, and some probably should remain, others need to end – and others must be significantly amended if they are to become anything like ‘normal’. 

It is not news that some status quo practices in the NHS around digital records were not entirely safe; this was for many reasons, not least the motivations and incentives of a range of actors – from multinational corporations to creepy single doctors – who want access to people’s direct care records for reasons beyond direct care.

A net assessment should be conducted of the goals and proposed ‘end state’ around health and care data (medConfidential will do one too) to provide a comparison with our net assessment from before COVID-19.

Digital and Direct Care

DHSC and the NHS did what they could in the circumstances, but access to digital services for those who are digitally disengaged continues to be a problem across Government – especially where community access points such as libraries are closed, either temporarily or permanently. A Whole of Government approach should be taken (possibly in the spending review) to assess and improve the piecemeal work done by Departments.

Mobile phone networks providing free data access to NHS.UK was a milestone in access to digital services, but many digital approaches across the NHS are not via zero-rated services: probably the starkest example of this is video consultations, which are a postcode lottery of apps and charging models – while the much-vaunted NHS app* still lacks video consultations for those situations where it helps both GPs and NHS 111. (*: No, not the (contact tracing) app. Rather, the good one that NHS Digital built as a core service; the NHS app which acts as a ‘front end’ to NHS.UK)

As COVID-19 de-escalates, and as NHS Test and Trace capacity therefore becomes available, the newly-NHS parts of PHE should address the mess – including the ongoing postcode lottery – of digital services that facilitate STD testing. NHS T&T will need something to do with its capacity after COVID, and the country requires a testing infrastructure to remain.

There will likely be a range of additional tests which can be moved to the ‘post-back and test’ approach of Test and Trace; SH:24 has shown how to do this at scale, but the broken model of Public Health England prevented equal benefit for all. And when such testing moves into the NHS, all of the existing Public Health safeguards and ring fencing around such data collected by NHS T&T will be required.

As with every new technology innovation requiring personal data, these can be used as a mechanism to get laid: creepy single doctors (and others without clear direct care purposes) should not have the ability to view the STD history of those they treat – or go on dates with, having met outside of work – in the way that, due to COVID reforms, creepy single doctors can currently view someone’s full medical history due to the removal of safeguards, with no means for a patient to know when their record was accessed.

Access to individual records for care

The widening of access to records has long been debated within the NHS. And while some clinicians will say how much it helps them, and while some of that may indeed be true, it is far from clear whether the patients involved can know whether their records were accessed where they should have been – i.e. that the wider access was actually useful – or whether their records were accessed when they should not have been – i.e. where wider access was harmful.

NHS Digital keeps records of every Summary Care Record access; these should be made available to each patient within the NHS app (and on NHS.UK when the NHS Login launches there) in order that verified patients can see how their record was used. Without providing that evidence base, any argument for any use of patients’ data will likely be some form of special pleading.

If the public is to have confidence in the broader uses of their data, the ‘new normal’ is going to require the NHS and wider public services to provide the evidence and information people require to assess their trustworthiness. Absent such information, and with decisions being made or influenced by those with other agendas, public trust will continue to degrade. Whether incrementally or catastrophically (as with another care.data) remains to be seen.

The decision to provide this evidence can no longer be ‘kicked into the long grass’; the information vacuum is already being filled. And where NHS IT suppliers such as TTP – which, with its GP Connect Access Record: HTML service, makes information on how a patient’s record has been accessed available to people outside of TPP’s service – do this in ways in which patients themselves cannot see, even if they use the NHS app, it is being filled in ways that are potentially explosive.

Access to records (in bulk) for secondary uses

ONS recently published a new re-identification process for ‘anonymised’ administrative data, which demonstrates that data even less detailed and less specific than data that is currently disseminated by NHS Digital is still open to re-identification – in practice, as well as in theory.

Even if some still assert that pseudonymised data is “not identifiable” – as contradictory as that opinion is to GDPR and DPA 2018 – it is now clear that pseudonymised data can be re-identified. NHS policy and practices of dissemination can no longer ignore the law, or the published work of the Office of National Statistics.

Some developments during the pandemic, such as openSAFELY, which while impossible even to establish without emergency COVID powers, probably should be incorporated into the ‘new normal’. But not simply as they are. Each such initiative must have a proper ongoing legal basis – by which we do not mean infinitely-extended exemptions, such as perpetually renewed s251 support, but proper involvement of data controllers – and robust information governance for every project: all projects being approved by a statutory public body with a reputable, transparent process approved by data controllers. 

Consensual, safe and transparent use of patients’ data is the only sustainable long term model; completely lawful, and with the appropriate governance and patient visibility to be trustworthy that is absent around the cabal of friends we see with some entities.

Public bodies can Improve The Foundations of other priorities

The move of (much of) PHE into the NHS is not new. The cancer registry was moved from PHE to NHS Digital due to the failures of PHE, and the opportunities available for better cancer data within the NHS are already being delivered, following that move. That the cancer registry has applied the National Data Opt-out since 2018 did not cause harm to data users, so there is little cause to worry that any other lawfully-operating disease registry will lose out by moving within NHS Digital.

As the future location for all of PHE’s other responsibilities remain unclear, an approach based on ‘offline harms’ would – given the new bodies’ remits – allow a new advisory committee to cover anything beyond DHSC’s National Institute for Health Protection and the NHS, and ensure no gaps.

NHSX / NHS Digital reforms: One cannot build on toxic foundations. Any ‘reform’ that merged NHS Digital and/or NHSX into NHS England (and Improvement?), would be fundamentally unworkable. The body that makes commissioning and decommissioning decisions cannot credibly claim to both make decisions based on evidence and be the statutory safe haven for medical records, without patients equally credibly believing their records were used to close their hospital – even if such a belief is incorrect.

‘Artificial Intelligence’: Using its purchasing power to insist on a scheme of commodity pricing, the NHS can ensure both a competitive market for health AI – giving patients the benefits of new services, NHS medics tools and diagnostic assistance they can use, and innovators the confidence they will be able to get a reasonable return for a good investment – while also opening up the worldwide use of NHS-class services and tools.

Documents: