Why does your data go to the places it goes?

It has been widely shown how it was easier for Facebook to first ignore, then disbelieve, evidence of how data about you was abused for profit and power. Institutional denial is not unique to Facebook. Those who sell your NHS data are no better than those who sell Facebook data when it comes to protecting your personal health data from commercial uses.

What happens to the data you give to the NHS?

There is no official list from the NHS of who has had access to data about you and why.

Companies get to use patient data if they are working with the NHS to provide care, or do research, or anything that is “for the purposes of the promotion of health”. While the NHS does not have the resources to do all of the analysis it needs on its own, companies that service NHS organisations can (and do!) also exploit patients’ data to service customers that the NHS chooses not to tell you about.

When Ministers point to ‘new safeguards’, breaches of contract are routinely ignored without sanction and the rules for ‘one strike’ punishments are not yet in effect. Companies which have agreed with NHS Digital that they have breached the rules continue to receive millions of patients’ hospital data, on a monthly basis.

Of course, if everyone could see who has had access to their data and for what purpose… 

Companies that are paid to do work for the NHS can keep it ‘commercially confidential’, and resell the outputs to others who would never be allowed to see the original data. The NHS should not sell patients’ data directly to insurance companies and marketers (as it did until a few years ago), but those who believe it too difficult or sensitive to access data themselves – including pharma marketers, commercial product developers, tech companies, and private healthcare providers – are still able to make use of your data via what are called ‘information intermediaries’: profit-seeking enterprises that receive data from the NHS on a ‘commercial re-use’ basis. Without full information on how data is used, or not, it is impossible for someone to form an informed view on these uses.

Forced private provision of analysis

Every one of Health Data Research UK’s new ‘Digital Innovation Hubs’ has at least one commercial partner, which will take public data and efforts to do ‘research’, and then charge the NHS time and time again to use the outputs. This way, the NHS first pays for “research” to be done, and then the NHS pays again and again to use the results.

Companies gain NHS expertise at NHS expense, and then get to walk out the door with it at the end of the contract – leaving the NHS either beholden to them, or needing to turn to others. (And so the cycle repeats…)

Commercial “research” is almost always research and development (‘R&D’) oriented, unlike open public or academic research, where the goal is discovery and public understanding. While the NHS may eventually be able to offer a new treatment, the odds are we’ll have to pay three times for it: funding initial research, paying also with our data, and then pumping profits in perpetuity into the bottom lines of those companies the NHS – or politicians, or other powerful interests – chose to ‘partner’ with.  

The choices companies make, and the analyses they choose to do, may not necessarily be in the NHS’s long-term interest. Any objective net assessment of such choices shows that, on this basis, not only the NHS but patients themselves will be taken for a ride ‘in the commercial interest’ at every opportunity.

Business models to exploit the NHS

Since the late 90s, PFI was used to fund over fifty new hospitals, only for the bills to become due a decade later – sometimes with devastating consequences. This same approach is now being applied to our data.

The Government’s ‘Life Sciences Industrial Strategy’, written by Professor Sir John Bell, led to not one but two ‘Sector Deals’, and in subsequent years a slew of ‘frameworks’ and ‘codes of conduct’ grounded in (you guessed it) those same ‘principles’ that were laid out in the initial Sector Deal. Plenty of fine words and aspirations, all boiling down to the key question: how are we going to facilitate the commercial exploitation of NHS patients’ health data? (And, in time, their genomic data too?) 

In an attempt to boost this effort, the Office for Life Sciences (OLS) has been investigating possible business models. Unfortunately, as with the Digital Innovation Hubs, it seems the wrong criteria have been chosen; the key metric – as with care.data in 2014, and other initiatives – being to ‘stimulate economic activity’ rather than to deliver best value to the NHS.

Every business model that OLS considers will be gamed. And there is no model that will reap meaningful financial rewards for the NHS – the companies’ lawyers are paid too much to allow that, and even if the contract struck by the NHS is watertight, they’ll lobby Government to change the rules.

As with PFI, we’ve seen this approach before too. Those arguing the tobacco companies’ cases always had endless money and endless resources; those working in the public interest were always on a shoestring, and had to battle through a near-endless series of legal figleaves. 



Future potential

The primary measure of success should be net cost to the entire NHS (and social care) budget, rather than to any individual budgetary silo. Rather than focusing on speculative business models – the venture capital-backed ‘exponential growth’ versions of which will inevitably turn predator upon the NHS – OLS should be attempting to deliver commodity pricing for all innovations, as fast as possible, so the public purse pays the minimum overall, and the best care is equally available to all.

Protect all NHS personal data 

Denial about data has effects on everyone – those who want data the most will ask those who have it, but who care the least about that part. If a ‘credit history check’ is requested to confirm residency, by a maternity, cancer, or mental health hospital, the only reason they would do that is because you were seeking such care.

While it may have pleased the previous Prime Minister to believe that the NHS should give data to the Home Office whenever it wanted, no personal data provided to the NHS as part of care should be passed on to other Departments unless it is for care purposes or with freely-given, properly informed consent. That a piece of information which is required by the NHS to provide care is not directly about a person’s health or treatment does not make it any less personal – nor, indeed, any less confidential.

When it first emerged in 2014 that the ‘National Back Office’ was handing information about patients to the police and Home Office, there was a public outcry. That it delayed publication of the review of this practice did it few favours when it emerged that the Department of Health and NHS Digital had simply formalised the arrangement in a ‘Memorandum of Understanding’ with the Home Office in 2017.

Though forced to U-turn on this policy in 2018, and to stop handing over patients’ “non-clinical” data to the Home Office, another arm of the NHS was actively soliciting Trusts to use Experian to perform ‘residency’ checks on its patients – handing over details including people’s name, address, date of birth and NHS number in order to do so, thereby telling Experian the condition they likely had (due to the nature of the hospitals involved).

While the NHS may consider such information “non-clinical”, the law is clear: it is still personal data. And furthermore, personal data in a medical context can be sensitive personal data as well; while a particular item of information may not contain clinical detail, it can still be highly indicative of one’s health (or lack of it). The date of your appointment at a cancer clinic reveals more than just the day you went there. 

Just because the NHS doesn’t see particular ‘value’ in some data, doesn’t mean that others won’t see value the NHS misses – and will exploit the access the NHS has to such data for their own gain.