Category Archives: News

8th December Bulletin

It’s been several weeks since our last newsletter, and a few things have happened.

A Good Thing: OpenSAFELY

The GP data analysis environment which is capable of being consensual, safe and transparent – known as OpenSAFELY – has announced that the NHS will continue support for their analytical environment, which does not create any additional copies of the data and which respects patient choices to opt out of data being used in ways they don’t want it to be.

Things of another kind

You may have received some junk mail (with an NHS logo) from a company called Our Future Health which would like to sell access to your DNA and medical history to allow others to find new medicines. We’ll have more on that in the New Year.

Government spending £480m on Palantir

The Department of Health in England announced they will spend £330m on Palantir software and an extra £150m on ‘improving’ Palantir – so it’ll cost more next time – which has proved a little controversial.

Palantir will get one or more copies of all health data used by the national NHS across England, and the Department of Health in England has also bought the software for your local NHS Integrated Care System (ICS), and may impose it on your hospital.  Whether your local hospital or ICS wishes to take up this “offer” from the Department of Health in England is supposedly up to them. Some officials have however said that while using Palantir might not be “mandatory” for other NHS organisations, there are disincentives to spend money on anything else. 

This announcement is a start line, not a finish line. Nothing much changes before March 2024.

The National Data Opt Out exists and works as it always has, although it could always be stronger. The Department of Health in England has not published enough details to know whether patients’ objections will be respected, whether and where it believes your objections don’t apply, and/or whether the Department of Health in England will make everyone opt out again. We have a lot more details here.

As things develop, if you wish to protect your and your family’s medical information, you will likely need to have both an (online) National Data Opt Out and a GP Data Opt out, as your GP data could be used locally in Palantir.

As lawyers continue to pore over the text, if the Department of Health in England does disclose that it has created a new opt out that you have to apply for, we will tell you. To find out, use the box on the right to join our mailing list.

Remember, the announcement of the winner of the contract is the start line for this national data programme. It has to get to March 2024 without collapsing, and there are plenty of precedents for such programmes not managing that.

What you can do

The National Data Opt Out does what it always has. We agree with the Department of Health in England that it could be better – they could do something about that, but they refuse to. 

The Department of Health in England currently only links to the National Data Opt Out, once again neglecting to point out that the GP Data Opt Out exists and works to block secondary uses of your GP data that may be copied into Palantir if it is not applied to your GP record.

Meanwhile, Palantir shareholders want twitter warnings on anything that suggests the opt out works… 

Seasons’ greetings

This is probably our last newsletter before the New Year. We wish you well for the festive season with your loved ones. If you are feeling inclined, medConfidential is always grateful for your support of any kind, and we are grateful that so many of you are on our mailing list. As ever, please do pass this Bulletin on to anyone to whom you think it may be relevant.

Warm wishes,

Phil & Sam

Palantir wins the Federated Data Platform contract (predictably) 

Having had a few days to find some more surprises and omissions in the statement to Parliament and the press release confirming that Palantir won the £330m FDP contract, we understand why it is confusing. The goal is, after all, to copy everything into Palantir and only get support afterwards – and to not allow anyone to say no.

On Saturday The Times (incorrectly) said there is no opt out; a day later, the Sunday Times correctly said there is. Things are clearly in a mess, but it must be remembered that last week’s announcement was a start line for this project, not a finish line.

In brief: The opt out exists just as it has previously, and nothing changes until around March 2024. Everything else is a currently mess; we’re working on it.

Slightly less brief version: The National Data Opt Out exists – it works as it always has, though it could always be stronger. NHS England has not published enough details to know whether patients’ objections will be respected, whether and where it believes they don’t apply, and/or whether the Government will make everyone opt out again. This is because there are no details of individual data flows in the FDP as yet; maybe by March 2024 we will know more. Maybe.

Some have read NHS England’s briefing to argue strongly that patients cannot opt out; medConfidential and others, however, work for a world where patients’ wishes are respected. Join our mailing list to find out how it goes, or opt out at any time.

We will continue to scrutinise details. NHS England could still decide that people’s opt outs don’t apply where they should, and officials will probably try doing this – which is akin to making you opt out again. NHS England talks about its five high level “priorities”, but data choices and uses and paperwork is about very specific purposes – exactly what data, to and by whom, treated how and for what uses (e.g. “strike analysis”), with or without respecting opt outs? The devil is in all the details.

We do not yet know whether those who have already expressed their wishes will have to do anything else – NHS England has not yet said whether Government will make patients opt out again, but as of now, the opt out process is enough.

The Details Do Matter

The Government is as committed to giving Palantir £500m over seven years (the current contract is for five) as it was to HS2 and Net Zero. If you wish to opt out, we have a page on how to do that. Many details are still to be argued about by lawyers and others, but you currently have the same choices after last week’s announcement that you had before.

As an administrative body, not the NHS in England, NHS England (NHSE) can only make decisions for NHS England. It can try to bully NHS Trusts and Integrated Care Systems into going along with its decisions – seemingly with limited success – but, as separate legal entities, ICSs and Trusts get to make their own decisions. Sometimes NHSE says Trusts “can” choose to use it, sometimes NHSE says they “will”. The comments published by the Science Media Centre demonstrate the lack of support that NHSE tends to respond to with strong-arm tactics.

While it is good that NHS England has an “engagement portal” of sorts, it will be far better when there is meaningful content in it – and when that content is entirely accurate and complete. 

We note that NHSE’s public press release was less informative than its statement to Parliament. And while the press release talks about “Trusts and ICSs” having access “from spring next year”, NHS England itself is notably absent from that timeline. 

Our current understanding is that NHSE will get access to data at the same time as Trusts and ICSs, when the “Privacy Enhancing Technology” is available. Previously, officials had suggested NHSE would have access before that. Of course, there is no obligation on NHS England staff to be fully candid in meetings, and someone decided not to make this all clear in the press release. This kind of decision has caused and continues to cause many problems.

NHS England has until around March next year to get its story straight, and for its officials to be transparent about governance and patients’ choices – hopefully far better than they managed on Radio 4’s Today programme last week.

(For example, GP data could at some point be copied into Palantir for where you live, and then copied elsewhere, unless you have done the separate GP Data Opt Out. Despite asking repeatedly, details on this are unclear. The Palantir Federated Data Platform is the first time that National Data Opt Outs and GP Data Opt Outs will overlap in this way, and we still have no idea how this is going to be handled – based on past behaviour, NHS England will probably just try to grab the data, because that’s what they instinctively do.)

“Direct care”

The heavy lobbying from NHS England has focussed on “direct care”. While it is unclear what direct care the bit of the Government that calls itself NHS England actually does, NHSE’s FAQ initially said (and some versions still do):

“Can patients choose how their personal information in the FDP is used for their care?

The new FDP will be used by NHS staff to offer patients care.

So, it is assumed that patients have given consent to access their personal information.

If patients do not consent to their identifiable patient information being used to support their treatment, they should email for information about withdrawing consent.

If a patient does not consent, it might affect their care.”

Then they took that text away. 

NHS England was correct that, in some circumstances, you can object to aspects of care that you don’t want, for any reason you like – this is normally referred to as “patient choice” – but it has apparently been decided by NHSE that such choice is not here and not now, any more. Or, to put it most generously, there’s no clarity. Again. (This is becoming a theme…)

NHSE is only clear that the National Data Opt Out and GP Data Opt Out do not cover direct care uses, and it is critical that that remains true; were it not true, that would be a resignation issue.

That an administrative body which treats no patients and runs no hospitals wishes to define some (or any) of its activities as “direct care” as a figleaf for processing data it otherwise could not access is spookily reminiscent of the failed GP data grab of 2021 and the catastrophic programme before that.

Confusion about purposes beyond direct care

Many people have noticed that the National Data Opt Out (NDOO) is somewhat limited – and, if you rely solely on the way NHS England chooses to describe it, it appears far from effective. But it exists. And it does work. Some argue that it is useless; we and others work to make it stronger and better.

For now, if you have chosen to do a National Data Opt Out, it does as much as it can be made to do currently, and will hopefully do more in the future without you needing to take any further action. (The same applies for a GP Data Opt Out, if you have done one of those.)

The National Data Opt Out was created to avoid a proliferation of new opt outs as new data programmes came along. So while NHSE could say that the NDOO doesn’t apply in a particular scenario, under the law (see below) and in effect it would be saying, “there’ll be a different opt out for that”. In practice, this is untenable, and it is precisely the reason why the NDOO came about. A single National Data Opt Out will eventually cover all dissentable processing, but that will take more campaigning. And lawyers. And time.

The day before the contract announcement, on the same page as the text above which confirms that you can opt out of data use for direct care, the FAQ said:

“Can patients opt out of their data being shared in the FDP?

No. Patients can only opt out of sharing their identifiable data for research and planning.”

A week later, the answer to that question now provides a link to the National Data Opt Out – so the answer was clearly not ‘No’ but ‘Yes’. Additionally, while NHSE attempts to narrow the opt out at any opportunity, the choice of words both initially and now reflect NHSE’s persistent belief – since its inception, and the ‘bad old days’ of Tim Kelsey and – that patients have limited rights, and that if NHS England wants to do something with data, or Government wants to do something with data, then they can ignore patients’ express wishes.

The FAQ does not say that NHS England will respect all of the rights of a data subject – for example, the right to object to unnecessary processing – instead it simply ignores that any inconvenient rights even exist. Courts tend to take a wider view…

NHS England might tell people in future that there is or will be processing of their data to which they can object, but to which NHSE will not apply the National Data Opt Out. This would be creating (yet) another opt out, and making everyone have to opt out all over again. Alternatively, NHSE could apply the National Data Opt Out to all such processing, despite what it is saying today. 

These are the two choices facing Government – and it should be clear that this is a Government decision, not an NHS decision. And when that decision is made, either way, the paragraph will have to be changed again. The current version is less wrong than simply saying “no”, but it’s still not right. Yet.

medConfidential does not believe anyone should have to opt out again – we can’t make that a promise because that’s a Government decision – so you should be able to make your NDOO choice now and not worry; but if you want to keep informed, join our mailing list for more as we know it.

Making inaccurate statements to the public

The FAQ mess – that it publicly stated contradictory things between last Monday and Friday – means that someone, somewhere inside NHSE, agreed that both statements were accurate at some point. Who changed their mind?

The same FAQ has previously claimed, “The existing web copy was produced in conjunction with Med Confidential”. This was not true, and in the weeks it took NHS England to remove that entirely false claim, we were assured that the FAQ ‘had process to follow’, and that it couldn’t be done quickly, as everything was checked. We never received a proper answer as to how that claim came to be made – officials seemed to be relying on a meeting in August 2022 for the claim they made a year later, as if they believed they had learnt nothing in the interim period. (Perhaps they didn’t.)

Even if one were to accept statements that such occurrences were honest mistakes, how many other similar mistakes are there in NHS England’s decisions? And why is it that those mistakes inevitably tend to benefit NHSE and fit its intentions, and remove choice from patients? Every. Single. Time.

Honest mistakes would go both ways; systemic failings only benefit NHSE.

No meaningful check, no meaningful challenge

NHS England’s “Check and Challenge” group met for the first time on Friday, but is only scheduled to meet once every two months. That means its first substantive meeting will be in January, and NHSE expects to start using Palantir in March, possibly even before the second substantive meeting of the group.

Even if the best possible questions having been provided with perfect information were to be asked at the January meeting, officials could (entirely reasonably) say, “We’ll come back to you on that,” and NHSE could do whatever it wanted – Palantir could even start running before the group meets again. It should be noted that some decisions made at this stage are irrevocable, and some very hard to roll back once begun.

We don’t expect the “Check and Challenge” group will be allowed to do much of either checking or challenging, and to make doubly sure they don’t – and in stark contrast to previous debacles like – medConfidential were not invited to join it.

One “check” the new group might discuss is “pseudonymisation”, and the extent to which NHS England will once again ignore that pseudonymised data remains personal data – and that, as such, any unnecessary processing is dissentable. So the NDOO should be applied. If not, the “check” group will be allowing NHSE to create a new opt out.

The group is not expected to publish minutes or papers, so we shall be FOIing them regularly which is a waste of everyone’s time. It should be noted that since “new NHS England” was formed, it does not promptly respond to requests for such things – the “Digital Data and Technology” subcommittee of NHS England’s Board, for example, refuses even to disclose its membership. 

Palantir Access To Data?

We don’t know what data flows will be in the Federated Data Platform as yet, as NHSE hasn’t told anyone. And we don’t yet know who will be auditing NHS England’s setup of Palantir – but we’ll certainly have questions for whomever it is. All we can do in the meantime is look at the data flows that were in the precursor system to the FDP in January and July of this year.

Notable in January was “strike analysis”, for which NHSE apparently used spreadsheets instead of Palantir Foundry – an item which conspicuously disappeared from the list in July, despite other items being “included for completeness to show a reconciliation with the original list of purposes”.

The July list gives sixteen purposes described as “system admin”, and we don’t know who those admins are. (This is why purpose descriptions are helpful; a feature Palantir Foundry has by default, which NHSE chooses not to reveal.) 

Hopefully when NHSE publishes the full list of which flows of data are being used for what – something they could choose to publish today on their engagement portal – we will know, and so will you. NHS England has signed the FDP contract, and all we know is that it would be illegal for Palantir to use data in ways that NHSE doesn’t allow – the problem being we don’t know what they don’t allow, and still know precious little about what they do allow.

Hopefully NHS England is better at writing and managing contracts than they are at writing FAQs. We don’t think this is a severe risk, but NHS England has failed at managing so many obvious risks, and so many bland reassurances have been shown to be untrue, that further bland reassurance at this point is clearly insufficient. 

If NHSE wants to use NHS patients’ data, it must provide full information about all of  the data it wants to use, how it will use it, and precisely what for, and for each flow, at each stage, either respect opt outs or explain clearly (and accurately!) why not.

The NHS procurement was done carefully, and had to be, despite some interests wanting to cut corners. But the contract was awarded, the facade fell, and Palantir sent round an unpublished briefing saying how wonderful Palantir is – ending with a quote from NHS England saying, “you have to liberate the data, and as we have done that”… 

Join our mailing list for more information as we know it.

Below is the text put together in pieces as we went through the documents for the first time:

According to the written statement to Parliament, Palantir won the £500m contract. The announcement is a start line, not a finish line. NHS England will now have to keep their contradictory promises. We’ll be here.

The Government is as committed to giving Palantir £500m as it was to HS2 and net zero. You still have choices.

If you wish to opt out, we have a page on how to do that (there are details to be argued about by lawyers), but you have the same choices today that you had yesterday.

NHS England can make a decision only for NHS England. NHS England can bully Trusts and ICSs into going along with it (seemingly with limited success), but as separate legal entities, ICSs and Trusts get to make their own decisions.

It appears Trusts/ICSs will not be able to start using it until “spring next year” (April?), because that is when the “privacy enhancing technologies” start, but NHS England will use the platform immediately, with or without those technologies.

NHS England’s FAQ used to say that opt outs don’t apply, but it now says they do. The day before the announced, The FDP FAQ started the answer to a question about opt outs applying with “No.”, and now is much of a vague yes. NHS England can still decide that the opt outs don’t apply where they should. We’ll continue to scrutinise details, because you shouldn’t have to opt out again. NHS England talks about 5 high level “priorities”, but data choices and uses and paperwork is about very specific “purposes” – what data, to what point, for what purpose (e.g. “strike analysis“), with or without opt outs? The devil is in all the details.

We do not yet know whether those who have already expressed their wishes will have to do anything else – NHS England have not yet said whether Government will make patients opt out again, but as of now, the opt out process is enough.

NHS England has until around March to get their story straight, be transparent about governance and patient choices, better than they managed on radio4; NHS England’s “mistakes” only seem to make life easier for NHS England…

NHS England gave a chosen few organisations different briefings on the 20th November, ahead of the announcement on the 21st, and we don’t yet know what else they’ve mislead people on, in the same way the FAQ used to say “no” to opt outs, and which now confirms you can opt out. We’ll update this page as we have more considered views.

Join our mailing list for more as we know it.

“Prospective medical records” via the NHS App

After 1st November 2023: If you have found this page after coming across something distressing and googling various terms, we’re sorry the Government has made the NHS and your GP put you in this position.

If immediate attention is required by what you have read, your GP will get in touch with you as soon as they read what you have already read (as you may have seen it before them). If you are immediately concerned and your GP has an out of hours message box, you can leave them a message asking for a call back when they’re open, or you can call 111. When this feature was being tested, people would think to call 999 or go to A&E (this is when to do that), and neither the Government nor NHS England did anything to minimise the fear or confusion you feel; they should have done so.

If someone else has become aware of information from misusing your app, NHS England give you no recourse. If you have become aware of something that was being withheld from you for legal reasons, please don’t harm your children, yourself, or anyone else.

The Government has contractually required your GP (in England) to facilitate access to “prospective medical records” from your GP record to the NHS app. From 31 October 2023, any correspondence sent to your GP will be available to you through the NHS app (and, over time, the NHS website).

In simple terms, these are letters about your care, not “to” you as such, but to/from different doctors providing your care, who may also send a copy to your GP. The doctors outside your GP have not been effectively told this is happening, and so won’t know to take it into account when writing the letters.

These may be distressing, as they may contain medical language you’d need to look up, they may discuss your mental health, and may contain bad news and diagnoses that the author of the letter expects a doctor to break to you with compassion.  You may also see how much work is shifted onto your GP from other parts of the NHS, and how secondary care “manages” their waiting lists. 

With the usual lack of attention to detail, Government and NHS England have not told anyone other than GPs that this is happening.

Online access will be helpful for most patients, but the process of making this available has created unnecessary risks and The Government with NHS England has chosen to leave them unaddressed, as described by domestic violence charity Refuge.

What happens next?

To implement the requirement placed on them, some GPs will text you to ask what you choice you would like to make, and some will turn it off until you ask them to turn it on for you. There are no government provided communications on this – every GP will have to do this all themselves. The Health Secretary has demanded it be on for everyone from day one, saying as his Tory Conference speech that family GPs “are even threatening to take the Government to court over our plans to let patients see their own test results on their own phones, rather than taking up a GP appointment. This clearly shows that the BMA leadership is not on the side of change, and they are not on the side of patients”. You will see these test results potentially before your doctor, and you may have to interpret them alone.

If this is harmful to you, you can ask for it to be turned off

If your device is not your own or is shared in a way which makes this uncomfortable, or you have reason to be concerned, you can send your practice a message asking for “prospective access” to be turned off for your record. (Deleting the NHS app isn’t enough if someone else knows your NHS Login username and password and has the app on their device).

You can’t see if others have accessed your record this way

Despite requiring access be made available, there is no requirement to see whether your record has been accessed to give the reassurance that your record has not been abused by others who may gain temporary access to your device.   If this feature were to be abused, the app gives you no indication that it has happened, so NHS England doesn’t care to protect you.

You should be able to see what’s in your record if you wish, and equally, you should be able to know how that record is accessed, but this government is playing contractual games with the biggest bit of the NHS that hasn’t yet gone on strike.

Access to records is a useful tool for the majority of people (and those it harms should be better protected than they are), but we await, more in hope than expectation, any announcement that NHS England will also provide the details of when your record has been accessed and from where. Will NHS England hold themselves to the same standards they mandate from others?

This process is a mess, and patients and GPs pick up the pieces. Again.

(That this change is being imposed at the same time as the “Palantir procurement” continues is a source of confusion, the reasons for which are… speculation)

Our Future Health is a company

As Our Future Health promotes itself ever more loudly and ever less clearly, this is medConfidential’s current view on the project, the commercial company that lurks within a charity, and promotes itself using the NHS logo. While our view may change as new information becomes available, we are concerned about the transparency and integrity of current public communications from Our Future Health Trading Ltd, and the scope for future changes.

If you don’t want to be involved, you don’t have to be, and you can just ignore Our Future Health (OFH) and any communications it sends. If you have already given them a DNA sample, you can tell them to destroy the DNA they collected from you using the multiple step process that begins on this page – do the “partial withdrawal” online, then email and state you wish to a “full withdrawal”.

If you have (or even if you don’t have) questions about the transparency and integrity of OFH statements, we observe that their FAQ entry entitled “How can I leave the programme?” does not include the above link to the page that tells you how to leave their programme…

Whether you sign up or not is entirely a decision for you and your loved ones – handing over your DNA and NHS medical history to a commercial company to sell has consequences on those biologically related to you, and as OFH expands to access other government data about you, it will include information on those you live with, both now and in the past.

The UK has a non-commercial Biobank with clear governance, whereas OFH exists to help “kick start” the life sciences industry with a company selling access to data and a charity doing marketing and publicity for the company.

There is a historical analogy. In the 1990s, there were two competing “genome projects”: the Human Genome Project was supported by the public purse and committed to public knowledge; a private competitor – the ‘Venterpillar’ – tried to privatise the lot, and went bust. Sir John Bell helped the Human Genome Project succeed, but switched sides to capitalise on the “life sciences strategy” he wrote.

Shortly after they were not mentioned in the “growth package”, OFH’s communications suddenly changed to highlight they had now half a million volunteers… What does “volunteers” mean? Why did the count of “appointments where they give a blood sample primarily for DNA analysis” largely disappear?

[This page was updated in June 2023 after the CEO resigned. A link to the opt out form was added in August, and a line was added in October 2023 when OFH started sending junk mail letters under an NHS logo, some of which offered a £10 shopping voucher (others did not). In December 2023 we added a line about risk scores. We will update the page again as new information becomes available.] 

The viability of the commercial company is unclear

Our Future Health has sent out around 10-12 million letters, and claim they have achieved half a million “volunteers”. At that signup rate, they cannot achieve the five million signups from the remaining population as required by their business plan. The consequences of this are unclear.

If you have a National Data Opt Out, you will not receive a letter addressed to you inviting you to sign up. You will still see all the adverts and the press coverage, and members of your family can still sign up and give a DNA sample which will relate to you as all DNA samples do. medConfidential understands (as of summer 2023) that OFH has not yet received approval to access NHS patient data, only to have addresses provided to a third party to invite people to sign up. In addition, OFH may also buy junk mail lists which contain your address, and may then send you a “Dear residents” letter as a result – this will not be addressed to you personally as they have no idea who the recipients are, only that an address might exist.

In 2024, OFH is wanting to create a ‘health risk score’ and place the burden on your GP to explain it to you. Replicating the decline of Zoe and other influencers towards selling “food supplements”, all of the incentives on OFH are to maximise that score while minimising their help and blaming the NHS for not doing more. Your doctor has professional obligations to you; OFH does not.

Here are our outstanding questions about Our Future Health which we don’t currently have reassuring (or, in some cases, any) answers to.

Questions For Individuals…

…about the signup process

  1. Which organisations have reviewed the current signup process and language for accuracy and transparency and to see whether it is misleading about (not) being an NHS project (which it isn’t)?
  2. If you don’t complete the process, at what stage does Our Future Health count you as a “volunteer” – the first time you click the first link? Is that inflating the “volunteer” count?
  3. Why doesn’t Our Future Health confirm that no data you provide will be used to help your care directly? (Something may be found that is eventually used to help everyone with that condition, but it does not come back to you directly.) Why does some marketing material suggest that ‘OFH will help your health’? 
  4. OFH does not currently offer rewards or incentives to sign up. Is this being changed? To be targeted at particular subgroups?

… about data

On the NHS confederation podcast, the new CEO of Our Future Health said:

“in the future, what we’d like to do is take consent to link to other records that the Government, and the Office of National Statistics for example, collect through the census, and other administrative databases”.

  1. Will any NHS body review requests for NHS data by projects approved by OFH?
  2. What data are currently proposed to be linked? How can that process change?
  3. What data are being discussed for linkage in future? What choices will be offered to about inclusion?
    • Specifically, are there discussions to link to data that “Government” holds about children’s education history from pre-school to post-education employment?
    • What plans are there to link to DWP’s (benefits/pension) data?
    • Will staff from DfE / DWP / etc have access to the data on the same terms as others?
  4. Do you know how consent for inclusion in the dataset can be withdrawn? What happens to data / samples held by OFH? Will they be destroyed?

Questions for Our Future Health

… about process

  1. When did OFH last confirm that all of what they told IGARD and CAG previously remains accurate? Are they willing to publish those documents? (our FOI hasn’t come back yet
  2. Why did the CEO resign so abruptly in June 2023? Was it related to the sudden change in public communications around the same time?
  3. When Our Future Health says “we will publish a list and summary of all approved studies on our website”, why is that less transparent and contains less detail than NHS England?
  4. We include more quotes from the new CEO’s appearance on a podcast below, but how many of those “future” promises are delivered today?

… about business models

  1. Can the company be sold to benefit the charity? (Just as Wellcome PLC was sold to benefit the Wellcome Trust, or as was bought by private equity…)
  2. When the company runs out of cash and goes bust, which it probably will, what happens to the data? Who can buy the DNA records and other assets in a firesale?
  3. Just as OFH is company owned by a charity, so was the creator of orkambi, who made decisions for the charity which proved extremely expensive to the NHS. Will any OFH success come at at the expense of NHS budgets?

Questions for public bodies

  1. If there is a discovery that can improve the nation’s health, will Our Future Health (“charity”) keep it secret for profit, or it will become available on the NHS for everyone?
  2. OFH is writing to everyone in the country; the vast majority are not signing up. Will OFH and associated projects be able to receive data on people who didn’t sign up using other methods?
  3. OFH lauds the supportive comments they hear from stakeholders; are all stakeholders kept fully informed of changes to OFH since they gave that support? Have you been?
  4. In light of the “broad consent” question / debacle with the vaccine taskforce, what happens if the “informed consent” that OFH collects turns out to be invalid?
  5. What possibilities has OFH discussed for expanding data linkage to other areas of Government, such as DWP or DfE? Will an NHS body be expected to review all or any projects using NHS data?
    • Given the approach being taken by OFH, what are the consequences for similar data linkage in the rest of Government and ADRUK/HDRUK?
  6. The Government’s “Data Protection and Digital Information Bill” (our briefing) removes penalties for misuse of data that is said to be “anonymous”, even if it isn’t. What are the consequences of that Bill on OFH’s customers and the promises it makes to “volunteers”?
  7. Sir John Bell, founder and prime mover behind Our Future Health, got his CH recently. What questions would the Palace ask before William/George would sign up? What are the answers? Why isn’t that information available to everyone?

It does not seem unfair to describe Our Future Health as two steps away from offering a chocolate bar in return for DNA and lifetime data access. [October 2023 update: OFH is now offering some people – but not all – a £10 shopping voucher in return for their DNA and lifetime data access.]

Recent quotes

As part of Our Future Health’s publicity push, they appeared on the NHS Confederation podcast to promote themselves. Strangely, the new CEO didn’t mention that he was about to get that job, and instead said: 

“…what it [UK Biobank] didn’t do was to allow individual level feedback to participants or volunteers in the study and see what action they could take themselves to prevent those diseases. That’s what we’re trying to do with Our Future Health now. It’s a successor study to UK Biobank, those who take part will have the opportunity to get individual disease level feedback in the future…”

“As of today, we have 500,000 people have signed up… and about 200,000 have attended appointments where they give a blood sample primarily for DNA analysis, and also have some physical measurements taken…”

“…in the future, what we’d like to do is take consent to link to other records that the Government, and the Office of National Statistics for example, collect through the census, and other administrative databases…”

“We’re not just giving people information that cannot be acted upon, as that’s not good for them, neither physical nor mental health. Initially, we’ll feedback information on disease where there are existing programmes for them to be dealt with, so for example, diabetes, ischaemic heart disease, heart disease, we have the existing NHS health check programme for people aged 40-74. What the additional information will gather through OFH is people will have more accurate information about their disease which can be dealt with when they go for their health check. Additionally, diseases like breast cancer, where we have a screening programme, being able to identify women who are at higher risk of breast cancer based on their genetic risk who are not identified, so who are not part of the screening programme, that will have to be done in close coordination with the NHS screening programmes as well. The whole programme is being done in partnership with the NHS, but its implementation, once the research phase is over, the implementation phase is a key challenge which we are aware of.”


Shortly after this page was first published, this FOI response came back:

Amendment 2

Amendment 1

Original request

The (McKinsey) Procurement (part 2)

When McKinsey was advising on the structure of the then “new” NHS England in 2013, McKinsey was simultaneously advising other clients how to take advantage of the structure they were recommending.

This year McKinsey won a £1m contract to advise on the structure of the (2023) “new NHS England” following the takeover of NHS Digital (and Health Education England). Presumably it continues to advise other clients how best to take advantage of those new structures, and past practice suggests McKinsey will be paid more money by others to subvert the model they proposed.

McKinsey doesn’t talk about their clients, but sometimes they are forced to by courts. One such client was IMS Health, which was set up to be the “information intermediary” between doctors and the makers of oxycontin, the drug whose sales practices were partially responsible for the opioid epidemic in the US, and which still operates in the UK (under the current brand of “IQVIA”) doing much the same thing as they have done before.

Does NHS England know who McKinsey’s other clients are? Does NHS England know whether they’ll benefit from knowing McKinsey’s advice to NHS England? Does NHS England know whether McKinsey advice was written in a way which might help those other clients? 

The ongoing trade in NHS information

NHS England is both a consumer of data via their analytics, and a producer of data for themselves and others. McKinsey’s report should have recognised this conflict of interest, and potentially managed it in better than the usual way (either of McKinsey or NHS England). The functions of the data safe haven, which should be to hold data, be accountable for what data is used and how, and offer multiple environments in which it can be analysed, should be transparently separated from the functions of the analysts who consume data they need to do their work.

Realisation will creep across NHS England that the data they hold is now almost all identifiable patient data, as they have the Personal Demographics Service, identifiable copies of HES, and the ability to match across different datasets on fields which they take no steps to protect. 

Indeed, Palantir is very proud of the fact that it offers exactly that functionality to clients, and Palantir never ceases to point out that whether any functionality is used is purely a choice of their client – it’s up to NHS England and the government of the day. Of course, not everyone at NHS England is racist and incompetent, but there are informed individuals with legitimate fears that someone elsewhere in the organisation is doing something stupid with the identifiable patient data that NHS England now hold; and they’re probably right.

McKinsey and Palantir aside, there’s a different contract with our old friends at PA Consulting for implementing the recommended changes, PA Consulting being the company who agreed in contract not to upload a lot of data to google’s cloud, and then did so anyway.

NHS England is not a data literate organisation

The new NHS England is not (yet) a data literate organisation – you only need to look at the difference between NHS Digital’s board papers, full of numbers, RAG ratings and trajectories of change over time, and the NHS England’s board papers, of essays which contain the minimal numbers. The old NHS Digital showed what it really was, whereas NHS England describes what it thinks something will be, with enough people commenting on drafts that anything interesting will be taken out.

Insight into flows of data between NHS Digital and NHS England disappeared when NHS Digital got abolished. We were expecting NHS England to restore that transparency by publishing their “internal data flow records” this week; they didn’t.

If the new model goes as expected, McKinsey may advertise a case study of the leadership of Tim Ferris, epitomised by his monologue to the first post-takeover NHS England Board meeting. “Taking the paper as read”, he then talks through it, (probably correctly) knowing that even this superficial detail was below the attention of the board. The integrity of his examples is clear from his anecdote about the value of the NHS App, delegated access, and his kids’ records.

It is possible that the papers of the digital subcommittee of NHS England’s board (which takes over the oversight role that used to be managed in public by NHS Digital’s board) will have such information, but none of it will be public.

After all, the structure of the “new NHS England” data functions will be reflective of the late-but-still-forthcoming statutory guidance for data functions in NHS England, which should have been in place before the merger happened. They weren’t, and still aren’t.

Is McKinsey’s “rightsizing” recommendation to get rid of experts who know something?

Professor Mazzucato’s recent book on consultants and consultancies explains how the choices and outsourcing of key work results in a hollowing out of Government, and a brain drain that makes them ever more dependent on ever more consultants. 

The opening chapter of the McKinsey book covers how those with the most experience are let go as McKinsey helps “rightsize” organisations, and the deaths that resulted from those choices. As McKinsey give the same advice over and over again, did they do something new this time?

Large consultancies only offer solutions which involve some future role for large consultancies. Approaches like Reproducible Analytical Pipelines, which are cheaper and more effective for all kinds of analysis, get deprioritised by the consultancy world as there’s little consulting money from that approach. 

Consultants everywhere, so how long until the NHS spend around Palantir costs more than the NPfIT? The currently published £480m tender only includes NHS England’s role, and NHS England is increasingly saying that Trusts, ICSs, GPs, and others will be expected to shoulder their own burdens for interacting with the system, and the way to minimise those costs is to pay Palantir more money, because interaction between Palantir and other systems is still manual (and will be unless a Trust cedes decision making to NHS England, importing the US model with NHS England acting as the insurer and decision maker rationing care).

Rest of Government: GDS embraces 1 Great Database State

We started our response to the current GDS consultation with an unanswered question: “Has Gov.UK ‘One Login’ metastasized from a “better login to government” project, to a “one identity to government” project?” The answer appears to be yes.

A recent meeting held during the consultation was told that the Government intent is to actively prevent individuals from having multiple Login accounts. A person may be able to have multiple email addresses – indeed, they may already do –  but Government would attach them to a single “identity”. This regulation allows that database to be shared in bulk.

This turns Login into a weapon of the database state that HMG has previously assured many times that it was not building. Were civil society lied to? Or has Cabinet Office changed its position without bothering to tell anyone?

At a roundtable on the consultation, GDS said about the Regulation that the “first use is one login”, which suggests there will be a second use. It is unclear to what extent DWP embrace one Login for Government for UC, or HMRC’s accountant services, or MoJ’s digital courts, or … Requiring judges or accountants to use their work identity for personal purposes seems an odd thing to do without consulting MoJ/HMRC.

Identities are multi–faceted

Indeed, many of the civil servants reading this will have a “work phone” as well as their own (personal) phone, and use separate work and home email addresses (as they should).

Some users of government services are required by regulatory bodies to use work email addresses, and while the left hand of GDS could require them to route personal use through their work address, the right hand of HMRC/MoJ/etc would tell them not to.

In practice, there will be “many to many” mappings as people are complex (consider an accountant who is also a magistrate and uses their maiden name for some things), and GDS will be unable to keep the “one account” promise to departments. 

Departments will have to assume that individuals will have the ability to have multiple logins (because they do, they will do, and will continue to do so), and can manage that if they know; whether GDS also adds burdens on citizens is something they can choose to impose.

Any attempt to deny this is the database state of the most naïve form.

This database will require people to have a working email and phone number

The GDS account creation process requires both a working email address and an active phone number to login. If you are missing either of them, then no access for you – and they have to work to login each time. 

GDS originally chose to require a UK phone number for refugees fleeing Ukraine who wanted to come to Britain to receive an update by email when the rules changed (since those people by definition were not in the UK, it was blatantly unreasonable to require them to have a UK phone number, which GDS refused to accept in private, and only updated the process after questions were asked in Parliament). GDS also required a UK phone number for Afghanistan refugees seeking email updates on how to come to the UK, but that group are still excluded. The current Government simply didn’t care enough to help that group.

GDS expects everyone to have an account over time, and therefore for this to become a full population database, consisting of verified ID, plus mandatory email and mandatory mobile phone number, whose only statutory basis is this Regulation. 

Creating a big database and taking unrestricted powers to share it 

To avoid digital disengagement for identity verification, we understand Government are expecting to have an “offline” process, which will store a set of identities to avoid offline revalidation each time, and that this caching would be equivalent to the digital system, which suggests that all identity data will be retained by GDS for an unclear period of time. 

The surprise, late and incomplete disclosure of this new identity database in Government raises some additional questions about the sharing of the identity information possible under the power being consulted upon:

  1. How long will “verified” identity information be held by GDS after verification?
  2. How often will someone with a 10 year passport have to revalidate? Does it change for a driver’s licence?
  3. For what purposes does GDS currently believe it will use the database it creates?
  4. This consultation proposes allowing the entire database to be shared, in bulk, to almost anywhere in Government for any purpose; why?
  5. Was anyone outside Government shown this policy before this consultation?

It appears that GDS simply made the decision for itself, with no informed input or discussion with civil society. That relevant information was withheld until after the consultation had opened reflects how recent engagement with PCAG/PIAF could be considered less than “lipservice”.

In some meetings, supposedly informed speakers have demonstrated a clear need to be reminded of the importance of the PCAG principles, and why they’re there, most notably the multiplicity principle where users with multiple identities – such as a work email address and a home email address – may use both without Government requiring them to connect the two. 

This week’s joint Blair/Hague handwaving is emblematic of a Regulation allowing Government to use and share ID databases however it wishes, without democratic restriction, oversight, or transparency, which ends badly.


Addendum 24/2: Some in Government apparently read our final link as suggesting that the HMG decisions on identity in and after 2023 will reflect the policies and practices of the Taliban, rather than as an illustration of the entirely foreseen consequence of HMG decisions from 2003 to 2021. This unexpected choice of affiliation may say more about the reader than the authors.

The (Palantir) Procurement (part one)

NHS England’s staff probably shouldn’t describe their “Federated Data Platform” in meetings as “The Palantir Procurement”, but they do, which is helpful as it makes understanding what they’re doing easier (why they’re doing it will be in a different post).

The tension at the core of the Palantir procurement is something like this:

If there’s a new pandemic (wave), NHSE feel they need to be ready, and so feel they need all the capabilities Palantir advertise, but that capacity must be permanently available in case Palantir’s statements about how quickly it can be set up are untrue.

They’re not entirely wrong, but those aren’t the only choices.

NHS England came under great pressure in the pandemic, and will spend any amount of money to avoid ever feeling like that again. That is true more widely – NHS England’s middle management will spend any amount of money to avoid feeling bad every so often, especially if it gets things for them, not the hospitals, GPs, and others who actually provide care every day.

£480 million for another way to build Reproducible Analytic Pipelines seems… excessive. Especially compared to all the other environments (which cost closer to £480k).

As we say in one of the twitter threads, there’s no coherent narrative in the tender to argue against, so here’s one thread on one question, and a link to more below.

What is that money being spent on?

Branding and ads? There’s no narrative in this tender, it’s a collection of things NHS England’s data team has been asked to do, with a massive cheque attached.

Despite the narrative, we can look at the purposes named in the (CPV) categories for the tender: 

  • 30211300 – Computer platforms
  • 72000000 – IT services: consulting, software development, Internet and support
  • 48610000 – Database systems
  • 72322000 – Data management services
  • 48612000 – Database-management system
  • 48613000 – Electronic data management (EDM)
  • 72317000 – Data storage services
  • 72319000 – Data supply services
  • 72310000 – Data-processing services

No healthcare, no logistics, no doctors, no patients, just data processing. 

But then we look at the initial uses:

NHS England also proposes to run parts of the NHS logistics system off Palantir – NHS England is not responsible for logistics, it just wants more dashboards. Dashboards are reasonable for managers who don’t deliver anything, but the full table excludes logistics experts from bidding on a logistics system. Why?

NHS England proposes to run virtual wards out of Palantir. NHS England doesn’t currently run any wards (those are run by your hospital), but it wants all the functions as if it did? Will care go from your hospital to the national funding body that is NHS England? Will this EPR be accredited? Will NHSE be inspected by CQC?

It makes no sense at all to glue together the logistics system for vaccines with the patient records for inpatients, but that is what NHS England data team wishes to do. All of the discussion about interoperability doesn’t seem to extend to their procured hospital EPR functions connecting to their procured logistics functions.

When drawing the interoperability diagrams, why isn’t logistics in here like the EPR functions? Why have only one system other than the historical artifact of incumbency? 

There is no reason that these are in the same procurement bucket – there are many EPRs, and many logistics systems available, but how many companies offer both to the level that can match the incumbent supplier? Given the massive expense being incurred, one hopes they would at least ask for most-favoured-nation on pricing and features.

It will be difficult – when trying to cover up the proprietary terms that were papered over in some places, but missed in others. The term “PBAC” is defined as “Policy Based Access Control (PBAC) model” in one place, then also referred to as a “purpose based access Control” elsewhere, which just happens to be the Palantir  brand name for that exact functionality.

The Palantir PBAC functionality is good, but it’s only useful if it’s used, and it can only be seen as trusted, in the TRE sense of the term, if it’s transparent. This is merely an incompetent coverup. Meeting the minimal legal obligations to the public will not be enough, and is not enough if you wish public confidence in your actions..

It’s unclear whether “data cleansing” and “data enrichment” can be done via API access alone. Which means there will be copies of data made, and one of the forthcoming twitter threads will show just how much data needs to be copied (what it comes down to is: everything). How many copies of data will each tender respondent create? How will patients be told when these extra copies leak? Because sooner or later, they always do.

Palantir’s entire operating model is sucking data out of other databases into their own systems – that was a choice on their part, and continues to be a design choice on their part, and it doesn’t have to happen. Tender respondents could create their tables and do cleansing in their own tables within the data controller’s existing database systems – it would add some complexity for contractors, with the benefit to the NHS that there would be no copies created outside of existing systems.

NHS England claims it has no obligations to move forward beyond this prospectus, which seems politically untenable given all the work that has gone into it. However, whether there are enough respondents who can respond to a big unique prospectus like this is unclear. NHS England has banned the GP IT suppliers from responding – those suppliers would avoid the highest risk consequence of this tender: the need to copy much data (they already have almost all of it).

It’s not a good tender, but it’s also the best you can get when you mix up NHS England’s sociopathic micromanaging with blame culture and the fear of anything they don’t absolutely control, and say to the data team, you’re now responsible, it’ll be your fault.

So the data team went to the market, showed the mess, and asked for ideas, which are all phenomenally expensive as NHS England want the headline contact to transfer all the mess onto the successful bidder, who in the small print will shift it all back again. 

Data is not the problem. Analytics aren’t the problem. Analysts could do all the legitimate analytics they wanted in any one of the Reproducible Analytical Pipeline environments that NHS (both opensafely and NHSD’s TRE), ONS, HMRC, or others use, but in all of those existing, functional, working environments, they have to write down what it is they want to do, and then the analytics get run; the appetite for that currently seems to be zero because of the obligation and necessity of writing it down.

We hope OpenSAFELY continues to exist after the current temporary extension ends in a couple of months – the scope of that existence will show the desire for modern ways of working and trustworthy analysis environments. But no one ever got fired for buying IBM Palantir, and the momentum for budgetary excess that comes with it. 

We have a twitter thread of threads about the tender which starts here, and will probably be more specific and more up to date as things evolve. As we write more documents on the tender, we’ll talk about them in twitter threads or future blog posts, and they should also appear here:

(a line that was unclear was clarified on 23rd Jan)

The first Goldacre Review

The Goldacre Review is a road map; it is also much more. In many ways it represents an alternative world view to that which is currently being built in ways that have failed at least three times before – not through any lack of political will or even resources, but through a failure of vision.

The choice now facing the country is whether the NHS will fully embrace and build a data infrastructure – which as the Review points out is “code and people with skills”, not beige or black boxes – that is open, collaborative and reproducible or whether, some honourable exceptions aside, it will persist with the status quo of closed, secretive and exploitative data use. 

A DHSC-commissioned Review has stated that the dissemination of pseudonymised (i.e. linked and/or linkable, individual-level) patient data is dangerous; something the Government itself acknowledged in Parliament last summer, which this Review has now confirmed.

Professor Goldacre says this is not a “new emergency” – indeed, the practice is endemic – but he is also very clear as to why alarm lights should be flashing. His Review details many of the specifics on pages 85-93.

This is a review of institutional processes, and while it recognises that critical patient-facing aspects of NHS data are damaged and/or unfit for purpose, the Review correctly notes that this is not the place to try to fix them. The NHS has to get its own data house in order before going back to the public. 

The success of a review such as this can only be measured by the things that change in the real world as a consequence. Will the research community, the institutions that claim to lead and support that community, and other institutional and corporate users of data now make the necessary changes with the levers available to them?

Open ways of working

The Review describes how open ways of working can be trustworthy and, more importantly, how they can work – but no review can mandate delivery. Nor does it dictate policy.

For example, DHSC has long attempted to “ban” “exclusive” data deals – which the Goldacre Review repeats as expected, while dancing around business models – but both miss the point. Those seeking to use NHS data rarely if ever do so on an “exclusive” basis, not least because it is in the nature of data to be non-rivalrous. What they seek is exclusive control of the insights generated from that data, which contracts entered into by NHS bodies repeatedly sign away.

An “exclusive” deal for data would in practice be harmful only in the context of a single data controller. Even were one hospital to sign up to such “exclusivity” – which as far as we know, none have – then the hospital down the road clearly would not, and should not, be constrained by that exclusivity.

Following previous messes involving, amongst others, Google DeepMind and Sensyne Health plc – none of which prevented those Trusts from cutting other deals with different companies – DHSC told Trusts not to sign ‘naive’ and ‘unsophisticated’ patient data deals and set up the “Centre for Data Expertise”, which has ever since been looking for something to do. The principles of the Goldacre Review should become the core task of that centre – since renamed the “Centre for Improving Data Collaboration” – that is, to assist and guide NHS bodies that are willing to implement open ways of working and the sharing of both code and outputs. 

Those who do not wish to modernise, whether they be NHS bodies or HDR UK, can sit on the sidelines and continue to waste public resources they have been given. The Centre, meanwhile, should help those who agree with the Review to implement it faster – including whatever DHSC and NHSEx commissions, and whatever the Service Transformation Directorate prioritises. That assistance should include supporting those who can already build better tools, not just favoured suppliers.

Just as HDIS was for the HES data, there should be similar arrangements for ICSs/ICBs and other geographies so that organisations can see the data they need to see. Some of these views will be from care providers / provider level, and some from higher level aggregators – with commissioners being able to see both the different models for their area, and the models for different interventions. 

The abolition of PHE and the move of some public health functions to the NHS should help ease historic turf wars. That this would be useful is demonstrated by the answer to the question, “Is there a public URL where anyone can see, for known defined geographic areas (councils, ICBs, etc.), the current top health issues in those areas, compared with areas nearby?”  (The closest answer to which appears to be one blogpost.)

That PHE was unable to publish NHS health measures at the level of CCGs – i.e. where the decisions were made – was not entirely its own fault, but it was never able to do so. In the more open culture of academia, we got openPrescribing for GP prescribing, but even that was limited as it wasn’t able to cover the £7.5 billion spent on hospital medicines.

Safe(r) ways of working

The Review’s call to apply different approval processes according to different data risks is far from unprecedented; ONS has been doing this for many years, for different datasets of different types. This approach has not previously been applied in the NHS, not least because of the acknowledged excessively high risk of giving out full raw datasets to anyone who wants them.

NHS Digital also operates under different constraints, in a different data culture. So while ONS is able to reject access to people it is not assured will follow the rules, NHSD is obliged to supply data to other public bodies which may make their own assurance decisions about their own suppliers, and where governance sanctions are practically non-existent.

There is also something of an obsession with “100%” health datasets, when those producing reliable national statistics know that ‘full coverage’ – such as with the census – is to all intents and purposes the same as a health dataset that has removed the records of every patient who has made a National Data Opt-Out. Indeed, even if NDOO was applied to GP data or hospital data, the remaining data would still have coverage greater than the census.

The suggestion of a ‘one stop’ approval shop is attractive to those who want to water down governance. IGARD and PAG (the BMA and RCGP’s ‘Professional Advisory Group’) have largely worked for GP data, but not entirely – in particular when NHS England “forgot” to inform them of various actions. While a group like PAG minimises the need for every GP to review centralised data extractions and access themselves, the basic principle that any data controller can ‘pull the plug’ is what keeps other parties honest – especially those whose strategic interests mean they are less than completely transparent.

TRE ‘wrappers’

The ONS ‘Five Safes’ model relies on the fact that everyone who comes into the safe setting is already within a trust boundary. Its own processes show that the NHS cannot and does not trust all of the people who would access data, and yet it has to give them data that is intrinsically unsafe. 

That NHS England trusts NHS England may be obvious; that’s not to say it is entirely wise. And NHSE’s ‘gatekeeping’ of data research post-merger will likely result in more limitations and rejections of bona fide research, given that in more than a few instances it is likely NHSE won’t like the answers…

Seeing which way the wind is blowing, meanwhile, HDR UK is shovelling money into “sprints” to discover ‘new tech’ for TREs. Its call is flawed and seems designed to to funnel money to incumbents. (That HDR UK wastes UKRI / MRC / ESRC / public funds is not our primary issue of concern. This does matter to all our research friends – but whether the 250+ who signed HDR’s open letter on research access to GP data last summer knew this was what they were signing up to is unclear. HDR did tell them… right?)

HDR UK was designed to build infrastructure. It has failed, and NHS England plans show that the NHS will be the reliable infrastructure provider for NHS data. On UKRI’s proposed budget allocation, MRC / HDR cannot currently afford to continue funding all of the hubs listed in the slide in its latest presentation. 

In reality, HDR UK has no framework to maintain infrastructure; it doesn’t know how to build infrastructure that people wish to use; and it doesn’t have any control over the data that can be used. No research programme can have lasting confidence in any research infrastructure provided by HDR or the hubs, for the simple reason that they have defined funding periods and cannot make commitments beyond those periods.

What happens to the next iteration of Farr / HDR UK is up for debate, and we have suggestions of where to start – but whatever it is must be much smaller than the 100+ people at HDR HQ, currently draining resources away from research.

While everyone tries defining “TRE” to mean what they want it to mean, a  number of likely models are emerging:

  • NHS England: addicted to its COPI powers, Palantir Foundry and dashboards; it may or may not commission its quarter-billion pound ‘Federated Data Platform’ from Palantir – but even if it doesn’t, will this historically closed platform (also) be NHSE’s ‘Planning TRE’? (Noting that, if it does plump for Palantir, NHSE will have the capability to automatically produce Personalised Data Usage Reports for every administrative use of NHS patients’ data by NHSE…)
  • OpenSAFELY: currently operating under COPI powers, NHSE’s data controllership and CMO sign-off; a ‘table server’, not a remote-desktop-style setting – but nonetheless a scaleable, safe way to produce non-disclosive results from specified, approved queries run on data in situ. (Could be used almost immediately to reduce burden on other stretched systems, but NHSE is refusing to make any policy decision until it has decided whether to ‘go / no go’ on Palantir.)
  • NHS Digital: has a functioning TRE in which COVID and cancer research is already being done. This TRE is sustainable, its scaling up was funded in March 2022 (amount unknown), and it replicates the ONS model which has been proven to work for researchers and analysts, and whose statistical outputs inform policy and decision makers for years.
  • DHSC / UKHSA’s ‘EDGE’ (now ‘eDAP’?): is described as “near critical national infrastructure” in its tenders, though I bet you’ve never heard of it. It’s not for direct care, so what it does clearly falls under the ‘Research and Planning’ (i.e. secondary) uses about which patients have choices.
  • ONS has the Secure Research Service, which already handles mortality data; there’s SHIP eDRIS in Scotland, and SAIL in Wales; Genomics England Ltd does genomic data; and there’s a proposed National Imaging TRE for training AI models…

Delivering the future

The Goldacre Review recognises, channelling Baroness Onora O’Neill, that the key to the future of health data is trustworthiness.

The merger takeover of the statutorily independent safe haven by NHS England will place the obligations on the public body that is NHS Digital onto NHS England. Some of those obligations are related to use of particular powers, some apply to the public body itself.

DHSC has thus far refused to produce a Keeling Schedule of how Part 9 of HSCA 2012 will look in the statute books when “the Information Centre” is replaced with “NHS England” – we assume because they’ve done the same work we have, and realise how ridiculous it looks. We look forward to seeing how Ministers’ statements at the despatch box will be implemented, if indeed they are even implementable.

NHS England does its own thing because its main job is to ensure there is always someone to blame other than DH and the Secretary of State. DHSC and NHSEx’s shared vision appears limited to “abolish NHS Digital, buy Palantir”, maintaining and expanding closed, secretive and exploitative data use that is not clearly in the public interest. 

This latest ‘transformation’ is not just a technical process or platform ‘upgrade’; it’s all about trust and the relationship between a modern, data-competent, data-functional NHS and the people it exists to serve – not the system itself.

We have plenty of evidence on the way officials convince themselves their last mistake was due to factors beyond their control. How they fail to learn lessons, and gradually walk themselves (and others) around in a circle to a new justification of the same old bad decision, with exactly the same goals.

This time, we have to do better.

“No one down here but the NHS’s most unwanted?”

Twitter exhaust suggests the cohort of tech-backgrounds who came into the NHS via NHSX have discovered ‘Seeing Like A State’, and may even be beginning to understand (a little of) why NHSX could not succeed. 

Some of the more advanced thinkers may have found Zacka’s ‘When the State Meets the Street’, a tech view of service delivery and moral agency. Moral agency in practice means realising that while those working on AI in NHSX may themselves be well meaning, the DHSC AI lab will always do things that are important to DHSC; that service design at NHS England will always prioritise things that are important to NHS England – and that patients and the NHS frontline lose in both scenarios.

The first Goldacre Review says the data risks are not a “new emergency”, but anyone who reads it will understand why alarm lights should already be flashing. It is likely that ‘Goldacre2’ will have to pick up the pieces where this Review went undelivered, and where the unevidenced assertion of a lack of urgency may have turned out to be overly optimistic.

The success (or not) of Goldacre1 will be measured in the Terms of Reference for Goldacre2.

No-one goes to work in the morning to be transformed; those who go to work to help people especially not. Matt Hancock appeared to understand this when he came up with the idea of an NHSX ‘with vision’, in ways that NHS England clearly didn’t when setting up the (National Health) Service Transformation Directorate – which in many ways is still Hancock’s Service Transformation Directorate, albeit without as much interest from political leadership. 

No longer named like the popular TV show from Matt Hancock’s youth, the STD risks replicating Mulder’s opening line from the X-Files. Goldacre1 could actually make it useful. It’s a vision thing.

Coverage of flying saucers and Nessie largely went away once we got good camera phones; data headlines should go away when the NHS gets open methods and reproducible analytics, all running in TREs. Any dashboard needed at any level of the system can be run that way.

The NHS is currently making a choice – or, more accurately, appears to be trying to rationalise choices it has already made – between investing in genuinely open, collaborative and reproducible data for planning and research, as laid out by the Goldacre Review, or persisting and spreading the status quo of closed, secretive and exploitative data use that is so toxic to trust.

Which is not what anyone wants.

Enc docs:

Good TREs Work

Each December we look at the year’s progress towards telling patients how data about them is used (from 2014 2020).

Good TREs Work, and good Trusted Research Environments are working. The remaining hold-outs are those whose ideology requires data to be copied in the shadows, avoiding both transparency and accountability.

All dissemination of linked patient-level data is unsafe, but some is self-evidently more dangerous than others – such as organisations receiving the same data for the same people for the same month, one set with opt-outs applied and one without opt-outs applied. We have ‘red flagged’ such organisations on, and they should be required to use the TRE for all future projects that need data each month.

Data recipients like these pose an unjustifiably high, systemic risk – especially when it has been shown that Good TREs Work.

2021, and what’s next? 

GP Data for Planning and Research (GPDPR) collection is paused until NHS Digital’s TRE is working for all GP data, which it is not yet in a position to deliver. While Good TREs Work, NHS Digital has not yet delivered a TRE which is as good for everyone as the Secretary of State has committed them to doing – and as NHS England is actively undermining it from doing.

GP data cannot be collected until access is TRE-only, and there’s still quite some way to go on that. We would include details of how long that is likely to be, but NHS Digital does not publish the data that would allow that figure to be worked out.

The Goldacre Review should have been out by now – it is still due ‘soon’ – and in data terms it is expected to be largely uncontroversial. The handling practices of both GP and Hospital data have been dangerous for decades, but they can and must be reformed.

Hopefully NHSX, NHSD and NHSE will finally recognise that danger, and what the 2021 ICO Code of Practice on Data Sharing, (UK) GDPR and the 2018 Data Protection Act all say – that dissemination of highly detailed, sensitive personal data on the entire population of England can result in re-identification, including through the event dates that are entirely unprotected in the datasets. Continued denial of this danger will result in NHS patients being identified, as happened in Australia

For 2022, we have updated the data usage report mock-up we first drafted in 2014

The most noticeable changes in the report are the organisational names and logos, but the principles of consensual, safe, and transparent data handling remain. All data handling by NHS bodies could be transparent, and the data uses register format NHS Digital moved to in 2021 is an improvement – but bodies like NHS England, for example, still choose not to say how its COVID-19 Data Store was helpful in the pandemic.

With only twenty projects admitted to by NHSE, the panoply of missteps that occurred in the pandemic seems less surprising – if no less shocking – and there’s no published evidence of any value in Palantir Foundry at all. (We go into more detail on this in the available next steps to Data Usage Reports (2021).)

AI and data governance

As AI moves out of DHSC and the civil service into the “real” NHS, it will have to justify the budget and resources it has been given. Though there is a point in time in the history of everything that works when it didn’t work, there is never a point at which those things that don’t work did, no matter how much money was spent.

The AI strategy will re-emerge at some point, and NHS England will get to reconsider it. Our straightforward advice is this: one third the length, one third the budget, and three times the vision. Under NHSX, things have gone in the opposite direction…

DHSC and corporate interests are not the same as doctor’s interests or patient interests. Not even close. Recognising the AI advisory and former No10 Chief of Staff’s view of international agreements – that subterfuge and double-dealing are legitimate between parties – every supplier to the NHS should be required to provide a “datasheet for datasets” for every dataset it was trained on (and to check all the IG) so as to stop ‘data shortcuts’ being profitable.

Public and professional unease around both genomic data and AI is not limited to data governance. That Genomics England handles data safely does not eliminate concerns around how it may be used, e.g. for newborn baby screening. Just because something can be done with data, and can even be done safely, does not mean that it should be done at all.

COPI renewal – choosing a better timing cycle

COPI remains in force, and it is unlikely that DHSC will be able to make a good decision on renewal in any February or August. The March and September dates are simply a legacy of when the pandemic started and a 6-month renewal. This being the case, if HMG believes the pandemic really is ending, the next COPI extension should be for just three months – which would also put things onto a more reasonable cycle of making decisions before and after winter, not in the middle of it, should another variant emerge. 

Will they ever learn?

In the context of the Government’s “new direction” on data that will make it harder for people to understand what is being done with their data, and easier for companies and authorities to use it beyond people’s expectations, NHS England’s hostile takeover of NHS Digital means all of these risks and responsibilities will become theirs.

The public may have been generally confused by who and what NHS Digital is – a symptom of what the Wade-Gery Review referred to as ‘split responsibilities’ and a ‘fragmented’ landscape – but everyone can understand that the institution Directed by Government that is NHS England is neither your doctor’s friend, nor yours.

In 2014, NHS England blamed the Health and Social Care Information Centre for its own debacle, requiring HSCIC to cede more control, have an NHS England Board chair, and an organisational rename to NHS Digital – which is precisely who NHS England and NHSX (i.e. NHSE + DHSC) now blame for the collapse of GPDPR in the summer of 2021, a programme over which they had final say. Clearly no-one learned the lesson the architect of was forced to, seven years ago: “We do not subscribe to artificial deadlines here – we will roll it out nationally only when we are sure the process is right.”

DHSC’s commitment to TRE-only can be delivered, and NHS Digital has started to deliver it – with 125+ organisations using some form of NHS Digital “system access”, according to its release register.

Trust requires transparency

The risks and issues around Hospital data and those of GP data are by and large the same. And in medConfidential’s dealings with NHS Digital / HSCIC over the past decade it has always been clear that hoped-for improvement was not just possible but eminently feasible. Yet, despite this, progress towards a TRE for all secondary uses of patients’ data and personalised data usage reports for each patient has been minimal, at best in only minor increments. 

Lack of progress has in large part been due to DHSC disinterest, lack of adequate resourcing, and the outright intransigence and active kneecapping of positive intentions by NHS England. The evasions and lack of transparency around NHS England’s COVID-19 Data Store only highlights its culture of secrecy and contempt, suggesting a new corporate attitude and approach will be absolutely essential should NHS England come to govern all patient data in the English NHS. 

NHS England’s fear of transparency and accountability are not necessarily irrational, however. Senior officials know what they and their NHS England colleagues already do with data, and clearly believe it would not stand up to public scrutiny – issues that Baroness Harding will know from experience have very real consequences. Is it really true that during the entire pandemic, with the unprecedented amount of health data it hoovered up under extraordinary powers, only 20 projects used the tens of millions of NHS patients’ data in NHS England’s COVID-19 Data Store? 

If it persists in the absence of good governance that characterises its handling of our data, and with its favoured scapegoat no longer available to blame, NHS England may in the next act be exposed as the true cause for data despair.


ONS analogies with NHS Digital datasets

Data Usage Report (2021) example

Available next steps for Data Usage Reporting (2021)

GOV.UK’s Black App: and in the darkness (Departments) bind them…

When DHSC specified the NHS App’s features, it was was a near-certainty that GDS would (eventually) copy the game plan: a cross-GOV.UK app – a webview onto existing GOV.UK information and services – being almost inevitable due to the machinations, and lack thereof, by Whitehall Departments.

NHS and app logos

Unsurprisingly, in the closing weeks of a spending review, with new digital management, and after a crisis in which such an app probably wouldn’t have made much difference, but in a world where HMG wants to own vaccine certificates, and NHSX(etc) very much wishes not to, the GOV.UK ‘black’ app was announced.

The approach being taken will in all likelihood dissolve the ‘hard boundary’ between the NHS and government – but, of course, do nothing to actually help social care where that boundary is already blurry…

A GOV.UK app won’t provide anything an online GOV.UK service doesn’t do already – or will do, by the time you are ‘nudged’ to use it – but it will give the Cabinet Office new and greater powers over other Departmental services. And with these new powers will come (some) new responsibilities, such as for the hostile decisions Departments make in their own narrow interests (which our work elsewhere has found widely: e.g. 1A, 2A, 4D, 4E, 5E, 5J, 5L).

On the one hand, GDS’s excuse of “It’s not our service” will cease to be sustainable; on the other, the “One Login” for the (whole of) GOV.UK will give it a stick with which to rein in the worst of the Home Office / DWP digital divide…

Will the dark arts permeate the Black App? And since the answer is yes, where?

Cross-service tracking and analytics

The introduction of cross-service tracking and web analytics will allow unprecedented monitoring and investigation of causality and consequences, such as:

  • Does being sanctioned cause you to look up food banks?
  • How many people do that in the app each week?

Even if it chooses not to publish the statistics – as it really should for public services, paid for by public money, serving members of the public – civil society will be able to FOI official Government analytics to show how harmful a policy is, down to specific constituency level…

Also, when one service accessed via the Black App asks about a vulnerability, and when there is a ‘single view of Government’ via the app, will the legal position be that “all” of Government should then know about it?

  • Will DVLA be permitted to maintain institutional ignorance?
  • Will DWP?
  • What about where one Department accepts a UK resident is a victim of modern slavery, but another Department on the next screen refuses to believe it?
  • What about Settled Status

Where will the balance of benefits between the citizen and state lie?

As Richard Pope highlighted in his investigation of the systems of Universal Credit, “are the advantages of digitisation being shared fairly”, or will Government’s focus on automation once again prioritise its own ‘efficiencies’ over those of the public – offering no substantive benefit to citizens beyond “Look, it’s an app!”.

User-hostile design choices

Typical of the world view of many we deal with, Home Office front line officers have demanded to see the e-mail that the Home Office itself sends out about Settled Status as “proof” of people’s Settled Status. Yet that e-mail clearly states that it and the letter attached to it are not proof of status.

We revisited the Settled Status scheme, where refusal to provide offline alternatives to a ‘digital first’ service is causing widespread difficulties, distress and discrimination – which could be avoided by something as simple as recognising paper credentials, which is the way Home Office officials appear to be treating the letter from Home Office in any case. Initiatives such as the ‘COVID Pass’ in the NHS App have demonstrated it is entirely feasible to provide a signed credential for people to hold on their phone at high volume events.

Of course, such user-hostile choices are not just made by the Home Office but across Government.

Those who encounter the greatest burden in one place will face it in many (Annex 2 and 2A). At some point, someone will have justified adding each one of the different procedural burdens that we list in Annex 5; sometimes those justifications may even have made sense. But some of those justifications will have included a Departmental assumption that it is the role and function of citizens and service users to satisfy the whims of the Department…

That those who encounter the greatest burden in one place face it in many is one reason we focused on parents of newborns in Annex 7: “Baby then bureaucracy – the paperwork of new parenthood”, where one would think (or at least hope!) that the policy intent would be closer to, “We’re keen to help, we just need to check a few things first”.

The choice of permissions for Geolocation

While many are accustomed to using them in their daily lives, apps introduce scope for unprecedented levels of surveillance. One of the things a permanently-installed app on your phone can do that a web page cannot do is permanent geolocation. While it’s impossible for a web page to track your location (‘with permission’, of course) when it is not open; an app can do so. 

Our work on UC shows DWP will use any form of algorithmic cruelty it can find. Requiring UC claimants to submit to permanent geolocation is exactly the type of thing DWP would demand, and keep demanding, until it got permission. Could the Central Digital and Data Office and GDS, as a split leadership, reject those demands? (Noting the Home Office will probably find a reason to access geolocation too…)

In response to COVID-19, DWP figured out that the easiest option for DWP is to treat claimants like hostage takers and demand ‘proof-of-life’, with selfies holding up newspapers. 

As an aside, when the postcode centroid algorithm (and the errors therein) is compared with the GPS location (and the errors therein), who will suffer? UC would rather punish claimants than admit systemic failings.

For these and many other reasons, prior to launch, GDS must therefore explicitly ban any geolocation that isn’t on an “allow once while using the app” basis and for platforms without that as an option, GDS must design and implement a best-quality user journey which takes the user via their system web-browser to perform a one-time location and then return them and the single-use coordinates to the app

Departments may be even less accountable for user hostile decisions than facebook or youtube, as the view of the Government’s internal ‘Fraud Profession’ is that citizen requests are frauds until proven otherwise, beyond doubt – and that the civil service never makes an error, until proven otherwise beyond a reasonable doubt. (And for the latter, such investigations rarely take place.)

The use of devices and device services to exploit users by underhand means in pursuit of power and profit has been led by Facebook. Unfortunately, unless abusive techniques are explicitly forbidden, Home Office and DWP acolytes will most likely see the ‘ingenuity’ of Facebook’s engineers as a playbook, and a feature list – not a recognition of the moral decrepitude of their monster factories.

Civil Service silos 

That DWP is forced to accept a GOV.UK Account for Single Sign On via the Black App means it will also have to accept it via the main UC website – both because the app is at its core just a view onto a web page, and because it would be untenable to force people to only ever use the app if they first used the app.

As soon as the Black App is launched, absent formal monitoring and enforcement otherwise, any Department will be able to exploit the full range of sensors in any device on which it is installed. The delegated nature of services means the Home Office, DWP, et al. do not and will not need to ask for central permission; what the web view does will be entirely within their control, especially on Android where protections are weaker. 

Meeting whose needs?

An app satisfies the CDO / CDDO / CDIO / CDEI / EIEIO / etc. need for the perception of institutional simplicity. Commentary on Twitter suggests at least some civil servants have read ‘Seeing Like a State’, which illustrates and explains how Governments do things because they make Government’s job easier, rather than necessarily helping the people they claim to serve.

In this context, Zacka’s ‘When the State meets the Street’ should also be required reading, as the business GDS is getting into with the Black App is front line service delivery for all of Government, at a level far deeper than just “meet user needs*”. 

In terms of needs, both individual and institutional, and given so much time in public services is taken up by complex cases – those with past traumas causing current difficulties – what would a trauma-informed interface look like?

It’s unlikely to appear in the Black App, but it could well do somewhere else…

For more detail and background, see our core report, ‘Decoding the Algorithm and Data Choices in DWP’s Monster Factory’ and complete list of Annexes – of which these are most relevant: