Even before these new revelations, UK Biobank had a very long list of unanswered questions (that PDF was published earlier this week and now needs extending). At the same time, Mr Streeting has decided to give Biobank data from GP records that was collected under a promise it would be used only for the pandemic.

What did the Minister know when he signed the Biobank direction? What did those who publicly supported the Direction know? Did Biobank tell them everything?

Why this matters even if you’re not in Biobank:

The Biobank direction means “pandemic only” dataset can now be reused however Mr Mandelson’s political protégé decides – GPs have been given no choice because NHS England already has the data and uses it however they are told. This action already destroys trust for the next pandemic, and undermines promises being constructed for Mr Streeting’s Single Patient Record plans where he’ll make political promises around becoming data controller for your medical notes. Apparently this is the acceptable approach and standards for where your data will go in the National Data Library.

Biobank data is still published on the internet 

The Guardian has reported that the NHS hospital data of UK Biobank participants was repeatedly published by Biobank users, and some of it is still publicly available months after Biobank was first told that Biobank patient level data was published online. This notification was before the Direction was signed which will allow “pandemic only” GP data to flow to Biobank to be used like the rest of the Biobank data.

The statement on the Biobank website completely omits that this happened and this remains the case.

Biobank admit they don’t know who their users are

Biobank have sent many legal notices to have material taken down from the internet.

UK Biobank admits that, in every case where they send a legal notice, that is because Biobank’s attempts to identify and contact the researcher have failed. Either Biobank don’t know who the researcher is, or the researcher doesn’t care enough to reply to the Biobank email. 

It is clear that Biobank does not know who their active researchers are, because if Biobank did know who the users were, Biobank would not have to resort to takedown requests for accounts they can not identify.

In any event, Biobank gave them (or someone) access to that data in the first place – the application form is short and woefully insufficient, but it does have a space for an email address. Emails from Biobank that researchers ignore alongside ignoring the Biobank rules that Biobank say protect the NHS data they share.

Since Biobank resorted to these legal means, did Biobank notify NHS England they were doing this over NHS sourced data? 

That’s before we consider approved data use in Chinese undergraduate teaching – the lecturer is granted access, but the students get it too and Biobank has no way to know who they are.

Biobank blame their victims for Biobank’s failings
UK Biobank simply claims that no Biobank member has been harmed, and if they have, then it’s their own fault.

If you’re in Biobank, and if anyone knows anything about your medical history, they can potentially read it all. Apparently the bland text on page 23 of this newsletter was Biobank telling you about the risks you had chosen to take, and Biobank would allow researchers to take.

Given the nature of researcher conduct, it is not possible to guarantee that there are no further examples.

NHS England did a “consent audit” of Biobank, which Biobank says they passed. Is this victim blaming what NHS England’s audit found and approved? 

To quote Biobank’s newsletter “In everything we do, we ask, what would participants expect from us?” so are the Biobank statements what one would reasonably expect?

Biobank’s [ public statements ] are incompatible with their [ redacted ] 

[redacted until Biobank fix it or decide they’re willing to take that particular risk with their cohort]

The Guardian work shows how easily NHS patient data is re-identifiable

The Guardian’s efforts confirm that if you know one health event for a person, you can read off all the others through the linking pseudonym, the EID that Biobank’s response argues is so immaterial that it can be published repeatedly on the internet without consequence. 

The Biobank response also argues that if data they have lost control of leaks (as it has), then that’s that if anyone knows anything about your health, and uses their lost data to find out more, then that’s your fault. 

The Department of Health in England makes the same self-serving argument – they take risks with your data and will blame you when they go wrong. Everyone treated in an NHS hospital is in the hospital datasets that NHS England sells, usually without respecting the National Data Opt Out. 

UK Biobank’s sole remaining defence is that it’s difficult for someone you’ve never met and who knows nothing about you to reidentify you – which doesn’t address the fact that you have met many people who know something about you and your health and can now potentially read everything; or the Department of Health in England can stop making stupid mistakes.

None of this is new, the flaws and risks were discussed at length in Chapter 4 of the 2022 Goldacre Review. 

For Biobank participants who now wish to withdraw

We have heard that participants have withdrawn from Biobank because of their failings over recent years. Biobank claims privately no one has told them they’ve withdrawn for this reason, but then, participants don’t have to give Biobank a reason for withdrawing.

If you’re in Biobank and wish to withdraw, they make you email them for the form. You are required to know your Participant ID, which Biobank probably told you 20 years ago, you can find on some communications from them, or simply download it from the internet with most of your hospital record if you know where to look…

You can withdraw from Biobank, you won’t be allowed to withdraw from the National Data Library.

Biobank’s reckless disregard for personal data has infected the “National Data Library”

The HDR/Sudlow Review which argues that all public sector data should be linked (one topic in the ID cards consultation) and used like Biobank. At the Review launch, the former Chief Scientist of Biobank said Biobank has “one of the best systems” for data access, and Biobank data should be “used as widely as possible”, and has now been rewarded with a seat on the National Data Library advisory board. 

Biobank’s actions exemplify Mr Mandelson culture being applied to NHS data (increasingly so via the Biobank direction), and it will cover everyone everywhere in the UK via the National Data Library

Unless DSIT agrees that the UK Biobank approach to those in their dataset as covered above will be that of the National Data Library, DSIT should remove Prof Sudlow from the advisory board. Biobank’s public response is the responsibility of the current Biobank senior leadership (most of whom should also resign in disgrace, but won’t as they blame the victims rather than accepting responsibility for their decisions; and wisely no one appointed them to an NDL seat). Responsibility is known and admitted for how Biobank ended up in the mess they have put their cohort in, the only question is whether there will be any consequences for that.

==

In addition to our annual-ish newsletter, you can also join our free substack to get emailed whenever we post some news or commentary.

There has been much ‘chirping’ about the Covid Inquiry: it’s too wide, it’s too narrow; it’s not looking at the right things; it’s not looking in enough detail at the particular bit of the elephant someone spent their time holding; it’s looking in too much detail at another part or parts of the elephant; etc…

The Inquiry contains multitudes (good work on complex topics inevitably must) and the Inquiry’s modular nature lets everyone complain – much as historians can write very different books on events that were vaguely recorded, and they do. 

And those very same chirping interests tend to dismiss others as “Non-Playing Characters” when they want to remove agency from people and groups who will and should be able to make decisions they disagree with. Today’s decision makers are strong and everyone else must accept that, as if today’s decision makers are all that matter.

Data is a common theme in the Inquiry

Data keeps coming up. Everyone involved wants more data at all times to do more things.

Assumptions being made about data by the Department of Health in England (as it is now becoming) are that they want to be able to do anything they choose, and that they should be able to do whatever they want at all times.

The underlying model of DH/E is that Palantir systems will have all the data, and that DH/E controls the configuration. And if DH/E flips the data controller switch again, they’ll be able to do anything they want.

One advantage of Palantir’s product being based upon Apache Spark software is that its capabilities are public; Palantir just does ads on anything they claim they alone can do. Palantir is not magic.

In effect, DH/E’s position is that Mr Streeting wants to be the data controller for your medical notes, and he alone will decide who can use them. (Until he is replaced, of course – then his successor decides…)

These are self-prioritising claims made without external input. Alternatives exist, but Mr Streeting doesn’t care because he knows what he wants and is going to impose it upon you.

If a national analysis were needed, it could be designed nationally, run per “instance”, and the answer could be collated nationally without the “National data integration tenant” (NDIT) having the data. 

DH/E argues opt outs are an impediment because DH/E wants to copy all of the data for its own purposes, and to avoid accountability to patients (or anyone else) because a civil servant might be held responsible for something. 

Patient wishes get ignored when secrecy makes it it easier to ignore them

GP data was collected from practices under the promise of being “covid only”, a promise torn up by the current Secretary of State who doesn’t keep promises he didn’t make. It’s entirely unclear what he expects his successor to do.

It is the Department of Health in England’s view that expecting to have choices over your healthcare is excessive, and data about that care should be unrestricted within the Department – you are to be expected to accept how politicians choose to use and read your medical notes if you accept any form of care at all. If you seek NHS care, what the NHS does with that care is what’s in the interests of the Department, the personal fiefdom of a politician, and not something about which you should have information. That was also the approach to pandemic procurement, a module of the covid inquiry to come out in future.

The Covid Inquiry shows decisions have consequences, and DH/E staff wish to avoid all of those consequences (especially in the “Privacy, Transparency and Trust” team, which refuses to accept privacy, undermines claims of transparency, and undermines Trust. The disingenuous existence of that team means that other parts of DH/E can entirely ignore those principles, claiming to defend them while undermining them directly. 

When it came to the Federated Data Platform, NHS England decided in secret they didn’t have to do a full impact assessment on their “Privacy Enhancing Technologies” because the name said they were privacy enhancing. That’s the sort of decision that causes inquiries, not respects their findings

The hits keep coming, and at some point, like the decision in the Biobank direction, the bill will come due.

Being within a system distorts your perspective on success

It is blatantly obvious that the current dangerous drop in vaccination rates will not be reversed by allowing home visits for vaccination; but it’s something the system can do, so it does it and exaggerates their claims.

It is equally true, as the covid inquiry reported, that the actions of late March were significant even if the same individuals made catastrophically flawed judgments beforehand and afterwards.

The system is doing what the system does. The system has recognised that what it does is entirely out of step with public expectations (and arguably the law), but the system’s response is to want to lower public expectations towards what is easiest for the PTT team. Good luck with that. 

Some of the criticisms of the Inquiry by former officials is that the Inquiry, like some officials think of the public, should do whatever is best for the officials (thinking that also pervades the think tank glossies about how ID cards will be wonderful for think tanks).

How many people like you should the state allow to suffer and die? Why should that number be any different for people in similar circumstances but not like you?

The new structures of DH/E entirely fail to understand that there is a difference between doing the best you can, and doing what is necessary. There’s a difference between saving as many as you can, and inconveniencing as few as possible (and you as little as possible)

The cultural silo that “we alone must do it all, alone” epitomised by the current US administration’s approach to, well, everything,  is also prevalent across DH/E.

Of course, those with the resources to have their own version of covid events will be able to commission their own books when the documents reach The National Archives in due course.  Your health records are widely available to anyone who applies to use them for now because the system doesn’t want to inconvenience valued colleagues by accepting patients wishes.

You only need to look at the Biobank mess to see how this goes wrong.

====

Join our mailing list for occasional substantive updates. In addition, you can join our substack to receive updates when we post updates to our website (subscribers and donations are very welcome – medConfidential currently has no substantive funding for 2026.)

[14 March: this piece was written and published before The Guardian disclosed that UK Biobank (who will receive the GP data discussed in this piece) had repeatedly leaked NHS data onto the unrestricted internet. We’ll update this shortly, addressing the UK Biobank reassurance which should do anything but – no one knowing about anything in your medical history other than UKB is not realistic, but it is self-serving for UKB. See also A Warning for Experts by Experience]

During the pandemic, your data was collected from every GP under the promise that its use would be for “pandemic only”purposes. That promise is still on your GP’s website. Mr Streeting has decided to tear up that promise and is seeking to do so behind patient’s backs by instructing GPs not to tell patients of the change. 

This is going to become a very large mess.

GPs were told in 2020 to put on their websites a promise that the data would only be used for the pandemic. That wording is still there. Mr Streeting has Directed NHS England to reuse the data however he wishes, but GPs have been told that “no action” is required and is therefore not monitoring acceptance – despite the fact that taking no action means the practice website will still be telling their patients that the “pandemic only” constraints are still in effect when they have been torn up and Mr Streeting does what he wants with their data. This is the first time, but there are repeats on the horizon.

And this matters even more because Mr Streeting ‘crossed a political rubicon’ when he signed the Direction saying that the NHS can lie to patients about how data is used. Like a Silicon Valley techbro, his actions show he can make a promise today and break it with a swish of his pen tomorrow. (Of course this also means he could choose to reverse this decision and stick to the “pandemic only” promise; if he doesn’t, the die is cast.)

Latest in a line of breached promises

The secretive charity HDRUK already broke the “pandemic only” rules when they trained an AI on “pandemic only” medical records for any purposes they like. When NHS England asked its independent Advisory Group on Data to assess those projects (item 5.1), the majority did not support them. 

NHS England refused to do a meaningful investigation, instead limiting itself to simply asking HDRUK whether a project was only used for pandemic purposes and believing their answer, despite the assessment of their independent advisors. HDRUK persists with the levels of transparency and accountability of the Boris Johnson administration. 

“Lying to the press is not a crime”, says Baroness Mone, OBE – and the shared culture of HDRUK and Biobank has applied that same principle to patient data.

Biobank still sends patient data around the world and does not disclose which users are given exceptions to Biobank’s supposed rules. Our list of unanswered questions is long. Biobank continue to allow the company related to the eugenicists to access their servers (which are subsidised by UK tax payers), and Biobank claims “Byte Dance Ltd” are doing genomics research via their Cayman Islands holding company, despite claims the project is based in the United States from staff in China. (Byte Dance makes the TikTok app). After Biobank angrily insisted there was no problem with Biobank giving to insurers data that was donated for research, they later quietly slipped out that they had stopped; a US shell company called Flying Troika was never investigated, and Biobank approved last month a new project explicitly to give undergraduates in China real NHS/Biobank data to use in exercises.

This all matters not only because of the plans for a Single Patient Record and the Health Data Research Service, but because HDRUK and Biobank share a culture and say they designed the HDRS. This all matters because of the proposals for a Health Data Research Service, and because of the proposal for the Secretary of State to be Data Controller for the Single Patient Record.

If a patient has a National Data Opt Out covering research, none of their data should go into HDRS. The Biobank Direction threatens that. The published Direction is only for “consented cohorts”, but a future second half is under discussion covering “unconsented cohorts”, which likely be as broad as HDR’s past requests; cohorts such as “people who have hearts”, or “who are breathing”.

The extent to which HDRS delivers on the goals, delivers for patients, or does neither of those things depends on decisions not yet officially made. As DHSC takes over NHS England, and takes over the data release registers, those DH registers must include all NS data that flows out of any DH entity, otherwise they are by definition incomplete. The NHS itself has largely avoided data re-use scandals over the last decade by having complete registers of decisions made and where data flowed. They may have got in trouble about new datasets, but the decisions on old ones were clear. (until HDRUK tore up that consensus by breaking the covid-only rules – will HDRS look more like the transparent governance of NHS England or the secretive cartel of HDRUK or the unaccountable club that is UK Biobank). There are now many moving parts, and who will gain a short term advantage is unclear. 

HDRS could be good

The new Health Data Research Service could be good; it could be consensual, safe, and transparent. But there’s widespread concerns that it will not be. (We’ll have more on HDRS soon).

HDRS has the opportunity to get it right from day one, and we see no sign of DH allowing them to do that – the job ad for the Chair/CEO of HDRS said that HDRS decisions will be “directly accountable to Ministers”.

If patients who have opted out of their personal data being used in research are overridden by politicians and HDRS so they have their data used in research against their wishes, then that will likely go as well as some of the other pre-u-turn decisions of this government. 

Patients have choices

Polling says that up to 20% of people think they have opted out, but official statistics show only 5.5% actually have a National Data Opt out. If a patient is concerned about whether they have opted out, they can check with the online system, and then they need to do the two or more step process to actually opt out: online individually for your National data, and then on paper for your GP data for your whole family, and then a different paper form for National data for your kids! (The previous government designed this system to create administrative barriers to opting out; the new Government hasn’t made it worse yet at least)

Government is currently going through a ‘process’ (involving push polls about which we have had complaints from those attending the focus groups) to look at whether opt outs should be “reformed” in ways which mean an opt out after some date in the future may do less than the opt out does today. As seen with HDRUK, some in research think patients views don’t apply to them – and NHS England doesn’t want opt outs to apply to their “planning” (i.e. everything Government does in health).

It is important for patient confidence that there be “no surprises”, and that genuine transparency shows that promises are being kept or being carefully changed. Without this, how can any patient have confidence in the decisions being made as it takes control of their medical notes in the Single Patient Record?

14 March update: this was published a few days before The Guardian revealed that Biobank data has been lost several times and Biobank say it’s patient’s fault if they come to harm.]

Government is gearing up for a bunch of announcements about taking your medical record and doing what they want with them – there are many moving parts.

To inform future pieces, we’ve published a long piece on many of those moving parts (not all, because we keep some surprises as surprises).

HDRUK, Biobank, and Mr Streeting argue that privacy doesn’t matter, and they and their cronies should be able to do whatever they want with data without consequence.  They use that argument to break pandemic-only promises, then it’ll be imposing Palantir, and then taking away what rights you do have. Mr Streeting is implementing what he learnt from his political mentor, Mr Mandelson.

We’ll see about that – and perhaps this government will change course when it realises it has done something unwise. 

You can read the full document here.

======

Join our mailing list for occasional substantive updates. In addition, you can join our substack to receive updates when we post updates to our website (subscribers and donations are very welcome – medConfidential currently has no substantive funding for 2026.)

If you’re looking for medConfidential’s assessment of today’s reannouncement, the details appear materially unchanged from the aborted announcement in October where key the question remains unanswered:

https://medconfidential.org/2025/biobank-want-gps-to-lie-to-patients/

Hello again from medConfidential,

We’re still here! And so, for another few months at least, is NHS England – and hopefully, given Mr Streeting’s stated intentions, is your local GP…

What happened since our last Bulletin

The Government published its “10 Year Plan” (10YP) with most of the deliverables due after the next election, and with improvements to your family doctor coming after 2035. Perhaps you’ll have to “say goodbye to your data (and say goodbye to your GP)”?

We published a short series of longer pieces on the 10 Year Plan, the consequences of which will be felt throughout the life of this Parliament – but some headlines include:

• As people have worked out that “Federated Data Platform” is just another name for Palantir, the term “Single Patient Record” has been coined as the new euphemism.

• You’ll be given a “Single Patient Record”, which you’ll be told you “own” and “control” – over which you will find you have little or no meaningful control or ownership*, as it will contain everything the State wants to record about your health for its own uses, from your DNA to the activity sensors on your device.

• Another of the grand ideas in the 10YP is for hospitals to take over GP practices – making your GP about as ‘local’ as your Jobcentre, while you’ll simultaneously lose the only part of the NHS that treats you as a person over the long term. 

• They’ll be AI recording consultations in these new centres; every word you say, summarised – and they’ll keep the transcripts to check the summaries, and the audio recordings to check the transcripts. Artists made art.

*The contradictions and caveats in the 10 Year Plan mean your opt-outs, both the “National Data Opt Out” and your “GP Data  Opt Out”, may protect you less after some future date (maybe in 2026?) than they do today.

To stay informed and to find out what we publish when we publish it, you can now join medConfidential’s new Substack (for free) which will send you an email to alert you whenever we publish something.

What’s happening now

The Covid pandemic had temporary rules on data and procurement, which assumed that everyone was acting in the best interests of everyone else, and that no-one would be greedy and profiteer for their own narrow gain at public expense. 

The PPE procurement mess with Baroness Mone has been high profile and long running. Less noticeable has been one ‘sockpuppet’ of HDRUK – an organisation which decided that the rules didn’t apply to them, and started cheating by using data for purposes that were not related to Covid (except in the fiction of HDRUK’s own paperwork). Because HDRUK’s paperwork claims that its uses are “for Covid”, NHS England believes the paperwork – and neither the ICO nor NDG will disagree with the details, which is the sort of defence Baroness Mone would entirely agree with. 

In that same spirit, Mr Streeting – or strictly speaking, his Department – has written a Direction to NHS England to re-use the “Covid only” datasets for purposes that are not Covid related. Following the leadership of HDRUK (see previous paragraph) these re-uses will first be for some “consented cohorts” and then for some “unconsented cohorts”, i.e. everyone. The consented cohorts include the volunteers at UK Biobank, which is still refusing to answer questions about where it sent the NHS data of its 500,000 participants, and why. And the new project “Our Future Health” is watching its predecessor closely…

Your ability to opt out has always been a gift of the Secretary of State, and the Department of Health in England’s recent public engagement – parts of which are barely more than a push poll – has provided a wide range of views which the Secretary of State will take as license to do whatever he wanted beforehand.

He could make the National Data Opt Out stronger and more effective – as some people have said they want – or he could try to take away your opt out so that it doesn’t apply to uses of data by the Department of Health and NHS England, which is what NHS England and his Department wants. Mr Streeting’s plan for the new ‘Health Data Research Service’ (HDRS) will take your data even if you have opted out of research – so Wes could decide you have to opt out yet again, even if you opted out before. (And, once again, opting out may involve punishing parents via a different process for their kids…)

One question we’ve been asking for months, to which DH has no credible answer, is if you have opted out of your data being used in research, will your data be included in the HDRS?

As the National Data Guardian put it in her Annual Report 24/25 (p5): “Exemptions granted for essential planning and operational work mean it no longer reflects what many believe it offers. This risks undermining trust.” We agree and would go further, as those exemptions are also deemed to apply to non-essential work.

What’s coming next

Mr Streeting thinks that the solution to NHS problems is to replace your doctors with ‘his’ AIs, many of them running in Palantir – aka “Making Palantir Irreplaceable”, despite the fact that “Palantir isn’t magic”. In the meantime, the 10 Year Plan has started in maternity care with the sickest babies, and will move up the ages from there – while Mr Streeting’s officials remain incentivised to confuse dystopia with efficiency, and Palantir’s vision may be “Making Americans Irreplaceable” to “healthcare”.  

As we wrote back in January, this Government is obsessed with building an ‘Everyone Database’ – the latest incarnation of which hides behind Mr Starmer’s 26 second announcement of the Blair government-in-exile’s “digital ID cards”.

medConfidential will keep the streams separate for as long as government does, but if you would like to follow this aspect of our ‘rest of government’ work, you can visit NO2ID’s new website, subscribe (for free) to the NO2ID Substack, or sign up to join NO2ID’s Bulletin mailing list by sending an email to hello@no2id.uk 

Seasons’ greetings

This will be our last Bulletin before the New Year. We wish you and your loved ones well for the festive season. Should you feel inclined, medConfidential is always grateful for your support, as we also appreciate so many of you being on our mailing list. As ever, please do pass this Bulletin on to anyone to whom you think it may be relevant.

Warm wishes,

Phil Booth & Sam Smith
18th December 2025

==ends==

In addition to our annual-ish newsletter, you can also join our free substack to get emailed whenever we post some news or commenta

The NHS is watching Mr Streeting speedrun the dictator’s dilemma, powered by Palantir to go ever faster.

Continue reading →

The Department of Health in England claims to value experts by experience – those people who have lived experience of the NHS and care services, and who want to give their time and energy to make those services better for those who come after them. But DH/E’s actions might cause concern.

Lloyds Bank recently got caught looking at staff bank transactions to use the contents against those staff in pay negotiations. Similarly, when “chaotic and incoherent” Mr Streeting gets emotional, he makes decisions in the interests of his leadership campaign politics not patients (and he wants to become data controller for all of your medical notes).

As part of the takeover of NHS England by the Department of Health in England, items 5.2 and 5.3 in the minutes of the 12th June 2025 Advisory Group on Data meeting show that the new Government is allowing civil servants in DH/E to access patient data for their work. (There are two items because there are two systems; at some point Palantir will replace both).

Under the previous government, this capability was only given to the “Private Office Data Science” (PODS) team, working directly on whatever the Secretary of State wanted. There is no transparency over the access when doing policy work for the Secretary of State yet normal civil service rules on access apply – which is, if the politicians ask for something, then a civil servant should give it to them. Instead of applying to policy drafts and consultation responses, the principle gets applied to your medical history and all your doctors’ notes. 

As Labour has made data skills something for all civil servants, all DH civil servants now have data access if they can justify it for any part of their public task – their ‘day job’ – no matter how tangential.  The Department of Health in England does not disclose what it wants these powers for, which suggests they will be used for whatever Ministers of the day want – the same decision Lloyds Bank made. DHSC will have the same capacity –  someone says using your medical history as they want is in line with the Civil Service Code then it will happen. For example, civil servants who staff the new “Patient Experience” directorate at DH/E, whose job over time will become hiding the patient experience from others.

If an ‘Expert By Experience’ discloses to a civil servant (or anyone working for what is currently NHS England) something about their experience, i.e. the topic of expertise, the civil servant will be able to use that “unique” experience you told them about to look at your entire medical history and read about anything you didn’t disclose. 

This access applies to everyone, not just those cooperating with the Department of Health in England. Lobbyists, MPs (especially rebels), public figures, are all equally at risk, whether or not they directly talk to the new “Patient Experience” directorate. This is in addition to the reidentification risk which remains trivial for anyone with a public health event that is uniquely identified in the health events data of the NHS (e.g. a man of a known young age having a kidney removed in a particular week in a particular hospital).

The 10 Year Plan says this:

The NHS never has the right to keep the public in the dark. That it so often does so reflects the centralisation of power and disregard for patient voice we identified in chapter 5.

At its worst, this status quo means the most severe cases of systematic harm go unnoticed and unchallenged for years. The past 4 decades have seen a litany of tragedies. Each of them was avoidable. Each suggests previous lessons have gone unlearned.

That is why we will make the choice to deliver full transparency. We recognise this will be uncomfortable for some in the NHS. We expect transparency to highlight new failings, show new problems with quality of care, and to put a megaphone to the mouths of complainants that have otherwise felt they are shouting into a void. We do this because sunlight is the best disinfectant – there is no other way to restore public faith, and to drive up quality for all.

These are nice words, but they are currently disconnected from both policy and from delivery. Maybe, like GP improvements, they’ll come sometime after 2035.

The NHS is watching Wes speed run the dictator’s dilemma (powered by Palantir). Putting everyone’s medical notes into Palantir for any civil servant to rifle through if they believe it is in line with the civil service code will fall far short of what is required for public trust. Trust requires evidence; by definition, “faith” exists in the absence of it, but when “chaotic and incoherent” Mr Streeting gets emotional, he demands staff do what he wants, and gets very angry when GPs and other doctors all care about their patients going beyond the political headline.

Data always gets shared

Item 9 of the same 12 june minutes also allows any new data held by DH/E to be given out to anyone who had any data for that purpose before. As things stand today, those additional accesses will not be included in the NHS England Data Uses Register, so there’ll be no transparency on whom that data is given to.

Item 5.1 of those same minutes show AGD taking a look at the Michelle Mone style antics of HDR abusing “Covid only” data rules; HDR may have taken a similar approach to the truthiness of its public statements. Of the projects that HDR asked AGD for a view on, the majority did not get support from AGD, showing just how rogue the HDR process has gone: HDR and Biobank share a culture and this may be the precedent for the new “Health Data Research Service” envisaged by the HDR “leader” who argues tearing up the “pandemic only” promise is entirely fine because they’ll gain from the change. 

==

medConfidential takes (and needs!) donations. In addition to our annual-ish newsletter, you can also join our free substack to get emailed whenever we post some news or commentary.

14 March update: UKBiobank lost most of their NHS data. They say any harm is the fault of patients not them.

10 Feb 2026 update: The Secretary of State for Health and Peter Mandelson’s political protégé has now Directed GPs to do this. GPs have been told “no action” is needed from them, but they must take the action of informing patients that the “pandemic only” dataset will now be used however Mr Mandelson’s political protégé may decide. GP Data Opt Outs will still apply.

Below written in October 2025:

There’s more to come

medConfidential has seen press reports there is a signed but unpublished Direction implementing UK Biobank’s plan to break pandemic-only promises of data uses, which will place GPs in an impossible position with their patients (which is not Biobank’s problem). It was due to be published yesterday (Thursday 16th October), but wasn’t after news leaked.

While NHS England staff considers a Direction to take effect when they publish it, this one will almost certainly require additional implementation actions before it has any effect beyond the destruction of trust and confidence that comes from the signature demonstrating that Mr Streeting believes it is acceptable for him to Direct the NHS to lie to patients.

The Direction can be held by the NHS England Board and sent back to DHSC for additional work (never to return in the same form). It is unclear what would have happened if DHSC had already taken over NHS England.

This page will be updated in future days

The opt out process continues to work.

The Health Secretary has told his friends that the first part of his “Single Patient Record” will be rolled out by the end of the year. 

We expect this rollout will be a “pilot” of the now-merged Department of Health in England (i.e. DH and the “abolished” NHS England) using government powers to impose decisions on the NHS frontline – not a pilot of a real ‘patient record’, nor real patient choice.

The stated policy intent; a politically-controlled centralised database of everyone’s medical notes with the catchy title “Single Patient Record”, potentially could be consensual, safe, and transparent. But given the approach being taken – using a single incumbent tech supplier (which makes political donations) – any political promises made may be no more reliable than their Trumpian equivalents.

This politically-controlled centralised database of medical notes will consolidate all of your medical notes from across the NHS, to be made available wherever the NHS logo is seen (and some government buildings that don’t have such signs).

This could be done well; it could be done badly. 

It could be done in such a way that you can see everywhere your record has been accessed from day one; it could equally replicate the secrecy-by-design of today, where Department of Health in England officials know exactly when and where your GP notes have been read by people other than your GP… but refuse to tell you. 

(If you were to ask the data controller, NHS England, for this information they would simply refuse to confirm that they know when and where your record has been accessed – instead sending you back to your GP, who won’t necessarily know because NHS England is the only one who runs all of those systems.)

You could be offered the option to decline such a risky service – for some, the known risks will definitely outweigh the known benefits – but that would involve consideration of patients, and this Department of Health in England thinks it knows better. This most certainly won’t be a pilot of patient interests.

We asked the Department of Health in England some questions back in April. Five months later, we have had no answers.

This “pilot” announcement appears to confirm supplier suspicions that the pre-contractual “Request For Information“ published earlier this year was a sham, and that Mr Streeting has already picked whatever winner he wanted from the existing NHS England suppliers. (As everyone should by now be aware, NHS England’s existing monopoly supplier for such technology is Palantir.) 

When Mr Streeting decides your medical records will be processed by his AI to determine your priority at A&E, you won’t have a choice. And when your local surgery gets closed and your GP is moved into a neighbourhood health centre, your GP will be required to use the new database – and will have no discretion over the way in which the information they are required to record will be used. (Mr Streeting has already announced that all consultations in all of his new centres will be recorded – and his new database will hold the summaries, the transcripts, and the audio recordings. 

We shall see what Mr Streeting announces, and how it compares to what his Department delivers over his time in office. It is becoming increasingly perverse that Wes Streeting is entirely dependent for delivery on a company whose corporate leadership is actively hostile to the success of his mission. Unfortunately, as ever, patients are caught in the middle.

ID Cards are back

Simultaneously to all this, the Government will try to reintroduce ID cards – starting with a stated policy intent that every employer must treat their British workers with the same assumption of criminality that the Home Office imposes on their colleagues born elsewhere.

There may be additional as-yet-unstated policy intents – or at least, as with the last attempt, further policy intents that won’t be briefed out fully until it’s clear people aren’t buying the previous one. Even before the formal announcement at Labour Conference, people are speaking out.

Digital ID cards policy will run into further trouble when other parts of government assume they are dealing with a “worker” and demand to see their ID. Will police officers have powers to demand you show them your ID by handing over your unlocked phone? Will train ticket inspectors insist on seeing it? How about bouncers outside bars or hotels? 

At this point, the Government seems more interested in grabbing headlines than answering questions. Let’s hope they listen sooner this time as well.

There’ll be more on ID soon, both here and at https://www.no2id.uk/

==

medConfidential takes (and needs!) donations. In addition to our annual-ish newsletter, you can also join our free substack to get emailed whenever we post some news or commentary.