Author Archives: medcon

Decision making by the Information Commissioner

The Information Commissioner’s Office operates on legal realities, i.e. “What is currently the case?”. This explains why the ICO may enforce at one minute past midnight on the day a programme comes into force, but not before. It can be infuriating, but that is what a regulator is empowered to do.

“Being legal” is a binary state – something is either legal or it isn’t.

If there is one way in which a situation or scheme or system is legal, and no ways in which it is illegal, even if there are many ways in which it is really creepy, it’s still legal. This is often infuriating in the private sector, but in the public sector there is a very different environment – because, most of the time, public sector bodies don’t get to operate in ‘stealth mode’. In the private sector, the ICO by and large regulates against dishonesty rather than for good data hygiene. The public sector is held to a higher standard.

Either way, before 00:01 on the first day of operation, the ICO operates only on scenarios, or possibilities.

You can in fact put a scenario to the ICO and, while its officials don’t necessarily like hypotheticals, they will offer an opinion based on what you have said.

What most people fail to understand is that ICO decisions are based exclusively upon the scenario (or evidence) as presented to it.

If you tell the ICO that you will do X, and its officials suggest that X is most likely legal, then that opinion will simply not apply if at 9:12 am on the second Thursday of the following month it turns out you instead do X plus Y; that is a different scenario.

Clearly, if you miss out critical information from the scenarios you present, then the ICO’s opinion cannot and does not reflect what you are actually doing; it only reflects what you say you are doing. Remember, the ICO operates on reality – which is why it can only enforce at 00:01 on the first day of operation.

Where the ICO issues “contradictory advice”, it is almost always because the information it was presented with changed.

In a hypothetical scenario, when the scenario changes, the ICO reserves the right to change its mind. What else would it do?

If ICO officials “change their minds” when presented with what is ostensibly “the same” information, it likely demonstrates the fact that – in the ICO’s opinion – material information was omitted the first time.

For example, care.data’s communications programme collapsed because what NHS England told the ICO turned out to be incomplete – when other information was added, and checked against reality, what NHS England said it would do, and what it actually did, were shown to be materially different.

If you want to understand why the ICO changes its mind, the best place to start is with what you didn’t tell its officials, that someone else did.

A first look at the Manifestos

For the party manifestos, medConfidential had a single request:

Will patients know how their medical records are used?

How did the parties respond? (Remembering that the Conservatives are in Government, so should have more detail than the opposition parties.)


Conservative Manifesto

Quite a bit of good news, if the currently most likely next Government remembers what it said:

“We will put the National Data Guardian for Health and Social Care on a statutory footing to ensure data security standards are properly enforced.” (p80)

The NDG’s statutory footing should be based on Jo Churchill’s Bill (our view) which was published before the election. While the Government didn’t enable the Bill to go to Committee, putting it as a Part in the forthcoming Data Protection Bill (mentioned elsewhere in the manifesto) should not be controversial. Allowing the Data Guardian to ‘follow the data’ means that public health copies of NHS data are also covered, and therefore can be properly consented.


“We will give people new rights to ensure they are in control of their own data” (p79)

It’s impossible to control what you don’t see – so a citizen’s view of Government data use (or a patient’s view of the uses of their medical records, or a customer’s view of commercial data use) is a prerequisite for control.

Whether “control” means taking back control from those who would copy data “for the greater good” in secret, e.g. for “decommissioning”, or whether there will simply be transparency and accountability over where data is copied, it will be hard for anyone to argue that this line does not commit the Government to a single overarching opt-out from secondary uses of medical records – in line with Caldicott 3.


“to ensure the very best standards for the safe, flexible and dynamic use of data and enshrining our global leadership in the ethical and proportionate regulation of data” (p80)

While this isn’t quite consensual, safe, and transparent, it is a beginning. However, with the Data Controller in Chief believing there is no data use that could not be ‘proportionate’ – on the tautological basis that if it is being used, then it must be proportionate – this will likely lead to controversy. The scale of problems will be determined by the level of secrecy we refer to in our previous paragraph: will there be secrets?

We acknowledge that this is, however, an improvement over the current state of affairs – having the conversation is far better than not having it at all.


“To create a sound ethical framework for how data is used, we will institute an expert Data Use and Ethics Commission to advise regulators and parliament on the nature of data use and how best to prevent its abuse.” (p79)

While this may sound good in theory, in practice – as we’ve seen with Google DeepMind – such advisors often end up acting as a rubber stamp for deniable practices. That is, when they’re not ignored entirely. Whether this Commission will have teeth, or will have failings similar to those of the various other bodies created recently, will depend on the details.

We look forward to the consultations…


“…we shall roll out Verify, so that people can identify themselves on all government online services by 2020, using their own secure data that is not held by government. We will also make this platform more widely available, so that people can safely verify their identity to access non-government services such as banking. We will set out a strategy to rationalise the use of personal data within government, reducing data duplication across all systems, so that we automatically comply with the ‘Once-Only’ principle in central government services by 2022 and wider public services by 2025.”

Good. The Verify infrastructure and principles can be used to deliver consensual, safe, and transparent digital services – whether in the NHS, across Government, or beyond.

Alongside the commitment to safety, this suggests that the privacy protections of Verify can be used to solve the design failures of the pornography rules in the Digital Economy Act – although we don’t expect Verify to be renamed ‘PornID’ any time soon!

If the controversial proposal for showing ID at a polling station is shown to be necessary, Verify offers a digital mechanism for a non-centralised form of validatable ID, including full “same-day” voter registration, using only a mobile phone (including a pre-paid mobile phone, which can be used to create a Verify account, and then the credential to vote), for free, for everyone. This would be an improvement over the status quo.

The explicit rejection of “sweeping, authoritarian measures” such as the failed Home Office ID scheme is missing, but a wider rollout of Verify – along with services offered in G-Cloud 9, resulting from a privacy discussion with the DG of HMPO – should make any return to ID cards not only unnecessary, but shown to be motivated by other desires. (There’s also no reference to the 53 million genomes project – but, given the delays in the 100,000 genomes project, and the problems with that approach in the delivery of health care, that shouldn’t be a surprise.)

Especially around Verify, but also given the response to wider events, recent weeks have shown the failures of the current digital leadership in Government. Whether digital transformation will cease to come from Government, and instead again come to Government, remains unclear.


Will citizens, will patients, will customers, will users know what these changes mean for them in practice? Will they know how their data is used?

It’s all too easy to forget the human details when you’re working on “great challenges”. That goes for everyone, at every level, however they claim to represent others. This manifesto (like the others) contains many fine words, but aspirations aren’t actions. Promises must be delivered, and be seen to be delivered. And those who make decisions based on our data, and about our lives, must and will be held to account – by the people affected by those decisions.


Labour manifesto

Without access to the civil service, it’s hard for opposition parties to have details on unannounced Government policy – much of the Conservative manifesto quoted above is a delivery of existing work.

“Labour is committed to growing the digital economy and ensuring that trade agreements do not impede cross-border data flows, whilst maintaining strong data protection rules to protect personal privacy.”

That statement leaves very little space between Labour and the Conservatives on this topic.


Liberal Democrats

Despite lots of detail on many things, there is no clear policy from the Lib Dems on consent and data privacy, although in a section entitled “Defend Rights, Promote Justice and Equalities”, it says:

“As liberals, we must have an effective security policy which is also accountable, community and evidence-based, and does not unduly restrict personal liberty.”

This is the closest that we get to data. However, since this applies in the secret part of Government, it must also apply in the non-secret parts.


The Green Party & UKIP manifestos haven’t been published as of the time of writing.

medConfidential response to “technology company DeepMind” Press Release

For immediate release – Tuesday 28 February 2017

One year after first telling the public that “technology company DeepMind” [1] was going to help the NHS, it is still unclear whether Google’s duplicitous offer still includes forcing the NHS to hand over the medical history of every patient who has visited the hospital. [2]

It is no surprise that digital tools help patients, but is Google still forcing the NHS to pay with its patients’ most private data?

As the NHS reorganises itself again with the Secret Transformation Plans, [3] NHS England plans a ‘National Data Lake’ for all patient data. [4] The Royal Free’s bulk transfer to DeepMind is one such lake. In defending giving data on all its patients to Google, Royal Free’s Chief Executive, David Sloman, said “it is quite normal to have data lying in storage”. [5]

Tomorrow the Government announces the UK’s new digital strategy, [6] including new money for the Artificial Intelligence in which DeepMind specialises. Is copying of data on a whim what the future holds?

Clause 31 of the Digital Economy Bill suggests precisely that [7] – data can be ‘shared’ (copied) to anyone associated with a public or NHS body [8] who can justify it as “quite normal to have data lying in storage”.

As Downing Street takes the Trump approach to health data, [9] does Google now say the ends justify the means?

Phil Booth, coordinator of medConfidential said:

“So toxic is the project, the latest press release doesn’t even use the word “Google”.

“It is good that 11 patients a day get faster care due to this tool; but Google will still not say why they wanted data on thousands of patients who visit the hospital daily.

“Until patients can see where their medical records have gone, companies will continue to predate upon the NHS to extract its most important resources.”

Notes to Editors

1) This is how Google’s wholly-owned subsidiary, DeepMind – based in the Google offices in London – was misleadingly described in this press release published by the Royal Free: https://www.royalfree.nhs.uk/news-media/news/new-app-helping-to-improve-patient-care/

2) ‘Google handed patients’ files without permission: Up to 1.6 million records – including names and medical history – passed on in NHS deal with web giant’, Daily Mail, 3/5/16: http://www.dailymail.co.uk/news/article-3571433/Google-s-artificial-intelligence-access-private-medical-records-1-6million-NHS-patients-five-years-agreed-data-sharing-deal.html

3) Hospital cuts planned in most of England: http://www.bbc.co.uk/news/health-39031546

4) medConfidential comments on NHS England’s National Data Lake: https://medconfidential.org/2017/fishing-in-the-national-data-lake/

5) The Government confirms that the bulk data copied by DeepMind, i.e. SUS, “are maintained for secondary uses” and not direct care: http://www.parliament.uk/business/publications/written-questions-answers-statements/written-question/Lords/2016-12-07/HL3943

6) Due to launch on Wednesday, being now pre-briefed by the Minister: https://twitter.com/MattHancockMP/status/835835027611127809

7) Clause 31 of the Digital Economy Bill as currently drafted would allow any provider of a service to a public body (such as Google to the NHS) to share data with (i.e. provide a copy to) any other provider.

8) While the Draft Regulations for Clause 31 state that Department of Health bodies are excluded from the Clause, medConfidential has received confirmation that such bodies will be included in the final regulations after Parliament has considered the Clause without health included.

9) The NHS is being forced to release the names and addresses of vulnerable patients to the Home Office: http://buzzfeed.com/jamesball/trumping-donald-trump

Questions that remain unanswered from May 2016 include:

  • What was the basis for Google to get 5 years of secondary uses data on every patient who visits the hospital? Google is getting thousands of people’s data per day, yet the hospital admits it is helping only a small fraction of them.
  • Why did the app not simply access the data it could clinically justify, when it needed to display it? That would have provided all the benefits of the app to patients and clinicians, and not given Google the medical records of patients which it had no justification for receiving. Did Google even talk to the hospital’s IT provider about access to only the data it needed before demanding all the data the hospital held?

medConfidential made a complaint to the ICO and National Data Guardian about the project in June 2016. Google and the Royal Free Hospital have yet to provide satisfactory answers, and we understand the investigation remains ongoing.

-ends-

Digital Economy Bill: Part 5, Chapter 1, clause 30 and Part 5, Chapter 2 from a health data perspective

medConfidential asks Peers to:

  • Express support for Baroness Finlay’s amendment on Part 5 (NC213A-D)
  • Express support for either amendment to Part 5 Chapter 2 (Clause 39)
  • Oppose current Clause 30 of Part 5 in Committee and on Report

We attach a briefing, with a more detailed consideration of these points, but in summary:

In 2009, the then Government removed clause 30’s direct predecessor – clause 152 of the Coroners and Justice Bill – because the single safeguard offered then was ineffective. Bringing that back, this Government has not only excluded important aspects of Parliamentary scrutiny, it is trying to introduce “almost untrammeled powers” (para 21), that would “very significantly broaden the scope for the sharing of information” (para 4) without transparency, and with barely any accountability. The policy intent is clear:

“the data-related work will be part of wider reforms set out in the Digital Economy Bill. [GDS Director General Kevin] Cunnington said as an example, that both DWP and the NHS have large databases of citizen records, and that “we really need to be able to match those”. (interview)

While there is a broad prohibition on the use of data from health and social care for research further down on the face of this Bill, in Chapter 5, the approach taken in clause 30 is very different, and contains no such prohibition. Regulations (currently draft) published under clause 36 simply omit the Secretary of State for Health from the list of Ministers, thereby excluding NHS bodies but not copies of health data others require to be provided. This is another fatal flaw in clause 30.

medConfidential is deeply concerned that Chapter 2 of Part 5 contains no safeguards against bulk copying. We accept the case for a power to disclose civil registration information on an individual consented basis – a citizen should be able to request the registrar informs other bodies of the registration – but, just as clause 30 contains insufficient safeguards and is designed to enable bulk copying, so is Chapter 2. One of the amendments laid to Part 5 Chapter 2 should be accepted.

Governments have had since 2009 to solve the problems that clause 30 not only leaves unaddressed, but exacerbates. The Government should either heavily amend Clause 30 at Report stage, or ensure it is removed before Third Reading. This clause is a breeding ground for disaster and a further collapse in public trust, and it simply doesn’t have to happen.

While medConfidential is open to legislation that treats sensitive and confidential personal data in a consensual, safe and transparent manner, this legislation does not. Despite more than 2 years of conversations about accessing data through systems that respect citizens and departments (i.e. data subjects and data controllers) and the promises they make to each other, Cabinet Office instead took a clause from 2009 off the shelf, and has been actively misleading about the process.


Briefing for Committee stage

Your hospital data is still being sold – and here’s why it matters

Every flow of health data should be consensual, safe, and transparent. The Wellcome Trust found that up to 39% of people would have concerns about the use of their hospital data (page 92). Those concerns are well founded, and the safeguards currently insufficient.

NHS Digital says that the “pseudonymised Hospital Episode Statistics” of each man, woman and child in the country are not “personal confidential information” and so your opt outs don’t apply. But the Hospital Episode Statistics are not “statistics” in any normal sense. They are raw data; the medical history of every hospital patient in England, linked by an individual identifier (the pseudonym), over the last 28 years. This article is an explanation of what that means, and why it is important.

To understand the risk that NHS Digital’s decision puts you in, it is necessary to see how your medical records are collected, and what can be done with them when they have been collated.

A proper analogy is not to your credit card number, which can easily be replaced by your bank if compromised, but to the publication of your entire transaction history. Your entire medical history cannot be anonymised, is deeply private, and is identifiable.


How do your treatments get processed?

Each hospital event creates a record in a database. Some large treatments create a single record (e.g. hip replacement); some smaller routine events create multiple records (e.g. test results).

The individual event may be recorded using a code, but the description of what each code means is readable online. As Google DeepMind asserted, this data is sufficient to build a hospital records system (we argued that they shouldn’t have; we agreed it was possible).

As for how millions of those single events get put together, here’s a screenshot of the commercial product “HALO Patient Analyser”, sold by a company called OmegaSolver, which uses the linking identifier (the pseudonym) to do just that:

OmegaSolver HALO Patient Analyser screengrab


The identifier links your records, and that’s the problem.

While a stolen credit card number might sell online for $1, a stolen medical history goes for more like $100.

The loss of a medical record is very different to losing a credit card. If your credit card is stolen, your bank can make you financially whole again, and give you a new credit card. A month later, the implications are minimal, and your credit history is clear. But if someone gets hold of information about your medical history, that knowledge cannot be cancelled and replaced – you can’t change the dates of birth of your children, and denial of a medical event can have serious health implications.

The Department of Health is correct that the identifier used to link all of an individual patient’s data together – the pseudonym, which you could equate to a credit card number – is effectively “unbreakable”, in the sense that it won’t reveal the NHS number from which it is derived. No one credible has ever argued otherwise. You cannot readily identify someone from their credit card number.

But that misses the point that there are plenty of ways to identify an individual other than their NHS number. This is not a new point, but it has never been addressed by NHS Digital or the Department of Health. In fact, they repeatedly ignore it. It was medConfidential that redacted the dates from the graphic above, not the company who published it on their website.

Whenever we talk to NHS Digital or the Department of Health, they repeatedly argue their use of pseudonyms as linking identifiers keeps medical information safe because they hide one of the most obvious ways to identify someone, i.e. their NHS number. We don’t disagree, and we agree that making the pseudonym as unbreakable as possible is a good idea. But what this utterly fails to address is that it is the very use of linking identifiers that makes it possible to retrieve a person’s entire hospital history from a single event that can be identified.

Focussing narrowly on the risk that the linking identifier could be “cracked” to reveal someone’s NHS number misses the far more serious risk that if any one of the events using that pseudonym is identified, the pseudonym itself is the key to reading all the other events – precisely as it is designed to be. That multiple events are linked by the same pseudonym introduces the risk that someone could be identified by patterns of events as well as details of one single event.

In the same way that you cannot guess someone’s identity from their phone number alone, you won’t be able to guess someone’s identity from their linking identifier. But just as in reading your partner’s phone bill, you could probably figure out who some of the numbers are from knowledge of the person, such as call patterns and timings. And once you’ve identified someone’s number, you can then look at other calls that were made…

Hospital Episodes Statistics (HES) provides all that sort of information – and allows the same inferences – for the medical history of any patient who has been treated in an NHS hospital, about whom you know some information. Information that may be readily accessible online, from public records or things people broadcast themselves on social media.

In the event of an accident that leads to HES being ‘published’, this is what NHS Digital says “could happen” – allowing people who know, or decide to find out something about you, to identify your medical history. This is how, in the event that one thing goes wrong, the dominoes destroy your medical privacy and (not coincidentally) the medical privacy of those directly connected with you.

Returning to the example of the phone bill – from a call history, you could infer your partner is having an affair, without knowing any details beyond what’s itemised on the phone bill.

Linking identifiers are necessary to make medical information useful for all sorts of purposes but, for reasons that should now be obvious, they cannot be made safe. That is why safe settings and opt outs are vital to delivering usable data with public confidence.


With 1.5 billion events to search through, what does this mean in practice?

Health events, or accidents, can happen to anyone, and the risk of most people being individually targeted by someone unknown is generally low – a risk the majority may be prepared to take for the benefit of science, given safeguards. But while it may be fair to ask people to make this tradeoff, it is neither fair nor safe to require them to make it.

As an exercise, look in your local newspaper (or the news section of the website that used to be your local newspaper) and see what stories involve a person being treated in hospital. What details are given for them? Why were they there? Have you, or has anyone you know, been in a similar situation?

The annex to the Partridge Review gives one good example, but here are several others:

  • Every seven minutes, someone has a heart attack. This is 205 heart attacks per day, spread across 235 A&E departments. If you know the date of someone’s heart attack (not something normally kept secret), the hospital they went to, and maybe something else about them, using the Hospital Episode Statistics, their entire history would be identifiable just out of sheer averages.
  • If a woman has three children, that is 3 identifiable dates on which some medical events occurred (most likely) in a hospital. Running the numbers on births per day, 3 dates will give you a unique identifier for the person you know. Are your children’s birthdays secret?
  • If misfortune befalls someone and information about an incident affecting their health ends up in the public domain (e.g. a serious traffic accident), or if a person in the public eye, or with a public profile, publicly thanks the NHS for recent care (on Twitter, say), how many events of that kind happen to that kind of person per day? The numbers are low, and the risk is very high.

More information simply makes things more certain, and you can exclude coincidences based on other information – heart attacks aren’t evenly distributed round the country, for example, and each event contains other information. Even if you don’t know which of several heart attack patients was the person you know, it’s likely that you have some other information about the person, their location, their medical history, or other events that can be used to exclude the false matches.

It only takes one incident to unlock your entire hospital history. All that protects those incidents is a contract with the recipients of HES to say they will not screw up, and the existence of that contract is accepted by the Information Commissioner’s Office as being compliant with its “anonymisation code of practice”, because the data is defined as being “anonymous in context”.

This may or may not be true, but relying on hundreds of companies never to screw up is unwise – we know they do.
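As an added illustration (not medConfidential’s, NHS Digital’s or any supplier’s code), here is the chain described above, written as the disclosure-risk check a data controller could run over a pseudonymised extract before releasing it: a few known facts narrow the candidate pseudonyms, and once one remains, the linking identifier returns the whole history. The hospital codes, pseudonyms and events are constructed; the ICD-10 codes are real; the final function shows the same facts against an extract with no linking identifier.

```python
"""Disclosure-risk check for a pseudonymised, event-level hospital extract.

Added illustration, not medConfidential's or NHS Digital's code. The extract
below is constructed: every event carries an opaque linking pseudonym instead
of an NHS number, and the pseudonyms are never reversed (the argument does not
need them to be). The functions measure how many pseudonyms are consistent
with a few facts about a person (dates and hospital of their events), and what
the linking identifier then joins to those events.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import count
from typing import Dict, Iterable, List, Set, Tuple

Fact = Tuple[str, str]  # (ISO date, hospital code) known about a person


@dataclass(frozen=True)
class Event:
    pseudonym: str   # linking identifier shared by all of one patient's events
    date: str        # date of the episode
    hospital: str    # provider code (placeholder values here)
    code: str        # ICD-10 diagnosis code (real codes, constructed events)


# Constructed sample data. Two patients had a heart attack (I21) at HOSP-A on
# the same day; two mothers gave birth (O80) at HOSP-A on the same two dates.
SAMPLE_EVENTS: List[Event] = [
    Event("a91f3c", "2014-07-22", "HOSP-A", "M17"),  # knee osteoarthritis, years earlier
    Event("a91f3c", "2016-03-04", "HOSP-A", "I21"),  # acute MI, reported in local news
    Event("a91f3c", "2016-03-11", "HOSP-A", "Z09"),  # follow-up a week later
    Event("7d02be", "2015-11-30", "HOSP-A", "K35"),  # appendicitis
    Event("7d02be", "2016-03-04", "HOSP-A", "I21"),  # second MI, same day and hospital
    Event("c4e881", "2016-03-04", "HOSP-B", "I21"),  # MI, same day, other hospital
    Event("0be7f5", "2010-05-01", "HOSP-A", "O80"),  # first child
    Event("0be7f5", "2012-09-14", "HOSP-A", "O80"),  # second child
    Event("0be7f5", "2013-02-02", "HOSP-A", "S52"),  # forearm fracture, also linked
    Event("0be7f5", "2016-01-20", "HOSP-A", "O80"),  # third child
    Event("ee1a09", "2010-05-01", "HOSP-A", "O80"),  # another birth on the same day
    Event("ee1a09", "2011-06-06", "HOSP-A", "O80"),
    Event("ee1a09", "2012-09-14", "HOSP-A", "O80"),  # and the same second date
    Event("5f77aa", "2011-06-06", "HOSP-A", "O80"),  # shares ee1a09's middle date
]


def index_by_fact(events: Iterable[Event]) -> Dict[Fact, Set[str]]:
    """Map each (date, hospital) pair to the pseudonyms with an event there."""
    idx: Dict[Fact, Set[str]] = defaultdict(set)
    for e in events:
        idx[(e.date, e.hospital)].add(e.pseudonym)
    return idx


def candidate_pseudonyms(events: Iterable[Event], known: Iterable[Fact]) -> Set[str]:
    """Pseudonyms consistent with every known fact: the intersection of the
    per-fact sets. Size 1 means the person's pseudonym is determined."""
    idx = index_by_fact(events)
    sets = [idx.get(fact, set()) for fact in known]
    return set.intersection(*sets) if sets else set()


def linked_history(events: Iterable[Event], pseudonym: str) -> List[Event]:
    """Everything the linking identifier joins to one pseudonym, oldest first."""
    return sorted((e for e in events if e.pseudonym == pseudonym), key=lambda e: e.date)


def history_from_facts(events: List[Event], known: List[Fact]) -> Tuple[int, List[Event]]:
    """The chain the text describes: facts -> candidate count -> full history.
    Returns (number of candidates, history if exactly one candidate else [])."""
    cands = candidate_pseudonyms(events, known)
    if len(cands) != 1:
        return len(cands), []
    return 1, linked_history(events, next(iter(cands)))


def without_linking_identifier(events: Iterable[Event]) -> List[Event]:
    """Same events with a fresh token per event, i.e. no linking across episodes.
    Shows that the linking, not the pseudonym's strength, is the exposure."""
    tokens = count(1)
    return [Event(f"t{next(tokens):04d}", e.date, e.hospital, e.code) for e in events]


def share_unique_on_one_fact(events: List[Event]) -> float:
    """Fraction of pseudonyms that some single (date, hospital) fact already pins
    down on its own: a release-risk summary a controller can compute before sharing."""
    idx = index_by_fact(events)
    pseudonyms = {e.pseudonym for e in events}
    unique = {e.pseudonym for e in events if len(idx[(e.date, e.hospital)]) == 1}
    return len(unique) / len(pseudonyms)


if __name__ == "__main__":
    mi_day = ("2016-03-04", "HOSP-A")
    print(history_from_facts(SAMPLE_EVENTS, [mi_day]))                           # 2 candidates
    print(history_from_facts(SAMPLE_EVENTS, [mi_day, ("2016-03-11", "HOSP-A")]))  # 1, full history
    births = [("2010-05-01", "HOSP-A"), ("2012-09-14", "HOSP-A"), ("2016-01-20", "HOSP-A")]
    print(history_from_facts(SAMPLE_EVENTS, births[:2]))                         # still 2
    print(history_from_facts(SAMPLE_EVENTS, births))                             # 1, incl. the fracture
    print(history_from_facts(without_linking_identifier(SAMPLE_EVENTS), births))  # 0, nothing links
    print(share_unique_on_one_fact(SAMPLE_EVENTS))                               # 4 of 6 patients
```

Two birth dates leave two candidates; the third date settles it and the fracture that was never public comes with the history, which is the page’s point about the identifier rather than the pseudonym’s strength.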

All this goes to explain why the Secretary of State promised that those who are not reassured could opt out:


NHS England will go fishing in a “Data Lake”, but says “let them eat APIs” to doctors

An “Emerging Target Architecture” from NHS England aims to direct all NHS patient data into a new “national data lake” (page 14). This involves taking genomic, GP, and other health data for direct care, and then going fishing in that dataset for commissioning purposes, while keeping such actions secret from the patients whose data they access.

The inclusion of the data lake and claims to be ‘direct care’ show NHS England has no faith that the tools they propose to doctors will work. The fig-leaf of “localisation” is undermined by the “national” “data lake”, and it seems unlikely that DH and NHS England will cease meddling if a local area decides not to rifle through patient records.

NHS England’s approach does not fix any problems that exist: there is no analysis that should be done, that this model will allow, that cannot be done now if someone cared to do it. The approach does however do away with patient privacy, safeguards and oversight, and allow nefarious access that is currently prohibited. This model does nothing to solve the actual problem, which is the need for more analysis. There is already an excess of data that no one is looking at, this simply creates more data. And no matter how much data there is, “more data” will remain an analyst’s desire. Patients, and the clinicians who treat them, don’t have such luxuries.

Conflating direct care and secondary uses will cause pain throughout the NHS for as long as it perpetuates the legacy of the thinking behind care.data.

Direct care?

For direct care, the idea of patient-visible, audited, “near real time” access to records held elsewhere is not novel nor necessarily problematic in principle (though the details often fall short).

The Lefroy Act from 2015 requires hospitals to use the NHS number to identify patients, which makes data easy to link. The use of near-real-time access where there is a clinical need is not necessarily a problem everywhere, but there are clearly some areas where very great care is needed, and the ‘Emerging Target Architecture’ document contains none at all.

There are benefits to using FHIR APIs (or equivalent) as the definition of a “paperless” NHS (currently conveniently undefined). But this “target architecture” is not about that, and notably doesn’t say that. The APIs proposed can help patients, but do not require new data pools; the “national data lake” assumes they do not, and is included to allow fishing expeditions by NHS England itself and its customers – an “NHS England datamart”.

NHS England’s desire for unlimited access to data for direct care is, in effect, a desire for unlimited access for other purposes. The document claims that “privacy by design” is important, but doesn’t go beyond words and completely ignores privacy in its worldview.

Where is the transparency?

Access to records to provide direct care is valid – but at the scale of the entire NHS, how will a patient know whether their records have been accessed by someone on the other side of the country? The system says nothing about transparency to patients.

While such an architecture can do good, it can also be abused, and the worldview of NHS England offers no potential for dissent.

Open Data and dashboards on current status are necessary for transparency in the NHS. However, paragraph 3.29.3 of ‘Emerging Target Architecture’ suggests that open data can be recombined into a patient record, which suggests something has gone very wrong in the “understanding” behind the document.

NHS England will go fishing in the genetic data lake

Because all patients’ records will be included in the data lake, NHS England will then be able to extract anything for which it can provide a plausible justification. But, as the care.data Expert Reference Group showed, anything can be justified if you use the right words and no one asks questions, e.g. “national data lake” and “privacy by design”.

The existence of a data lake means people will go fishing. You can put up “no fishing” signs, but we all know how that plays out with people who have good intentions, but priorities that undermine the larger goals.

The paper does not talk about genomic data, but Genomics England (GEL) is envisaged as an inflow. Was this a deliberate choice?

This free-for-all stands in contrast to the transparency of the current NHS Digital processes. We may fundamentally disagree with some of those decisions, but there is at least transparency on what decision was made and why.

“Datamart”

The idea of a “datamart” is the clear reappearance of the care.data principle of taking all the data from patients and clinicians, and selling it to anyone who might offer a few beans to get the detailed medical histories of patients.

The conflation of direct care and (dissentable) secondary uses now looks less accidental, and more like an end state goal – for which ignoring patient opt outs was a necessary means to an end.

There must continue to be rigorous and transparent processes for accessing patient level data – and that should include transparency to patients of which organisations have accessed their data. APIs may help care, but they also help those with other intentions.

This proposal also does nothing to reduce the administrative overhead of the NHS billing bureaucracy, nor does it reduce the requirement for identifiable information to be shown to accountants at multiple NHS bodies, simply because they don’t trust each other. A “national data bus” architecture could address that problem, but NHS England has chosen not to care about reducing the burden on others.

There should be no third party access protocols – statistics should be published, or data to solve a specific problem should be available within a safe setting to appropriate analysts whose questions have received appropriate review, who have the data appropriate to answer them, and who publish their results.

Drug companies should be prevented from changing the questions they ask after they know what the results of their trials are. And CQC shouldn’t be allowed to pretend they never asked a question, purely because they don’t like the answer they got. Analysis of the data may lead to new questions; but it should never lead to the original question not being answered. And all questions asked of the data should be published.

The future of (Fax) Machines

There is still no clarity on what will replace the fax machine for one clinician sending information along a care pathway to a department in another organisation. The desire to abolish fax machines isn’t unwise, but they serve a clinical purpose that e-mail demonstrably doesn’t resolve.

Wither Summary Care Record?

The Summary Care Record could perform many of the direct care features, had NHS England not decided upon an “all or nothing” approach to having a SCR. Had the enhancements to Summary Care Records been done on an iterative and consented basis, it would have been simpler to widen SCR to the new areas proposed. But NHS England, with the bureaucratic arrogance and technical mediocrity that pervades this proposal, simply insisted on the same “all or nothing” approach to the enhanced SCR. This being the case, it insists on all patient data being included in a data lake, as the access to data of last resort for clinicians.

Some of the proposals in this document clearly have merit, but when claims are made for “privacy by design” alongside such a fundamentally misconceived and diametrically opposed notion as a “national data lake”, the vision articulated is shown to be incoherent at best.

Prioritising a data copying exercise over actual care repeats exactly the same errors in thinking that set care.data on its path to failure. And, published just weeks after it emerged that patients’ objections to their data being used for purposes beyond their care are being ignored, this looks even more like a deliberate attempt to ignore that there are – and always will be – valid objections.

Ignoring the past in this way puts at risk access to the data of those who would be happy for their medical records to be used, given sufficient safeguards and transparency. Unfortunately, a data lake can never meet those requirements.

The “Emerging Target Architecture” document is here, and NHS England is taking comments until the end of the week…

Your Records in Use – Where and When… — Political will (or won’t) for telling you how your data has been used.

The NHS changes greatly over time, but there are few “big bang” changes overnight that happen without involving the patient. Your health context can change in the course of a single consultation, but the system does not change – only how you interact with it. Press releases may suggest that the NHS is rushing towards genomics and AI, but it’s much more a slow stroll.

The publication of Caldicott 3 called for an “informed” “continuing conversation” about health data. We agree – the best way for a patient to understand how their data may be used next month is to be able to see how it was used last month. But if there are caveats that remain hidden from the public, a dishonest entry is worse than no entry.

Every patient has a personal lived experience of the NHS, and using that as the starting point for accountability of data use is vital. Data usage reports can give a patient the information about how data is used, in a context that directly relates to their personal experience of the NHS. Some of that they were involved in, and some of it is the system doing its thing and hoping no one notices.


Databases: poor and past?

Why are some patients being told to bring their passport to receive care, even though the NHS was there when they were born?

Databases that have benefits will receive public support for doing what they were supposed to do, but there is a widespread recognition that some past data choices by the NHS may have not been wise.

Whether that legacy will be repaired, or left to fester, is now up to the Department of Health, when they respond to the Caldicott Review. The Review left a number of hard questions unanswered, including the abuse of some patients that has been described as tantamount to “blackmail”. Care.data was just one of those. There are others that have hidden under a rock for some time, and followed care.data as if it were a guidebook.

The databases proliferate, yet there is almost no evidence of whether they are useful. Is the energy spent on them worthwhile? Is there a better way of delivering the goals they were designed to meet? There is an opportunity cost to doing anything…

There are many good reasons to use data, but just because a data collection has existed for decades, doesn’t mean it’s still the best way to deliver on the goals. Continued secrecy about the effectiveness of some data projects suggests that perhaps the claims of benefits are overblown, and are not supported by the evidence of what actually happened.

A continuing conversation requires ongoing evidence of reality, not political hyperbole.


Will patients be shown the benefits?

Will patients be provided with the evidence to show how their wishes have been implemented? What was the outcome of projects where their data was included?

What was the outcome of the “necessary” projects where dissent was ignored?

Will the Caldicott Consent Choice ignore the choices patients were previously offered?

In 2016, NHS Digital took the final preparatory steps towards telling patients how their data is used: firstly, keeping track (a side effect of beginning to honour objections), and secondly, publishing a detailed data release register – with sufficient detail for you to work out where some of your data went and why. Such a register allows for independent scrutiny of any data flow, and is a necessary prerequisite to a data usage report.

It does not tell an individual whether their data was used, nor what the knowledge generated was (e.g. see notices tab), but it is the key step. And while two thirds of data sold by NHS Digital does not honour your opt out, Public Health England sneak a copy of NHS data, refuse to honour objections, and hide those actions from their data release register. (As of December 2016, some administrators pretend that there was no opt out offered from “anonymised” hospital data… here’s the video from Parliament).


Digital, Deepmind, and beyond

How AI will support care is a choice for the future, but if there is going to be any move towards that world (and there already is), the transparency of all digital services must be fundamental, inviolable, and clear — it can include AI, but can’t include dodgy caveats.

If there is any secrecy about how patient data is used, NHS institutions may hope to be given the benefit of the doubt for secrecy, Google not so much. If there is secrecy for the NHS organisations, companies will try and sneak in too.

Similarly, if patients are to be offered digital services that they can use without fear, there must be an accountability mechanism for when those services were accessed, that they can view when they wish. Otherwise, the lowest form of digital predators will descend on health services like it’s feeding time. It doesn’t have to happen – unless there is a political decision that mistakes can be covered up.

When companies put out a press release, we often get called for comment and insight on what is actually going on. That’s a journalist’s job, and ours, because some good intentions come with too high a price.

Will the mistakes of the past begin to be rectified, creating the consensual, safe, and transparent basis for the (digital) health service of the future?


Demonstrations of Delivery on promises

There will always be a demand to do more with data – but any framework has to respect that some things will not be permitted.

As Caldicott 3 recognised, telling patients how their data has been used is necessary for public confidence in the handling of data. If there is to be confidence in the system, allowing data to be used to its full potential, then there should be a recognition that when an individual objects to a use of their data, that objection is respected.

We focus on health data, but this applies across the public sector, where there is a desire to make data great again in 2017…


Jeremy Hunt has changed his mind

Welcome to another newsletter from medConfidential.

Jeremy Hunt changed his mind and is still selling your medical records

If you opted out of your hospital records being sold, Jeremy Hunt has changed his mind about your choice.

At the time, he said in Parliament (emphasis added):

“…this Government decided that people should be able to opt out from having their anonymised data used for the purposes of scientific research, which the previous Labour Government refused to do? When they extended the programme to out-patient data in 2003 and to A and E data in 2008, at no point did they give people the right to opt out. We have introduced that right”

The right Jeremy Hunt was so publicly proud of introducing, he has secretly taken away again. He was right to give it to you – his election manifesto promised it would be there.

Over 1.2 million people, just like you, opted out of their hospital records being sold. The opt out has begun to work, but the NHS confirms hospital records are still being sold.

The opt out process you followed in 2014 was the easiest way to opt out, but was not the only way. It was what the Government said would work. They have now changed their minds. We complained to the ICO, and they agreed with the Government.

As a result, we will have more details on what you can do to protect yourself in the new year. The Government had to perform a pirouette to pull this off, and may still have fallen flat on their face.

For now, you may wish to write to your MP and ask about this change. Ask your MP why the Government has gone back on its manifesto promise to let you opt out. Tell them why confidence in the privacy of your medical records matters to you. More details of the change are on our website.

Other steps you may wish to take to protect your medical records will become clear in the new year. If you are in immediate distress, our website contains a longer route to doing so now if necessary. If that is not the case for you, we’d suggest you wait until our full response is available. There is more to come on this, and the shabby secret is now out.

Jeremy Hunt offered you a convenient route which didn’t place an undue burden on you or the NHS. If you took him up on that, he should keep his word. He retracted it in secret, and it took 6 months of work to find out what had actually happened. The opt out you took up for hospital data has begun to be implemented, but is not yet fully in place. The opt out of your GP data, which is a separate tick box on the form you used, is not affected. The GP opt out is working, as it has been since you handed in your form.

Where does data go?

NHS Digital publishes details of where they send data each month, and why. Now they publish detailed official spreadsheets, we turn it into simple webpages. They are at https://dataregister.medconfidential.org

That gives a list of which projects honoured your opt out, and which companies got data on you anyway.

Merry Christmas

2017 is looking busy. The Government will announce what it is going to do. We hope they will do the right thing and honour your opt out (even if they try to do everything else first).

We rely on donations for some of our work, and anything you wish to offer in support will be put to good use. We have some fun plans for ensuring your choice is respected, and donations help them happen.

We will still be here. The Government know we will still be here, and know we will do what we say we will do. We work to ensure that your medical records are only used in a way which is consensual, safe, and transparent.

You can help make that happen.

We wish you and your loved ones a Merry Christmas, and we’ll have more in the New Year. The next newsletter will have better news than this one. We hope.


Thanks for helping

Best wishes, for a Merry Christmas, and a consensual, safe, and transparent New Year.

From Phil, Sam, and all at MedConfidential.

Briefing for the Digital Economy Bill – House of Lords 2nd Reading

Our 3 page briefing is here.

Summary

Given the obstinacy of the Cabinet Office, Part 5 of this Bill has been offered on a take it or leave it basis to Parliament. If it is not improved at Committee stage, we suggest you leave it.

A major hospital in London has a deal with Google to produce an app to tell doctors which patients are in the most urgent need. This is a good thing. But to produce it, Google insisted on having a copy of the main dataset covering every patient in the hospital, which is only available up until the end of the previous calendar month. The appropriate way to get the information needed was to get up to the minute information on the patient whose details they were going to display. However, Google wanted all the data, and insisted on it if the hospital wanted to work with them.

It’s not the creation or production of a pretty app that’s the problem – it’s the demand for excessive data in return for using the app. It’s entirely rational for the hospital to accept the app as it may lead to marginally better care for their patients; but the price is being paid in their patients’ data. The Bill applies this principle across Government: third parties want the benefits of having the data, because this Bill does not require any protections.

The Minister was asked a simple question about safeguards: “Could you explain where they are and what they look like?” – and no answer, because there are none.

Characterising Chapters 1 and 2, it can be said they “will have the effect of removing all barriers to data-sharing between two or more persons, where the sharing concerns at least in part the sharing of personal data, where such sharing is necessary to achieve a policy objective…”

Unfortunately for the Government, that characterisation is quoting from the Government’s explanatory notes for s152 of the Coroners and Justice Bill (para 962). Nothing has changed in Government thinking since 2009, when the House of Lords threw out that clause.

Our 3 page explanatory briefing is here.