Category Archives: News

Why the Biobank breaches matter to you

[if you are looking for opt out instructions, they’re on our how to opt out page]

The “pandemic-only” promise about uses of GP data has been torn up in favour of Biobank

The Guardian then found the full patient-level NHS hospital data given to UK Biobank about its volunteers had been posted to the internet on several occasions – with signs of hundreds of instances of rule breaking and smaller breaches. UK Biobank insists that the NHS hospital records of their cohort are not personal data, despite The Guardian being able to reidentify individuals’ full hospital histories from other information in the dataset.

Why does this matter if you’re not one of the half million people in Biobank? It matters to you because the data leaked by UK Biobank is the same linked, patient-level NHS hospital data that is routinely sold (in full or in part) to hundreds of other organisations. And, even if you have opted out, your data is usually included.


Dog Cancer – is cancer treatment for your dog becoming better than treatment for your grandma, or your kids?

In 2024, we looked ahead to treatments at the end of this Parliament. In 2025, we said: “Mr Streeting knows that by the end of this Parliament in 2029/2030, it’ll be increasingly normal for you to be able to take your cat to the vet to have your cat’s cancer effectively cured.” 

As things turn out, it’s a dog that got famous for a custom mRNA vaccine to treat some cancers


The latest (March 2026) Biobank mess (and consequences for everyone else)

Even before these new revelations, UK Biobank had a very long list of unanswered questions (that PDF was published earlier this week and now needs extending). At the same time, Mr Streeting has decided to give Biobank data from GP records that was collected under a promise it would be used only for the pandemic.

What did the Minister know when he signed the Biobank direction? What did those who publicly supported the Direction know? Did Biobank tell them everything?

Why this matters even if you’re not in Biobank:

The Biobank direction means the “pandemic only” dataset can now be reused however Mr Mandelson’s political protégé decides – GPs have been given no choice because NHS England already has the data and uses it however they are told. This action already destroys trust for the next pandemic, and undermines promises being constructed for Mr Streeting’s Single Patient Record plans where he’ll make political promises around becoming data controller for your medical notes. Apparently this is the acceptable approach and standards for where your data will go in the National Data Library.

Biobank data was, and still is, published on the internet

The Guardian has reported that the NHS hospital data of UK Biobank participants was repeatedly published by Biobank users, and some of it is still publicly available months after Biobank was first told that Biobank patient level data was published online. This notification was before the Direction was signed which will allow “pandemic only” GP data to flow to Biobank to be used like the rest of the Biobank data.

The statement on the Biobank website completely omits that this happened and this remains the case.

Biobank admit they don’t know who their users are

Biobank have sent many legal notices to have material taken down from the internet.

UK Biobank admits that, in every case where they send a legal notice, that is because Biobank’s attempts to identify and contact the researcher have failed. Either Biobank don’t know who the researcher is, or the researcher doesn’t care enough to reply to the Biobank email. 

It is clear that Biobank does not know who their active researchers are, because if Biobank did know who the users were, Biobank would not have to resort to takedown requests for accounts they cannot identify.

In any event, Biobank gave them (or someone) access to that data in the first place – the application form is short and woefully insufficient, but it does have a space for an email address. Researchers ignore emails from Biobank, alongside ignoring the Biobank rules that Biobank say protect the NHS data they share.

Since Biobank resorted to these legal means, did Biobank notify NHS England they were doing this over NHS sourced data? 

That’s before we consider approved data use in Chinese undergraduate teaching – the lecturer is granted access, but the students get it too and Biobank has no way to know who they are.

Biobank blame their victims for Biobank’s failings

UK Biobank simply claims that no Biobank member has been harmed, and if they have, then it’s their own fault.

If you’re in Biobank, and if anyone knows anything about your medical history, they can potentially read it all. Apparently the bland text on page 23 of this newsletter was Biobank telling you about the risks you had chosen to take, and Biobank would allow researchers to take.

Given the nature of researcher conduct, it is not possible to guarantee that there are no further examples.

NHS England did a “consent audit” of Biobank, which Biobank says they passed. Is this victim blaming what NHS England’s audit found and approved? 

To quote Biobank’s newsletter “In everything we do, we ask, what would participants expect from us?” so are the Biobank statements what one would reasonably expect?

Biobank’s [ public statements ] are incompatible with their [ redacted ] 

[redacted until Biobank fix it or decide they’re willing to take that particular risk with their cohort]

The Guardian work shows how easily NHS patient data is re-identifiable

The Guardian’s efforts confirm that if you know one health event for a person, you can read off all the others through the linking pseudonym, the EID that Biobank’s response argues is so immaterial that it can be published repeatedly on the internet without consequence. 
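A data custodian can measure this risk before a release. The audit below is an added example, not code from UK Biobank, NHS England or The Guardian; the field names and the rows are constructed for illustration. It counts how many pseudonyms are singled out by knowledge of one event, and how many further events the shared pseudonym then discloses.

```python
from collections import defaultdict

# Constructed sample rows, not real data. "eid" stands in for the linking
# pseudonym; the other field names are assumptions made for this example.
RECORDS = [
    {"eid": "P001", "date": "2019-03-04", "dx": "S52.5", "site": "H1"},
    {"eid": "P001", "date": "2021-11-19", "dx": "F32.1", "site": "H2"},
    {"eid": "P001", "date": "2022-06-02", "dx": "O80", "site": "H1"},
    {"eid": "P002", "date": "2019-03-04", "dx": "S52.5", "site": "H1"},
    {"eid": "P002", "date": "2020-01-15", "dx": "I21.9", "site": "H1"},
    {"eid": "P003", "date": "2019-03-09", "dx": "S52.2", "site": "H1"},
    {"eid": "P003", "date": "2023-08-30", "dx": "C50.9", "site": "H3"},
    {"eid": "P004", "date": "2019-07-21", "dx": "S52.0", "site": "H1"},
]


def exact_event(row):
    """One event known precisely: the day, the diagnosis and the hospital."""
    return (row["date"], row["dx"], row["site"])


def coarse_event(row):
    """One event known vaguely: the year and the 3-character diagnosis group."""
    return (row["date"][:4], row["dx"][:3])


def linkage_risk(records, known):
    """Audit a pseudonymised release against knowledge of a single event.

    `known` maps a row to the attributes an acquaintance is assumed to know.
    If only one pseudonym matches those attributes, that pseudonym is singled
    out and every other row carrying it is disclosed along with it.
    """
    eids_by_event = defaultdict(set)
    events_per_eid = defaultdict(int)
    for row in records:
        eids_by_event[known(row)].add(row["eid"])
        events_per_eid[row["eid"]] += 1

    singled_out = set()
    for eids in eids_by_event.values():
        if len(eids) == 1:
            singled_out |= eids

    return {
        "participants": len(events_per_eid),
        "singled_out": sorted(singled_out),
        # Events revealed beyond the one that was already known.
        "other_events_disclosed": {
            eid: events_per_eid[eid] - 1 for eid in sorted(singled_out)
        },
        # Size of the smallest group sharing one event (the release's k).
        "smallest_group": min(len(eids) for eids in eids_by_event.values()),
    }


if __name__ == "__main__":
    for label, known in (("exact", exact_event), ("coarse", coarse_event)):
        print(label, linkage_risk(RECORDS, known))
```

In the constructed data, coarsening dates and diagnosis codes protects only the participant whose sole event is a common one; anyone with one rare event is still singled out, and the shared pseudonym then links the rest of their record.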

The Biobank response also argues that if data they have lost control of leaks (as it has), and anyone who knows anything about your health uses that lost data to find out more, then that’s your fault.

The Department of Health in England makes the same self-serving argument – they take risks with your data and will blame you when they go wrong. Everyone treated in an NHS hospital is in the hospital datasets that NHS England sells, usually without respecting the National Data Opt Out. 

UK Biobank’s sole remaining defence is that it’s difficult for someone you’ve never met and who knows nothing about you to reidentify you – which doesn’t address the fact that you have met many people who know something about you and your health and can now potentially read everything; or the Department of Health in England can stop making stupid mistakes.

None of this is new: the flaws and risks were discussed at length in Chapter 4 of the 2022 Goldacre Review.

For Biobank participants who now wish to withdraw

We have heard that participants have withdrawn from Biobank because of their failings over recent years. Biobank claims privately no one has told them they’ve withdrawn for this reason, but then, participants don’t have to give Biobank a reason for withdrawing.

If you’re in Biobank and wish to withdraw, they make you email them for the form. You are required to know your Participant ID, which Biobank probably told you 20 years ago, you can find on some communications from them, or simply download it from the internet with most of your hospital record if you know where to look…

You can withdraw from Biobank, you won’t be allowed to withdraw from the National Data Library.

Biobank’s reckless disregard for personal data has infected the “National Data Library”

The HDR/Sudlow Review argues that all public sector data should be linked (one topic in the ID cards consultation) and used like Biobank. At the Review launch, the former Chief Scientist of Biobank said Biobank has “one of the best systems” for data access, and Biobank data should be “used as widely as possible”, and has now been rewarded with a seat on the National Data Library advisory board.

Biobank’s actions exemplify Mr Mandelson’s culture being applied to NHS data (increasingly so via the Biobank direction), and it will cover everyone everywhere in the UK via the National Data Library.

Unless DSIT agrees that the UK Biobank approach to those in their dataset as covered above will be that of the National Data Library, DSIT should remove Prof Sudlow from the advisory board. Biobank’s public response is the responsibility of the current Biobank senior leadership (most of whom should also resign in disgrace, but won’t as they blame the victims rather than accepting responsibility for their decisions; and wisely no one appointed them to an NDL seat). Responsibility is known and admitted for how Biobank ended up in the mess they have put their cohort in, the only question is whether there will be any consequences for that.

==

In addition to our annual-ish newsletter, you can also join our free substack to get emailed whenever we post some news or commentary.

The Covid Inquiry Module Reports

There has been much ‘chirping’ about the Covid Inquiry: it’s too wide, it’s too narrow; it’s not looking at the right things; it’s not looking in enough detail at the particular bit of the elephant someone spent their time holding; it’s looking in too much detail at another part or parts of the elephant; etc…

The Inquiry contains multitudes (good work on complex topics inevitably must) and the Inquiry’s modular nature lets everyone complain – much as historians can write very different books on events that were vaguely recorded, and they do. 

And those very same chirping interests tend to dismiss others as “Non-Playing Characters” when they want to remove agency from people and groups who will and should be able to make decisions they disagree with. Today’s decision makers are strong and everyone else must accept that, as if today’s decision makers are all that matter.

Data is a common theme in the Inquiry


Data keeps coming up. Everyone involved wants more data at all times to do more things.

Assumptions being made about data by the Department of Health in England (as it is now becoming) are that they want to be able to do anything they choose, and that they should be able to do whatever they want at all times.

The underlying model of DH/E is that Palantir systems will have all the data, and that DH/E controls the configuration. And if DH/E flips the data controller switch again, they’ll be able to do anything they want.

One advantage of Palantir’s product being based upon Apache Spark software is that its capabilities are public; Palantir just does ads on anything they claim they alone can do. Palantir is not magic.

In effect, DH/E’s position is that Mr Streeting wants to be the data controller for your medical notes, and he alone will decide who can use them. (Until he is replaced, of course – then his successor decides…)

These are self-prioritising claims made without external input. Alternatives exist, but Mr Streeting doesn’t care because he knows what he wants and is going to impose it upon you.

If a national analysis were needed, it could be designed nationally, run per “instance”, and the answer could be collated nationally without the “National data integration tenant” (NDIT) having the data. 
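A sketch of that arrangement, as an added example rather than anything taken from the Federated Data Platform: the query is defined once, each instance runs it over its own rows, and only counts leave. The query format, the field names, the small-number threshold and the handling of opt-outs are all assumptions made for illustration, and the rows are constructed.

```python
from collections import Counter

SUPPRESS_BELOW = 5  # assumed small-number threshold; a policy choice

# The national team designs the analysis once and ships the definition.
QUERY = {
    "name": "admissions_by_age_band",
    "where": {"dx": "J18"},
    "group_by": "age_band",
}


def make_rows(spec):
    """Build constructed rows from (age_band, dx, opted_out, how_many) tuples."""
    return [
        {"age_band": band, "dx": dx, "opted_out": opted_out}
        for band, dx, opted_out, how_many in spec
        for _ in range(how_many)
    ]


# Constructed data held by two separate instances (not real records).
INSTANCE_A = make_rows([
    ("65+", "J18", False, 12),
    ("65+", "J18", True, 3),     # opted out: never counted
    ("18-64", "J18", False, 2),  # below threshold: suppressed locally
    ("65+", "I21", False, 7),    # not selected by the query
])
INSTANCE_B = make_rows([
    ("65+", "J18", False, 8),
    ("18-64", "J18", False, 6),
])


def run_locally(instance_name, rows, query):
    """Run inside one instance; only aggregate counts are returned."""
    counts = Counter()
    for row in rows:
        if row["opted_out"]:
            continue
        if all(row.get(field) == value for field, value in query["where"].items()):
            counts[row[query["group_by"]]] += 1

    released = {group: n for group, n in counts.items() if n >= SUPPRESS_BELOW}
    return {
        "instance": instance_name,
        "query": query["name"],
        "counts": released,
        "suppressed_cells": len(counts) - len(released),
    }


def collate(results):
    """National step: sums the instances' counts and never sees a row."""
    totals = Counter()
    suppressed = 0
    for result in results:
        for group, n in result["counts"].items():
            if not isinstance(n, int) or n < SUPPRESS_BELOW:
                raise ValueError(f"{result['instance']} sent a non-compliant cell")
            totals[group] += n
        suppressed += result["suppressed_cells"]
    return {"counts": dict(totals), "suppressed_cells": suppressed}


if __name__ == "__main__":
    results = [
        run_locally("A", INSTANCE_A, QUERY),
        run_locally("B", INSTANCE_B, QUERY),
    ]
    print(collate(results))
```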


DH/E argues opt outs are an impediment because DH/E wants to copy all of the data for its own purposes, and to avoid accountability to patients (or anyone else) because a civil servant might be held responsible for something. 

Patient wishes get ignored when secrecy makes it easier to ignore them

GP data was collected from practices under the promise of being “covid only”, a promise torn up by the current Secretary of State who doesn’t keep promises he didn’t make. It’s entirely unclear what he expects his successor to do.

It is the Department of Health in England’s view that expecting to have choices over your healthcare is excessive, and data about that care should be unrestricted within the Department – you are to be expected to accept how politicians choose to use and read your medical notes if you accept any form of care at all. If you seek NHS care, what the NHS does with that care is what’s in the interests of the Department, the personal fiefdom of a politician, and not something about which you should have information. That was also the approach to pandemic procurement, a module of the covid inquiry to come out in future.

The Covid Inquiry shows decisions have consequences, and DH/E staff wish to avoid all of those consequences (especially in the “Privacy, Transparency and Trust” team, which refuses to accept privacy, undermines claims of transparency, and undermines Trust). The disingenuous existence of that team means that other parts of DH/E can entirely ignore those principles, claiming to defend them while undermining them directly.

When it came to the Federated Data Platform, NHS England decided in secret they didn’t have to do a full impact assessment on their “Privacy Enhancing Technologies” because the name said they were privacy enhancing. That’s the sort of decision that causes inquiries, not respects their findings.

The hits keep coming, and at some point, like the decision in the Biobank direction, the bill will come due.

Being within a system distorts your perspective on success

It is blatantly obvious that the current dangerous drop in vaccination rates will not be reversed by allowing home visits for vaccination; but it’s something the system can do, so it does it and exaggerates their claims.

It is equally true, as the covid inquiry reported, that the actions of late March were significant even if the same individuals made catastrophically flawed judgments beforehand and afterwards.

The system is doing what the system does. The system has recognised that what it does is entirely out of step with public expectations (and arguably the law), but the system’s response is to want to lower public expectations towards what is easiest for the PTT team. Good luck with that. 

Some of the criticism of the Inquiry by former officials is that the Inquiry, like some officials think of the public, should do whatever is best for the officials (thinking that also pervades the think tank glossies about how ID cards will be wonderful for think tanks).

How many people like you should the state allow to suffer and die? Why should that number be any different for people in similar circumstances but not like you?

The new structures of DH/E entirely fail to understand that there is a difference between doing the best you can, and doing what is necessary. There’s a difference between saving as many as you can, and inconveniencing as few as possible (and you as little as possible).

The cultural silo that “we alone must do it all, alone”, epitomised by the current US administration’s approach to, well, everything, is also prevalent across DH/E.

Of course, those with the resources to have their own version of covid events will be able to commission their own books when the documents reach The National Archives in due course. Your health records are widely available to anyone who applies to use them for now because the system doesn’t want to inconvenience valued colleagues by accepting patients’ wishes.

You only need to look at the Biobank mess to see how this goes wrong.

====


Join our mailing list for occasional substantive updates. In addition, you can join our substack to receive updates when we post updates to our website (subscribers and donations are very welcome – medConfidential currently has no substantive funding for 2026.)

Government tells NHS that GPs should misinform patients

[14 March: this piece was written and published before The Guardian disclosed that UK Biobank (who will receive the GP data discussed in this piece) had repeatedly leaked NHS data onto the unrestricted internet. We’ll update this shortly, addressing the UK Biobank reassurance which should do anything but – no one knowing about anything in your medical history other than UKB is not realistic, but it is self-serving for UKB. See also A Warning for Experts by Experience]

During the pandemic, your data was collected from every GP under the promise that its use would be for “pandemic only” purposes. That promise is still on your GP’s website. Mr Streeting has decided to tear up that promise and is seeking to do so behind patients’ backs by instructing GPs not to tell patients of the change.

This is going to become a very large mess.

GPs were told in 2020 to put on their websites a promise that the data would only be used for the pandemic. That wording is still there. Mr Streeting has Directed NHS England to reuse the data however he wishes, but GPs have been told that “no action” is required and is therefore not monitoring acceptance – despite the fact that taking no action means the practice website will still be telling their patients that the “pandemic only” constraints are still in effect when they have been torn up and Mr Streeting does what he wants with their data. This is the first time, but there are repeats on the horizon.

And this matters even more because Mr Streeting ‘crossed a political rubicon’ when he signed the Direction saying that the NHS can lie to patients about how data is used. Like a Silicon Valley techbro, his actions show he can make a promise today and break it with a swish of his pen tomorrow. (Of course this also means he could choose to reverse this decision and stick to the “pandemic only” promise; if he doesn’t, the die is cast.)

Latest in a line of breached promises

The secretive charity HDRUK already broke the “pandemic only” rules when they trained an AI on “pandemic only” medical records for any purposes they like. When NHS England asked its independent Advisory Group on Data to assess those projects (item 5.1), the majority did not support them. 

NHS England refused to do a meaningful investigation, instead limiting itself to simply asking HDRUK whether a project was only used for pandemic purposes and believing their answer, despite the assessment of their independent advisors. HDRUK persists with the levels of transparency and accountability of the Boris Johnson administration. 

“Lying to the press is not a crime”, says Baroness Mone, OBE – and the shared culture of HDRUK and Biobank has applied that same principle to patient data.

Biobank still sends patient data around the world and does not disclose which users are given exceptions to Biobank’s supposed rules. Our list of unanswered questions is long. Biobank continue to allow the company related to the eugenicists to access their servers (which are subsidised by UK tax payers), and Biobank claims “Byte Dance Ltd” are doing genomics research via their Cayman Islands holding company, despite claims the project is based in the United States from staff in China. (Byte Dance makes the TikTok app). After Biobank angrily insisted there was no problem with Biobank giving to insurers data that was donated for research, they later quietly slipped out that they had stopped; a US shell company called Flying Troika was never investigated, and Biobank approved last month a new project explicitly to give undergraduates in China real NHS/Biobank data to use in exercises.

This all matters not only because of the plans for a Single Patient Record and the Health Data Research Service, but because HDRUK and Biobank share a culture and say they designed the HDRS. This all matters because of the proposals for a Health Data Research Service, and because of the proposal for the Secretary of State to be Data Controller for the Single Patient Record.

If a patient has a National Data Opt Out covering research, none of their data should go into HDRS. The Biobank Direction threatens that. The published Direction is only for “consented cohorts”, but a future second half is under discussion covering “unconsented cohorts”, which will likely be as broad as HDR’s past requests; cohorts such as “people who have hearts”, or “who are breathing”.

The extent to which HDRS delivers on the goals, delivers for patients, or does neither of those things depends on decisions not yet officially made. As DHSC takes over NHS England, and takes over the data release registers, those DH registers must include all NHS data that flows out of any DH entity, otherwise they are by definition incomplete. The NHS itself has largely avoided data re-use scandals over the last decade by having complete registers of decisions made and where data flowed. They may have got in trouble about new datasets, but the decisions on old ones were clear (until HDRUK tore up that consensus by breaking the covid-only rules). Will HDRS look more like the transparent governance of NHS England, the secretive cartel of HDRUK, or the unaccountable club that is UK Biobank? There are now many moving parts, and who will gain a short term advantage is unclear.

HDRS could be good

The new Health Data Research Service could be good; it could be consensual, safe, and transparent. But there are widespread concerns that it will not be. (We’ll have more on HDRS soon).

HDRS has the opportunity to get it right from day one, and we see no sign of DH allowing them to do that – the job ad for the Chair/CEO of HDRS said that HDRS decisions will be “directly accountable to Ministers”.

If patients who have opted out of their personal data being used in research are overridden by politicians and HDRS so they have their data used in research against their wishes, then that will likely go as well as some of the other pre-u-turn decisions of this government. 

Patients have choices

Polling says that up to 20% of people think they have opted out, but official statistics show only 5.5% actually have a National Data Opt out. If a patient is concerned about whether they have opted out, they can check with the online system, and then they need to do the two or more step process to actually opt out: online individually for your National data, and then on paper for your GP data for your whole family, and then a different paper form for National data for your kids! (The previous government designed this system to create administrative barriers to opting out; the new Government hasn’t made it worse yet at least)


Government is currently going through a ‘process’ (involving push polls about which we have had complaints from those attending the focus groups) to look at whether opt outs should be “reformed” in ways which mean an opt out after some date in the future may do less than the opt out does today. As seen with HDRUK, some in research think patients’ views don’t apply to them – and NHS England doesn’t want opt outs to apply to their “planning” (i.e. everything Government does in health).

It is important for patient confidence that there be “no surprises”, and that genuine transparency shows that promises are being kept or being carefully changed. Without this, how can any patient have confidence in the decisions being made as it takes control of their medical notes in the Single Patient Record?

Moving Parts: Current and Imminent Government plans for your medical records

[14 March update: this was published a few days before The Guardian revealed that Biobank data has been lost several times and Biobank say it’s patients’ fault if they come to harm.]

Government is gearing up for a bunch of announcements about taking your medical record and doing what they want with them – there are many moving parts.

To inform future pieces, we’ve published a long piece on many of those moving parts (not all, because we keep some surprises as surprises).

HDRUK, Biobank, and Mr Streeting argue that privacy doesn’t matter, and they and their cronies should be able to do whatever they want with data without consequence.  They use that argument to break pandemic-only promises, then it’ll be imposing Palantir, and then taking away what rights you do have. Mr Streeting is implementing what he learnt from his political mentor, Mr Mandelson.

We’ll see about that – and perhaps this government will change course when it realises it has done something unwise. 

You can read the full document here.

======



MedConfidential Bulletin – 19 December 2025

Hello again from medConfidential,

We’re still here! And so, for another few months at least, is NHS England – and hopefully, given Mr Streeting’s stated intentions, is your local GP…

What happened since our last Bulletin

The Government published its “10 Year Plan” (10YP) with most of the deliverables due after the next election, and with improvements to your family doctor coming after 2035. Perhaps you’ll have to “say goodbye to your data (and say goodbye to your GP)”?


We published a short series of longer pieces on the 10 Year Plan, the consequences of which will be felt throughout the life of this Parliament – but some headlines include:

  • As people have worked out that “Federated Data Platform” is just another name for Palantir, the term “Single Patient Record” has been coined as the new euphemism.
  • You’ll be given a “Single Patient Record”, which you’ll be told you “own” and “control” – over which you will find you have little or no meaningful control or ownership*, as it will contain everything the State wants to record about your health for its own uses, from your DNA to the activity sensors on your device.
  • Another of the grand ideas in the 10YP is for hospitals to take over GP practices – making your GP about as ‘local’ as your Jobcentre, while you’ll simultaneously lose the only part of the NHS that treats you as a person over the long term. 
  • There’ll be AI recording consultations in these new centres; every word you say, summarised – and they’ll keep the transcripts to check the summaries, and the audio recordings to check the transcripts. Artists made art.

*The contradictions and caveats in the 10 Year Plan mean your opt-outs, both the “National Data Opt Out” and your “GP Data  Opt Out”, may protect you less after some future date (maybe in 2026?) than they do today.

To stay informed and to find out what we publish when we publish it, you can now join medConfidential’s new Substack (for free) which will send you an email to alert you whenever we publish something.

What’s happening now

The Covid pandemic had temporary rules on data and procurement, which assumed that everyone was acting in the best interests of everyone else, and that no-one would be greedy and profiteer for their own narrow gain at public expense. 

The PPE procurement mess with Baroness Mone has been high profile and long running. Less noticeable has been one ‘sockpuppet’ of HDRUK – an organisation which decided that the rules didn’t apply to them, and started cheating by using data for purposes that were not related to Covid (except in the fiction of HDRUK’s own paperwork). Because HDRUK’s paperwork claims that its uses are “for Covid”, NHS England believes the paperwork – and neither the ICO nor NDG will disagree with the details, which is the sort of defence Baroness Mone would entirely agree with. 

In that same spirit, Mr Streeting – or strictly speaking, his Department – has written a Direction to NHS England to re-use the “Covid only” datasets for purposes that are not Covid related. Following the leadership of HDRUK (see previous paragraph) these re-uses will first be for some “consented cohorts” and then for some “unconsented cohorts”, i.e. everyone. The consented cohorts include the volunteers at UK Biobank, which is still refusing to answer questions about where it sent the NHS data of its 500,000 participants, and why. And the new project “Our Future Health” is watching its predecessor closely…

Your ability to opt out has always been a gift of the Secretary of State, and the Department of Health in England’s recent public engagement – parts of which are barely more than a push poll – has provided a wide range of views which the Secretary of State will take as license to do whatever he wanted beforehand.

He could make the National Data Opt Out stronger and more effective – as some people have said they want – or he could try to take away your opt out so that it doesn’t apply to uses of data by the Department of Health and NHS England, which is what NHS England and his Department wants. Mr Streeting’s plan for the new ‘Health Data Research Service’ (HDRS) will take your data even if you have opted out of research – so Wes could decide you have to opt out yet again, even if you opted out before. (And, once again, opting out may involve punishing parents via a different process for their kids…)

One question we’ve been asking for months, to which DH has no credible answer, is if you have opted out of your data being used in research, will your data be included in the HDRS?

As the National Data Guardian put it in her Annual Report 24/25 (p5): “Exemptions granted for essential planning and operational work mean it no longer reflects what many believe it offers. This risks undermining trust.” We agree and would go further, as those exemptions are also deemed to apply to non-essential work.

What’s coming next

Mr Streeting thinks that the solution to NHS problems is to replace your doctors with ‘his’ AIs, many of them running in Palantir – aka “Making Palantir Irreplaceable”, despite the fact that “Palantir isn’t magic”. In the meantime, the 10 Year Plan has started in maternity care with the sickest babies, and will move up the ages from there – while Mr Streeting’s officials remain incentivised to confuse dystopia with efficiency, and Palantir’s vision may be “Making Americans Irreplaceable” to “healthcare”.  

As we wrote back in January, this Government is obsessed with building an ‘Everyone Database’ – the latest incarnation of which hides behind Mr Starmer’s 26 second announcement of the Blair government-in-exile’s “digital ID cards”.

medConfidential will keep the streams separate for as long as government does, but if you would like to follow this aspect of our ‘rest of government’ work, you can visit NO2ID’s new website, subscribe (for free) to the NO2ID Substack, or sign up to join NO2ID’s Bulletin mailing list by sending an email to hello@no2id.uk 

Seasons’ greetings

This will be our last Bulletin before the New Year. We wish you and your loved ones well for the festive season. Should you feel inclined, medConfidential is always grateful for your support, as we also appreciate so many of you being on our mailing list. As ever, please do pass this Bulletin on to anyone to whom you think it may be relevant.

Warm wishes,

Phil Booth & Sam Smith
18th December 2025

==ends==
