As Our Future Health promotes itself ever more loudly and ever less clearly, this is medConfidential’s current view on the project, the commercial company that lurks within a charity, and promotes itself using the NHS logo. While our view may change as new information becomes available, we are concerned about the transparency and integrity of current public communications from Our Future Health Trading Ltd, and the scope for future changes.

If you don’t want to be involved, you don’t have to be, and you can just ignore Our Future Health (OFH) and any communications it sends. If you have already given them a DNA sample, there is a two step process for telling them to destroy the DNA they collected from you that begins on this page – do the “partial withdrawal” step on that page, and then email support@ourfuturehealth.org and state you wish a “full withdrawal”.

If you have (or even if you don’t have) questions about the transparency and integrity of OFH statements, we observe that their FAQ entry entitled “How can I leave the programme?” does not include the above link to the page that tells you how to leave their programme…

Whether you sign up or not is entirely a decision for you and your loved ones – handing over your DNA and NHS medical history to a commercial company to sell has consequences on those biologically related to you, and as OFH expands to access other government data about you, it will include information on those you live with, both now and in the past.

The UK has a non-commercial Biobank with clear governance whose governance failed under scrutiny, whereas OFH exists to help “kick start” the life sciences industry with a company selling access to data and a charity doing marketing and publicity for the company.

There is a historical analogy. In the 1990s, there were two competing “genome projects”: the Human Genome Project was supported by the public purse and committed to public knowledge; a private competitor – the ‘Venterpillar’ – tried to privatise the lot, and went bust. Sir John Bell helped the Human Genome Project succeed, but switched sides to capitalise on the “life sciences strategy” he wrote.

Shortly after they were not mentioned in the “growth package”, OFH’s communications suddenly changed to highlight they had now half a million volunteers… What does “volunteers” mean? Why did the count of “appointments where they give a blood sample primarily for DNA analysis” largely disappear?

In mid-2024, as OFH send out more bribes in junk mail letters, we note this talk at the RSA by Sir John Bell CH, Chair of Our Future Health, about their plans including drugs being injected at the discretion of DWP and the job centre without your GP (because of the “limited requirement for doctors”) on screen at 32:46

[This page was updated in June 2023 after the CEO resigned. A link to the opt out form was added in August, and a line was added in October 2023 when OFH started sending junk mail letters under an NHS logo, some of which offered a £10 shopping voucher (others did not). In December 2023 we added a line about risk scores. We will update the page again as new information becomes available.] 

The viability of the commercial company is unclear

Our Future Health has sent out around 10-12 million letters, and claim they have achieved half a million “volunteers”. At that signup rate, they cannot achieve the five million signups from the remaining population as required by their business plan. The consequences of this are unclear.

If you have a National Data Opt Out, you will not receive a letter addressed to you inviting you to sign up. You will still see all the adverts and the press coverage, and members of your family can still sign up and give a DNA sample which will relate to you as all DNA samples do. medConfidential understands (as of summer 2023) that OFH has not yet received approval to access NHS patient data, only to have addresses provided to a third party to invite people to sign up. In addition, OFH may also buy junk mail lists which contain your address, and may then send you a “Dear residents” letter as a result – this will not be addressed to you personally as they have no idea who the recipients are, only that an address might exist.

In 2024, OFH is wanting to create a ‘health risk score’ and place the burden on your GP to explain it to you. Replicating the decline of Zoe and other influencers towards selling “food supplements”, all of the incentives on OFH are to maximise that score while minimising their help and blaming the NHS for not doing more. Your doctor has professional obligations to you; OFH does not.

Here are our outstanding questions about Our Future Health which we don’t currently have reassuring (or, in some cases, any) answers to.

Questions For Individuals…

…about the signup process

1. Which organisations have reviewed the current signup process and language for accuracy and transparency and to see whether it is misleading about (not) being an NHS project (which it isn’t)?
2. If you don’t complete the process, at what stage does Our Future Health count you as a “volunteer” – the first time you click the first link? Is that inflating the “volunteer” count?
3. Why doesn’t Our Future Health confirm that no data you provide will be used to help your care directly? (Something may be found that is eventually used to help everyone with that condition, but it does not come back to you directly.) Why does some marketing material suggest that ‘OFH will help your health’? 
4. OFH does not currently offer rewards or incentives to sign up. Is this being changed? To be targeted at particular subgroups?

… about data

On the NHS confederation podcast, the new CEO of Our Future Health said:

“in the future, what we’d like to do is take consent to link to other records that the Government, and the Office of National Statistics for example, collect through the census, and other administrative databases”.

5. Will any NHS body review requests for NHS data by projects approved by OFH?
6. What data are currently proposed to be linked? How can that process change?
7. What data are being discussed for linkage in future? What choices will be offered to about inclusion?
   • Specifically, are there discussions to link to data that “Government” holds about children’s education history from pre-school to post-education employment?
   • What plans are there to link to DWP’s (benefits/pension) data?
   • Will staff from DfE / DWP / etc have access to the data on the same terms as others?
8. Do you know how consent for inclusion in the dataset can be withdrawn? What happens to data / samples held by OFH? Will they be destroyed?

Questions for Our Future Health

… about process

9. When did OFH last confirm that all of what they told IGARD and CAG previously remains accurate? Are they willing to publish those documents? (we published them below) 
10. Why did the CEO resign so abruptly in June 2023? Was it related to the sudden change in public communications around the same time?
11. When Our Future Health says “we will publish a list and summary of all approved studies on our website”, why is that less transparent and contains less detail than NHS England?
12. We include more quotes from the new CEO’s appearance on a podcast below, but how many of those “future” promises are delivered today?

… about business models

13. Can the company be sold to benefit the charity? (Just as Wellcome PLC was sold to benefit the Wellcome Trust, or as ancestry.com was bought by private equity…)
14. When the company runs out of cash and goes bust, which it probably will, what happens to the data? Who can buy the DNA records and other assets in a firesale? [December 2023: the £51m of public funds announced in the November budget should help with that]
15. Just as OFH is company owned by a charity, so was the creator of orkambi, who made decisions for the charity which proved extremely expensive to the NHS. Will any OFH success come at at the expense of NHS budgets?

Questions for public bodies

16. If there is a discovery that can improve the nation’s health, will Our Future Health (“charity”) keep it secret for profit, or it will become available on the NHS for everyone?
17. OFH is writing to everyone in the country; the vast majority are not signing up. Will OFH and associated projects be able to receive data on people who didn’t sign up using other methods?
18. OFH lauds the supportive comments they hear from stakeholders; are all stakeholders kept fully informed of changes to OFH since they gave that support? Have you been?
19. In light of the “broad consent” question / debacle with the vaccine taskforce, what happens if the “informed consent” that OFH collects turns out to be invalid?
20. What possibilities has OFH discussed for expanding data linkage to other areas of Government, such as DWP or DfE? Will an NHS body be expected to review all or any projects using NHS data?
    • Given the approach being taken by OFH, what are the consequences for similar data linkage in the rest of Government and ADRUK/HDRUK?
21. The Government’s “Data Protection and Digital Information Bill” (our briefing) removes penalties for misuse of data that is said to be “anonymous”, even if it isn’t. What are the consequences of that Bill on OFH’s customers and the promises it makes to “volunteers”?
22. Sir John Bell, founder and prime mover behind Our Future Health, got his CH recently. What questions would the Palace ask before William/George would sign up? What are the answers? Why isn’t that information available to everyone?

It does not seem unfair to describe Our Future Health as two steps away from offering a chocolate bar in return for DNA and lifetime data access. [October 2023 update: OFH is now offering some people – but not all – a £10 shopping voucher in return for their DNA and lifetime data access.]

Recent quotes

As part of Our Future Health’s publicity push, they appeared on the NHS Confederation podcast to promote themselves. Strangely, the new CEO didn’t mention that he was about to get that job, and instead said: 

“…what it [UK Biobank] didn’t do was to allow individual level feedback to participants or volunteers in the study and see what action they could take themselves to prevent those diseases. That’s what we’re trying to do with Our Future Health now. It’s a successor study to UK Biobank, those who take part will have the opportunity to get individual disease level feedback in the future…”

“As of today, we have 500,000 people have signed up… and about 200,000 have attended appointments where they give a blood sample primarily for DNA analysis, and also have some physical measurements taken…”

“…in the future, what we’d like to do is take consent to link to other records that the Government, and the Office of National Statistics for example, collect through the census, and other administrative databases…”

“We’re not just giving people information that cannot be acted upon, as that’s not good for them, neither physical nor mental health. Initially, we’ll feedback information on disease where there are existing programmes for them to be dealt with, so for example, diabetes, ischaemic heart disease, heart disease, we have the existing NHS health check programme for people aged 40-74. What the additional information will gather through OFH is people will have more accurate information about their disease which can be dealt with when they go for their health check. Additionally, diseases like breast cancer, where we have a screening programme, being able to identify women who are at higher risk of breast cancer based on their genetic risk who are not identified, so who are not part of the screening programme, that will have to be done in close coordination with the NHS screening programmes as well. The whole programme is being done in partnership with the NHS, but its implementation, once the research phase is over, the implementation phase is a key challenge which we are aware of.”

Addendum

Shortly after this page was first published, this FOI response came back:

Amendment 2

• CAG Application April 2023 ADDITIONAL INFORMATION.pdf
• CAG response regarding letter variant testing May 2023 FINAL.pdf
• CAG-Amendment-Application April 2023_FINAL1 redacted_Redacted.pdf
• CAGSF6-Annual-review-April 2023 – FINAL_Redacted.pdf
• Response to questions raised by CAG Amendment Application April 2023.pdf

Amendment 1

• 22CAG0051 CAG Amendment request Jan 2023_Redacted.pdf
• CAG 22AG0051 Our Future Health Amendment Application 9-11-22_Redacted.pdf
• CAG Amendment Application ADDENDUM on opt out and PPIE Feb 2023.pdf
• CAG response from Our Future Health 07032023.pdf
• CAG-Interim Amendment Application March 2023_Redacted.pdf
• NHS Digitrials invitation_V3.2_tracked.pdf
• [CLEAN] 3 Protocol V4.0 FINAL_15DEC2022_Redacted.pdf
• clarification on proportions_Redacted.pdf

Original request

• 22CAG0051 CAGSF1 CAT advice form OFH _FINAL.pdf
• 293316_21EE0016_(RTB)_Favou_Redacted.pdf
• 4372 OFH – Consent Form_June_print_Redacted.pdf
• Appendices 1-5 OFH Comm plan.pdf
• Appendix 7_Detailed Data Production Flow 1.1.pdf
• Appendix6.pdf
• CAG_RTB_Form_04Mar2022_signed_Redacted.pdf
• Data Protection Registration_Z8959110.pdf
• OFH – Ethics_Governance_Letter of Support_Redacted.pdf
• OFH_PIS_booklet_v1.1.pdf
• Protocol v3.2 _Redacted.pdf

When McKinsey was advising on the structure of the then “new” NHS England in 2013, McKinsey was simultaneously advising other clients how to take advantage of the structure they were recommending.

This year McKinsey won a £1m contract to advise on the structure of the (2023) “new NHS England” following the takeover of NHS Digital (and Health Education England). Presumably it continues to advise other clients how best to take advantage of those new structures, and past practice suggests McKinsey will be paid more money by others to subvert the model they proposed.

McKinsey doesn’t talk about their clients, but sometimes they are forced to by courts. One such client was IMS Health, which was set up to be the “information intermediary” between doctors and the makers of oxycontin, the drug whose sales practices were partially responsible for the opioid epidemic in the US, and which still operates in the UK (under the current brand of “IQVIA”) doing much the same thing as they have done before.

Does NHS England know who McKinsey’s other clients are? Does NHS England know whether they’ll benefit from knowing McKinsey’s advice to NHS England? Does NHS England know whether McKinsey advice was written in a way which might help those other clients? 

The ongoing trade in NHS information

NHS England is both a consumer of data via their analytics, and a producer of data for themselves and others. McKinsey’s report should have recognised this conflict of interest, and potentially managed it in better than the usual way (either of McKinsey or NHS England). The functions of the data safe haven, which should be to hold data, be accountable for what data is used and how, and offer multiple environments in which it can be analysed, should be transparently separated from the functions of the analysts who consume data they need to do their work.

Realisation will creep across NHS England that the data they hold is now almost all identifiable patient data, as they have the Personal Demographics Service, identifiable copies of HES, and the ability to match across different datasets on fields which they take no steps to protect. 

Indeed, Palantir is very proud of the fact that it offers exactly that functionality to clients, and Palantir never ceases to point out that whether any functionality is used is purely a choice of their client – it’s up to NHS England and the government of the day. Of course, not everyone at NHS England is racist and incompetent, but there are informed individuals with legitimate fears that someone elsewhere in the organisation is doing something stupid with the identifiable patient data that NHS England now hold; and they’re probably right.

McKinsey and Palantir aside, there’s a different contract with our old friends at PA Consulting for implementing the recommended changes, PA Consulting being the company who agreed in contract not to upload a lot of data to google’s cloud, and then did so anyway.

NHS England is not a data literate organisation

The new NHS England is not (yet) a data literate organisation – you only need to look at the difference between NHS Digital’s board papers, full of numbers, RAG ratings and trajectories of change over time, and the NHS England’s board papers, of essays which contain the minimal numbers. The old NHS Digital showed what it really was, whereas NHS England describes what it thinks something will be, with enough people commenting on drafts that anything interesting will be taken out.

Insight into flows of data between NHS Digital and NHS England disappeared when NHS Digital got abolished. We were expecting NHS England to restore that transparency by publishing their “internal data flow records” this week; they didn’t.

If the new model goes as expected, McKinsey may advertise a case study of the leadership of Tim Ferris, epitomised by his monologue to the first post-takeover NHS England Board meeting. “Taking the paper as read”, he then talks through it, (probably correctly) knowing that even this superficial detail was below the attention of the board. The integrity of his examples is clear from his anecdote about the value of the NHS App, delegated access, and his kids’ records.

It is possible that the papers of the digital subcommittee of NHS England’s board (which takes over the oversight role that used to be managed in public by NHS Digital’s board) will have such information, but none of it will be public.

After all, the structure of the “new NHS England” data functions will be reflective of the late-but-still-forthcoming statutory guidance for data functions in NHS England, which should have been in place before the merger happened. They weren’t, and still aren’t.

Is McKinsey’s “rightsizing” recommendation to get rid of experts who know something?

Professor Mazzucato’s recent book on consultants and consultancies explains how the choices and outsourcing of key work results in a hollowing out of Government, and a brain drain that makes them ever more dependent on ever more consultants. 

The opening chapter of the McKinsey book covers how those with the most experience are let go as McKinsey helps “rightsize” organisations, and the deaths that resulted from those choices. As McKinsey give the same advice over and over again, did they do something new this time?

Large consultancies only offer solutions which involve some future role for large consultancies. Approaches like Reproducible Analytical Pipelines, which are cheaper and more effective for all kinds of analysis, get deprioritised by the consultancy world as there’s little consulting money from that approach. 

Consultants everywhere, so how long until the NHS spend around Palantir costs more than the NPfIT? The currently published £480m tender only includes NHS England’s role, and NHS England is increasingly saying that Trusts, ICSs, GPs, and others will be expected to shoulder their own burdens for interacting with the system, and the way to minimise those costs is to pay Palantir more money, because interaction between Palantir and other systems is still manual (and will be unless a Trust cedes decision making to NHS England, importing the US model with NHS England acting as the insurer and decision maker rationing care).

We started our response to the current GDS consultation with an unanswered question: “Has Gov.UK ‘One Login’ metastasized from a “better login to government” project, to a “one identity to government” project?” The answer appears to be yes.

A recent meeting held during the consultation was told that the Government intent is to actively prevent individuals from having multiple Login accounts. A person may be able to have multiple email addresses – indeed, they may already do –  but Government would attach them to a single “identity”. This regulation allows that database to be shared in bulk.

This turns Login into a weapon of the database state that HMG has previously assured many times that it was not building. Were civil society lied to? Or has Cabinet Office changed its position without bothering to tell anyone?

At a roundtable on the consultation, GDS said about the Regulation that the “first use is one login”, which suggests there will be a second use. It is unclear to what extent DWP embrace one Login for Government for UC, or HMRC’s accountant services, or MoJ’s digital courts, or … Requiring judges or accountants to use their work identity for personal purposes seems an odd thing to do without consulting MoJ/HMRC.

Identities are multi–faceted

Indeed, many of the civil servants reading this will have a “work phone” as well as their own (personal) phone, and use separate work and home email addresses (as they should).

Some users of government services are required by regulatory bodies to use work email addresses, and while the left hand of GDS could require them to route personal use through their work address, the right hand of HMRC/MoJ/etc would tell them not to.

In practice, there will be “many to many” mappings as people are complex (consider an accountant who is also a magistrate and uses their maiden name for some things), and GDS will be unable to keep the “one account” promise to departments. 

Departments will have to assume that individuals will have the ability to have multiple logins (because they do, they will do, and will continue to do so), and can manage that if they know; whether GDS also adds burdens on citizens is something they can choose to impose.

Any attempt to deny this is the database state of the most naïve form.

This database will require people to have a working email and phone number

The GDS account creation process requires both a working email address and an active phone number to login. If you are missing either of them, then no access for you – and they have to work to login each time. 

GDS originally chose to require a UK phone number for refugees fleeing Ukraine who wanted to come to Britain to receive an update by email when the rules changed (since those people by definition were not in the UK, it was blatantly unreasonable to require them to have a UK phone number, which GDS refused to accept in private, and only updated the process after questions were asked in Parliament). GDS also required a UK phone number for Afghanistan refugees seeking email updates on how to come to the UK, but that group are still excluded. The current Government simply didn’t care enough to help that group.

GDS expects everyone to have an account over time, and therefore for this to become a full population database, consisting of verified ID, plus mandatory email and mandatory mobile phone number, whose only statutory basis is this Regulation. 

Creating a big database and taking unrestricted powers to share it 

To avoid digital disengagement for identity verification, we understand Government are expecting to have an “offline” process, which will store a set of identities to avoid offline revalidation each time, and that this caching would be equivalent to the digital system, which suggests that all identity data will be retained by GDS for an unclear period of time. 

The surprise, late and incomplete disclosure of this new identity database in Government raises some additional questions about the sharing of the identity information possible under the power being consulted upon:

1. How long will “verified” identity information be held by GDS after verification?
2. How often will someone with a 10 year passport have to revalidate? Does it change for a driver’s licence?
3. For what purposes does GDS currently believe it will use the database it creates?
4. This consultation proposes allowing the entire database to be shared, in bulk, to almost anywhere in Government for any purpose; why?
5. Was anyone outside Government shown this policy before this consultation?

It appears that GDS simply made the decision for itself, with no informed input or discussion with civil society. That relevant information was withheld until after the consultation had opened reflects how recent engagement with PCAG/PIAF could be considered less than “lipservice”.

In some meetings, supposedly informed speakers have demonstrated a clear need to be reminded of the importance of the PCAG principles, and why they’re there, most notably the multiplicity principle where users with multiple identities – such as a work email address and a home email address – may use both without Government requiring them to connect the two. 

This week’s joint Blair/Hague handwaving is emblematic of a Regulation allowing Government to use and share ID databases however it wishes, without democratic restriction, oversight, or transparency, which ends badly.

Documents:

• Consultation response (submitted on 26/2) –if you have read the above text, see footnote 13.

Addendum 24/2: Some in Government apparently read our final link as suggesting that the HMG decisions on identity in and after 2023 will reflect the policies and practices of the Taliban, rather than as an illustration of the entirely foreseen consequence of HMG decisions from 2003 to 2021. This unexpected choice of affiliation may say more about the reader than the authors.

NHS England’s staff probably shouldn’t describe their “Federated Data Platform” in meetings as “The Palantir Procurement”, but they do, which is helpful as it makes understanding what they’re doing easier (why they’re doing it will be in a different post).

The tension at the core of the Palantir procurement is something like this:

If there’s a new pandemic (wave), NHSE feel they need to be ready, and so feel they need all the capabilities Palantir advertise, but that capacity must be permanently available in case Palantir’s statements about how quickly it can be set up are untrue.

They’re not entirely wrong, but those aren’t the only choices.

NHS England came under great pressure in the pandemic, and will spend any amount of money to avoid ever feeling like that again. That is true more widely – NHS England’s middle management will spend any amount of money to avoid feeling bad every so often, especially if it gets things for them, not the hospitals, GPs, and others who actually provide care every day.

£480 million for another way to build Reproducible Analytic Pipelines seems… excessive. Especially compared to all the other environments (which cost closer to £480k).

As we say in one of the twitter threads, there’s no coherent narrative in the tender to argue against, so here’s one thread on one question, and a link to more below.

What is that money being spent on?

Branding and ads? There’s no narrative in this tender, it’s a collection of things NHS England’s data team has been asked to do, with a massive cheque attached.

Despite the narrative, we can look at the purposes named in the (CPV) categories for the tender: 

• 30211300 – Computer platforms
• 72000000 – IT services: consulting, software development, Internet and support
• 48610000 – Database systems
• 72322000 – Data management services
• 48612000 – Database-management system
• 48613000 – Electronic data management (EDM)
• 72317000 – Data storage services
• 72319000 – Data supply services
• 72310000 – Data-processing services

No healthcare, no logistics, no doctors, no patients, just data processing. 

But then we look at the initial uses:

NHS England also proposes to run parts of the NHS logistics system off Palantir – NHS England is not responsible for logistics, it just wants more dashboards. Dashboards are reasonable for managers who don’t deliver anything, but the full table excludes logistics experts from bidding on a logistics system. Why?

NHS England proposes to run virtual wards out of Palantir. NHS England doesn’t currently run any wards (those are run by your hospital), but it wants all the functions as if it did? Will care go from your hospital to the national funding body that is NHS England? Will this EPR be accredited? Will NHSE be inspected by CQC?

It makes no sense at all to glue together the logistics system for vaccines with the patient records for inpatients, but that is what NHS England data team wishes to do. All of the discussion about interoperability doesn’t seem to extend to their procured hospital EPR functions connecting to their procured logistics functions.

When drawing the interoperability diagrams, why isn’t logistics in here like the EPR functions? Why have only one system other than the historical artifact of incumbency? 

There is no reason that these are in the same procurement bucket – there are many EPRs, and many logistics systems available, but how many companies offer both to the level that can match the incumbent supplier? Given the massive expense being incurred, one hopes they would at least ask for most-favoured-nation on pricing and features.

It will be difficult – when trying to cover up the proprietary terms that were papered over in some places, but missed in others. The term “PBAC” is defined as “Policy Based Access Control (PBAC) model” in one place, then also referred to as a “purpose based access Control” elsewhere, which just happens to be the Palantir  brand name for that exact functionality.

The Palantir PBAC functionality is good, but it’s only useful if it’s used, and it can only be seen as trusted, in the TRE sense of the term, if it’s transparent. This is merely an incompetent coverup. Meeting the minimal legal obligations to the public will not be enough, and is not enough if you wish public confidence in your actions..

It’s unclear whether “data cleansing” and “data enrichment” can be done via API access alone. Which means there will be copies of data made, and one of the forthcoming twitter threads will show just how much data needs to be copied (what it comes down to is: everything). How many copies of data will each tender respondent create? How will patients be told when these extra copies leak? Because sooner or later, they always do.

Palantir’s entire operating model is sucking data out of other databases into their own systems – that was a choice on their part, and continues to be a design choice on their part, and it doesn’t have to happen. Tender respondents could create their tables and do cleansing in their own tables within the data controller’s existing database systems – it would add some complexity for contractors, with the benefit to the NHS that there would be no copies created outside of existing systems.

NHS England claims it has no obligations to move forward beyond this prospectus, which seems politically untenable given all the work that has gone into it. However, whether there are enough respondents who can respond to a big unique prospectus like this is unclear. NHS England has banned the GP IT suppliers from responding – those suppliers would avoid the highest risk consequence of this tender: the need to copy much data (they already have almost all of it).

It’s not a good tender, but it’s also the best you can get when you mix up NHS England’s sociopathic micromanaging with blame culture and the fear of anything they don’t absolutely control, and say to the data team, you’re now responsible, it’ll be your fault.

So the data team went to the market, showed the mess, and asked for ideas, which are all phenomenally expensive as NHS England want the headline contact to transfer all the mess onto the successful bidder, who in the small print will shift it all back again. 

Data is not the problem. Analytics aren’t the problem. Analysts could do all the legitimate analytics they wanted in any one of the Reproducible Analytical Pipeline environments that NHS (both opensafely and NHSD’s TRE), ONS, HMRC, or others use, but in all of those existing, functional, working environments, they have to write down what it is they want to do, and then the analytics get run; the appetite for that currently seems to be zero because of the obligation and necessity of writing it down.

We hope OpenSAFELY continues to exist after the current temporary extension ends in a couple of months – the scope of that existence will show the desire for modern ways of working and trustworthy analysis environments. But no one ever got fired for buying IBM Palantir, and the momentum for budgetary excess that comes with it. 

We have a twitter thread of threads about the tender which starts here, and will probably be more specific and more up to date as things evolve. As we write more documents on the tender, we’ll talk about them in twitter threads or future blog posts, and they should also appear here:

• Implementing RAPs for less than half a billion pounds (22 January)
• Our thread of 10 twitter threads (20-27th January)

(a line that was unclear was clarified on 23rd Jan)

The Goldacre Review is a road map; it is also much more. In many ways it represents an alternative world view to that which is currently being built in ways that have failed at least three times before – not through any lack of political will or even resources, but through a failure of vision.

The choice now facing the country is whether the NHS will fully embrace and build a data infrastructure – which as the Review points out is “code and people with skills”, not beige or black boxes – that is open, collaborative and reproducible or whether, some honourable exceptions aside, it will persist with the status quo of closed, secretive and exploitative data use. 

A DHSC-commissioned Review has stated that the dissemination of pseudonymised (i.e. linked and/or linkable, individual-level) patient data is dangerous; something the Government itself acknowledged in Parliament last summer, which this Review has now confirmed.

Professor Goldacre says this is not a “new emergency” – indeed, the practice is endemic – but he is also very clear as to why alarm lights should be flashing. His Review details many of the specifics on pages 85-93.

This is a review of institutional processes, and while it recognises that critical patient-facing aspects of NHS data are damaged and/or unfit for purpose, the Review correctly notes that this is not the place to try to fix them. The NHS has to get its own data house in order before going back to the public. 

The success of a review such as this can only be measured by the things that change in the real world as a consequence. Will the research community, the institutions that claim to lead and support that community, and other institutional and corporate users of data now make the necessary changes with the levers available to them?

Open ways of working

The Review describes how open ways of working can be trustworthy and, more importantly, how they can work – but no review can mandate delivery. Nor does it dictate policy.

For example, DHSC has long attempted to “ban” “exclusive” data deals – which the Goldacre Review repeats as expected, while dancing around business models – but both miss the point. Those seeking to use NHS data rarely if ever do so on an “exclusive” basis, not least because it is in the nature of data to be non-rivalrous. What they seek is exclusive control of the insights generated from that data, which contracts entered into by NHS bodies repeatedly sign away.

An “exclusive” deal for data would in practice be harmful only in the context of a single data controller. Even were one hospital to sign up to such “exclusivity” – which as far as we know, none have – then the hospital down the road clearly would not, and should not, be constrained by that exclusivity.

Following previous messes involving, amongst others, Google DeepMind and Sensyne Health plc – none of which prevented those Trusts from cutting other deals with different companies – DHSC told Trusts not to sign ‘naive’ and ‘unsophisticated’ patient data deals and set up the “Centre for Data Expertise”, which has ever since been looking for something to do. The principles of the Goldacre Review should become the core task of that centre – since renamed the “Centre for Improving Data Collaboration” – that is, to assist and guide NHS bodies that are willing to implement open ways of working and the sharing of both code and outputs. 

Those who do not wish to modernise, whether they be NHS bodies or HDR UK, can sit on the sidelines and continue to waste public resources they have been given. The Centre, meanwhile, should help those who agree with the Review to implement it faster – including whatever DHSC and NHSEx commissions, and whatever the Service Transformation Directorate prioritises. That assistance should include supporting those who can already build better tools, not just favoured suppliers.

Just as HDIS was for the HES data, there should be similar arrangements for ICSs/ICBs and other geographies so that organisations can see the data they need to see. Some of these views will be from care providers / provider level, and some from higher level aggregators – with commissioners being able to see both the different models for their area, and the models for different interventions. 

The abolition of PHE and the move of some public health functions to the NHS should help ease historic turf wars. That this would be useful is demonstrated by the answer to the question, “Is there a public URL where anyone can see, for known defined geographic areas (councils, ICBs, etc.), the current top health issues in those areas, compared with areas nearby?”  (The closest answer to which appears to be one blogpost.)

That PHE was unable to publish NHS health measures at the level of CCGs – i.e. where the decisions were made – was not entirely its own fault, but it was never able to do so. In the more open culture of academia, we got openPrescribing for GP prescribing, but even that was limited as it wasn’t able to cover the £7.5 billion spent on hospital medicines.

Safe(r) ways of working

The Review’s call to apply different approval processes according to different data risks is far from unprecedented; ONS has been doing this for many years, for different datasets of different types. This approach has not previously been applied in the NHS, not least because of the acknowledged excessively high risk of giving out full raw datasets to anyone who wants them.

NHS Digital also operates under different constraints, in a different data culture. So while ONS is able to reject access to people it is not assured will follow the rules, NHSD is obliged to supply data to other public bodies which may make their own assurance decisions about their own suppliers, and where governance sanctions are practically non-existent.

There is also something of an obsession with “100%” health datasets, when those producing reliable national statistics know that ‘full coverage’ – such as with the census – is to all intents and purposes the same as a health dataset that has removed the records of every patient who has made a National Data Opt-Out. Indeed, even if NDOO was applied to GP data or hospital data, the remaining data would still have coverage greater than the census.

The suggestion of a ‘one stop’ approval shop is attractive to those who want to water down governance. IGARD and PAG (the BMA and RCGP’s ‘Professional Advisory Group’) have largely worked for GP data, but not entirely – in particular when NHS England “forgot” to inform them of various actions. While a group like PAG minimises the need for every GP to review centralised data extractions and access themselves, the basic principle that any data controller can ‘pull the plug’ is what keeps other parties honest – especially those whose strategic interests mean they are less than completely transparent.

TRE ‘wrappers’

The ONS ‘Five Safes’ model relies on the fact that everyone who comes into the safe setting is already within a trust boundary. Its own processes show that the NHS cannot and does not trust all of the people who would access data, and yet it has to give them data that is intrinsically unsafe. 

That NHS England trusts NHS England may be obvious; that’s not to say it is entirely wise. And NHSE’s ‘gatekeeping’ of data research post-merger will likely result in more limitations and rejections of bona fide research, given that in more than a few instances it is likely NHSE won’t like the answers…

Seeing which way the wind is blowing, meanwhile, HDR UK is shovelling money into “sprints” to discover ‘new tech’ for TREs. Its call is flawed and seems designed to to funnel money to incumbents. (That HDR UK wastes UKRI / MRC / ESRC / public funds is not our primary issue of concern. This does matter to all our research friends – but whether the 250+ who signed HDR’s open letter on research access to GP data last summer knew this was what they were signing up to is unclear. HDR did tell them… right?)

HDR UK was designed to build infrastructure. It has failed, and NHS England plans show that the NHS will be the reliable infrastructure provider for NHS data. On UKRI’s proposed budget allocation, MRC / HDR cannot currently afford to continue funding all of the hubs listed in the slide in its latest presentation. 

In reality, HDR UK has no framework to maintain infrastructure; it doesn’t know how to build infrastructure that people wish to use; and it doesn’t have any control over the data that can be used. No research programme can have lasting confidence in any research infrastructure provided by HDR or the hubs, for the simple reason that they have defined funding periods and cannot make commitments beyond those periods.

What happens to the next iteration of Farr / HDR UK is up for debate, and we have suggestions of where to start – but whatever it is must be much smaller than the 100+ people at HDR HQ, currently draining resources away from research.

While everyone tries defining “TRE” to mean what they want it to mean, a  number of likely models are emerging:

• NHS England: addicted to its COPI powers, Palantir Foundry and dashboards; it may or may not commission its quarter-billion pound ‘Federated Data Platform’ from Palantir – but even if it doesn’t, will this historically closed platform (also) be NHSE’s ‘Planning TRE’? (Noting that, if it does plump for Palantir, NHSE will have the capability to automatically produce Personalised Data Usage Reports for every administrative use of NHS patients’ data by NHSE…)

• OpenSAFELY: currently operating under COPI powers, NHSE’s data controllership and CMO sign-off; a ‘table server’, not a remote-desktop-style setting – but nonetheless a scaleable, safe way to produce non-disclosive results from specified, approved queries run on data in situ. (Could be used almost immediately to reduce burden on other stretched systems, but NHSE is refusing to make any policy decision until it has decided whether to ‘go / no go’ on Palantir.)

• NHS Digital: has a functioning TRE in which COVID and cancer research is already being done. This TRE is sustainable, its scaling up was funded in March 2022 (amount unknown), and it replicates the ONS model which has been proven to work for researchers and analysts, and whose statistical outputs inform policy and decision makers for years.

• HDR UK: acknowledges it doesn’t have a TRE, but pays to use others’ – mostly NHS Digital’s.

• DHSC / UKHSA’s ‘EDGE’ (now ‘eDAP’?): is described as “near critical national infrastructure” in its tenders, though I bet you’ve never heard of it. It’s not for direct care, so what it does clearly falls under the ‘Research and Planning’ (i.e. secondary) uses about which patients have choices.

• ONS has the Secure Research Service, which already handles mortality data; there’s SHIP eDRIS in Scotland, and SAIL in Wales; Genomics England Ltd does genomic data; and there’s a proposed National Imaging TRE for training AI models…

Delivering the future

The Goldacre Review recognises, channelling Baroness Onora O’Neill, that the key to the future of health data is trustworthiness.

The merger takeover of the statutorily independent safe haven by NHS England will place the obligations on the public body that is NHS Digital onto NHS England. Some of those obligations are related to use of particular powers, some apply to the public body itself.

DHSC has thus far refused to produce a Keeling Schedule of how Part 9 of HSCA 2012 will look in the statute books when “the Information Centre” is replaced with “NHS England” – we assume because they’ve done the same work we have, and realise how ridiculous it looks. We look forward to seeing how Ministers’ statements at the despatch box will be implemented, if indeed they are even implementable.

NHS England does its own thing because its main job is to ensure there is always someone to blame other than DH and the Secretary of State. DHSC and NHSEx’s shared vision appears limited to “abolish NHS Digital, buy Palantir”, maintaining and expanding closed, secretive and exploitative data use that is not clearly in the public interest. 

This latest ‘transformation’ is not just a technical process or platform ‘upgrade’; it’s all about trust and the relationship between a modern, data-competent, data-functional NHS and the people it exists to serve – not the system itself.

We have plenty of evidence on the way officials convince themselves their last mistake was due to factors beyond their control. How they fail to learn lessons, and gradually walk themselves (and others) around in a circle to a new justification of the same old bad decision, with exactly the same goals.

This time, we have to do better.

“No one down here but the NHS’s most unwanted?”

Twitter exhaust suggests the cohort of tech-backgrounds who came into the NHS via NHSX have discovered ‘Seeing Like A State’, and may even be beginning to understand (a little of) why NHSX could not succeed. 

Some of the more advanced thinkers may have found Zacka’s ‘When the State Meets the Street’, a tech view of service delivery and moral agency. Moral agency in practice means realising that while those working on AI in NHSX may themselves be well meaning, the DHSC AI lab will always do things that are important to DHSC; that service design at NHS England will always prioritise things that are important to NHS England – and that patients and the NHS frontline lose in both scenarios.

The first Goldacre Review says the data risks are not a “new emergency”, but anyone who reads it will understand why alarm lights should already be flashing. It is likely that ‘Goldacre2’ will have to pick up the pieces where this Review went undelivered, and where the unevidenced assertion of a lack of urgency may have turned out to be overly optimistic.

The success (or not) of Goldacre1 will be measured in the Terms of Reference for Goldacre2.

No-one goes to work in the morning to be transformed; those who go to work to help people especially not. Matt Hancock appeared to understand this when he came up with the idea of an NHSX ‘with vision’, in ways that NHS England clearly didn’t when setting up the (National Health) Service Transformation Directorate – which in many ways is still Hancock’s Service Transformation Directorate, albeit without as much interest from political leadership. 

No longer named like the popular TV show from Matt Hancock’s youth, the STD risks replicating Mulder’s opening line from the X-Files. Goldacre1 could actually make it useful. It’s a vision thing.

Coverage of flying saucers and Nessie largely went away once we got good camera phones; data headlines should go away when the NHS gets open methods and reproducible analytics, all running in TREs. Any dashboard needed at any level of the system can be run that way.

The NHS is currently making a choice – or, more accurately, appears to be trying to rationalise choices it has already made – between investing in genuinely open, collaborative and reproducible data for planning and research, as laid out by the Goldacre Review, or persisting and spreading the status quo of closed, secretive and exploitative data use that is so toxic to trust.

Which is not what anyone wants.

Enc docs:

• Anecdata on Digital disengagement 
• Centre for Data Expertise getting unstuck
• DARS, RAPs and TREs [forthcoming]
• GP Payments
• The ONS data analogies
• What should replace HDRUK for the next funding round?
• Sovereign Health Funds

Each December we look at the year’s progress towards telling patients how data about them is used (from 2014 … 2020).

Good TREs Work, and good Trusted Research Environments are working. The remaining hold-outs are those whose ideology requires data to be copied in the shadows, avoiding both transparency and accountability.

All dissemination of linked patient-level data is unsafe, but some is self-evidently more dangerous than others – such as organisations receiving the same data for the same people for the same month, one set with opt-outs applied and one without opt-outs applied. We have ‘red flagged’ such organisations on TheySoldItAnyway.com, and they should be required to use the TRE for all future projects that need data each month.

Data recipients like these pose an unjustifiably high, systemic risk – especially when it has been shown that Good TREs Work.

2021, and what’s next? 

GP Data for Planning and Research (GPDPR) collection is paused until NHS Digital’s TRE is working for all GP data, which it is not yet in a position to deliver. While Good TREs Work, NHS Digital has not yet delivered a TRE which is as good for everyone as the Secretary of State has committed them to doing – and as NHS England is actively undermining it from doing.

GP data cannot be collected until access is TRE-only, and there’s still quite some way to go on that. We would include details of how long that is likely to be, but NHS Digital does not publish the data that would allow that figure to be worked out.

The Goldacre Review should have been out by now – it is still due ‘soon’ – and in data terms it is expected to be largely uncontroversial. The handling practices of both GP and Hospital data have been dangerous for decades, but they can and must be reformed.

Hopefully NHSX, NHSD and NHSE will finally recognise that danger, and what the 2021 ICO Code of Practice on Data Sharing, (UK) GDPR and the 2018 Data Protection Act all say – that dissemination of highly detailed, sensitive personal data on the entire population of England can result in re-identification, including through the event dates that are entirely unprotected in the datasets. Continued denial of this danger will result in NHS patients being identified, as happened in Australia. 

For 2022, we have updated the data usage report mock-up we first drafted in 2014. 

The most noticeable changes in the report are the organisational names and logos, but the principles of consensual, safe, and transparent data handling remain. All data handling by NHS bodies could be transparent, and the data uses register format NHS Digital moved to in 2021 is an improvement – but bodies like NHS England, for example, still choose not to say how its COVID-19 Data Store was helpful in the pandemic.

With only twenty projects admitted to by NHSE, the panoply of missteps that occurred in the pandemic seems less surprising – if no less shocking – and there’s no published evidence of any value in Palantir Foundry at all. (We go into more detail on this in the available next steps to Data Usage Reports (2021).)

AI and data governance

As AI moves out of DHSC and the civil service into the “real” NHS, it will have to justify the budget and resources it has been given. Though there is a point in time in the history of everything that works when it didn’t work, there is never a point at which those things that don’t work did, no matter how much money was spent.

The AI strategy will re-emerge at some point, and NHS England will get to reconsider it. Our straightforward advice is this: one third the length, one third the budget, and three times the vision. Under NHSX, things have gone in the opposite direction…

DHSC and corporate interests are not the same as doctor’s interests or patient interests. Not even close. Recognising the AI advisory and former No10 Chief of Staff’s view of international agreements – that subterfuge and double-dealing are legitimate between parties – every supplier to the NHS should be required to provide a “datasheet for datasets” for every dataset it was trained on (and to check all the IG) so as to stop ‘data shortcuts’ being profitable.

Public and professional unease around both genomic data and AI is not limited to data governance. That Genomics England handles data safely does not eliminate concerns around how it may be used, e.g. for newborn baby screening. Just because something can be done with data, and can even be done safely, does not mean that it should be done at all.

COPI renewal – choosing a better timing cycle

COPI remains in force, and it is unlikely that DHSC will be able to make a good decision on renewal in any February or August. The March and September dates are simply a legacy of when the pandemic started and a 6-month renewal. This being the case, if HMG believes the pandemic really is ending, the next COPI extension should be for just three months – which would also put things onto a more reasonable cycle of making decisions before and after winter, not in the middle of it, should another variant emerge. 

Will they ever learn?

In the context of the Government’s “new direction” on data that will make it harder for people to understand what is being done with their data, and easier for companies and authorities to use it beyond people’s expectations, NHS England’s hostile takeover of NHS Digital means all of these risks and responsibilities will become theirs.

The public may have been generally confused by who and what NHS Digital is – a symptom of what the Wade-Gery Review referred to as ‘split responsibilities’ and a ‘fragmented’ landscape – but everyone can understand that the institution Directed by Government that is NHS England is neither your doctor’s friend, nor yours.

In 2014, NHS England blamed the Health and Social Care Information Centre for its own care.data debacle, requiring HSCIC to cede more control, have an NHS England Board chair, and an organisational rename to NHS Digital – which is precisely who NHS England and NHSX (i.e. NHSE + DHSC) now blame for the collapse of GPDPR in the summer of 2021, a programme over which they had final say. Clearly no-one learned the lesson the architect of care.data was forced to, seven years ago: “We do not subscribe to artificial deadlines here – we will roll it out nationally only when we are sure the process is right.”

DHSC’s commitment to TRE-only can be delivered, and NHS Digital has started to deliver it – with 125+ organisations using some form of NHS Digital “system access”, according to its release register.

Trust requires transparency

The risks and issues around Hospital data and those of GP data are by and large the same. And in medConfidential’s dealings with NHS Digital / HSCIC over the past decade it has always been clear that hoped-for improvement was not just possible but eminently feasible. Yet, despite this, progress towards a TRE for all secondary uses of patients’ data and personalised data usage reports for each patient has been minimal, at best in only minor increments. 

Lack of progress has in large part been due to DHSC disinterest, lack of adequate resourcing, and the outright intransigence and active kneecapping of positive intentions by NHS England. The evasions and lack of transparency around NHS England’s COVID-19 Data Store only highlights its culture of secrecy and contempt, suggesting a new corporate attitude and approach will be absolutely essential should NHS England come to govern all patient data in the English NHS. 

NHS England’s fear of transparency and accountability are not necessarily irrational, however. Senior officials know what they and their NHS England colleagues already do with data, and clearly believe it would not stand up to public scrutiny – issues that Baroness Harding will know from experience have very real consequences. Is it really true that during the entire pandemic, with the unprecedented amount of health data it hoovered up under extraordinary powers, only 20 projects used the tens of millions of NHS patients’ data in NHS England’s COVID-19 Data Store? 

If it persists in the absence of good governance that characterises its handling of our data, and with its favoured scapegoat no longer available to blame, NHS England may in the next act be exposed as the true cause for data despair.

---

Enc:

ONS analogies with NHS Digital datasets

Data Usage Report (2021) example

Available next steps for Data Usage Reporting (2021)

When DHSC specified the NHS App’s features, it was was a near-certainty that GDS would (eventually) copy the game plan: a cross-GOV.UK app – a webview onto existing GOV.UK information and services – being almost inevitable due to the machinations, and lack thereof, by Whitehall Departments.

Unsurprisingly, in the closing weeks of a spending review, with new digital management, and after a crisis in which such an app probably wouldn’t have made much difference, but in a world where HMG wants to own vaccine certificates, and NHSX(etc) very much wishes not to, the GOV.UK ‘black’ app was announced.

The approach being taken will in all likelihood dissolve the ‘hard boundary’ between the NHS and government – but, of course, do nothing to actually help social care where that boundary is already blurry…

A GOV.UK app won’t provide anything an online GOV.UK service doesn’t do already – or will do, by the time you are ‘nudged’ to use it – but it will give the Cabinet Office new and greater powers over other Departmental services. And with these new powers will come (some) new responsibilities, such as for the hostile decisions Departments make in their own narrow interests (which our work elsewhere has found widely: e.g. 1A, 2A, 4D, 4E, 5E, 5J, 5L).

On the one hand, GDS’s excuse of “It’s not our service” will cease to be sustainable; on the other, the “One Login” for the (whole of) GOV.UK will give it a stick with which to rein in the worst of the Home Office / DWP digital divide…

Will the dark arts permeate the Black App? And since the answer is yes, where?

Cross-service tracking and analytics

The introduction of cross-service tracking and web analytics will allow unprecedented monitoring and investigation of causality and consequences, such as:

• Does being sanctioned cause you to look up food banks?
• How many people do that in the app each week?

Even if it chooses not to publish the statistics – as it really should for public services, paid for by public money, serving members of the public – civil society will be able to FOI official Government analytics to show how harmful a policy is, down to specific constituency level…

Also, when one service accessed via the Black App asks about a vulnerability, and when there is a ‘single view of Government’ via the app, will the legal position be that “all” of Government should then know about it?

• Will DVLA be permitted to maintain institutional ignorance?
• Will DWP?
• What about where one Department accepts a UK resident is a victim of modern slavery, but another Department on the next screen refuses to believe it?
• What about Settled Status? 

Where will the balance of benefits between the citizen and state lie?

As Richard Pope highlighted in his investigation of the systems of Universal Credit, “are the advantages of digitisation being shared fairly”, or will Government’s focus on automation once again prioritise its own ‘efficiencies’ over those of the public – offering no substantive benefit to citizens beyond “Look, it’s an app!”.

User-hostile design choices

Typical of the world view of many we deal with, Home Office front line officers have demanded to see the e-mail that the Home Office itself sends out about Settled Status as “proof” of people’s Settled Status. Yet that e-mail clearly states that it and the letter attached to it are not proof of status.

We revisited the Settled Status scheme, where refusal to provide offline alternatives to a ‘digital first’ service is causing widespread difficulties, distress and discrimination – which could be avoided by something as simple as recognising paper credentials, which is the way Home Office officials appear to be treating the letter from Home Office in any case. Initiatives such as the ‘COVID Pass’ in the NHS App have demonstrated it is entirely feasible to provide a signed credential for people to hold on their phone at high volume events.

Of course, such user-hostile choices are not just made by the Home Office but across Government.

Those who encounter the greatest burden in one place will face it in many (Annex 2 and 2A). At some point, someone will have justified adding each one of the different procedural burdens that we list in Annex 5; sometimes those justifications may even have made sense. But some of those justifications will have included a Departmental assumption that it is the role and function of citizens and service users to satisfy the whims of the Department…

That those who encounter the greatest burden in one place face it in many is one reason we focused on parents of newborns in Annex 7: “Baby then bureaucracy – the paperwork of new parenthood”, where one would think (or at least hope!) that the policy intent would be closer to, “We’re keen to help, we just need to check a few things first”.

The choice of permissions for Geolocation

While many are accustomed to using them in their daily lives, apps introduce scope for unprecedented levels of surveillance. One of the things a permanently-installed app on your phone can do that a web page cannot do is permanent geolocation. While it’s impossible for a web page to track your location (‘with permission’, of course) when it is not open; an app can do so. 

Our work on UC shows DWP will use any form of algorithmic cruelty it can find. Requiring UC claimants to submit to permanent geolocation is exactly the type of thing DWP would demand, and keep demanding, until it got permission. Could the Central Digital and Data Office and GDS, as a split leadership, reject those demands? (Noting the Home Office will probably find a reason to access geolocation too…)

In response to COVID-19, DWP figured out that the easiest option for DWP is to treat claimants like hostage takers and demand ‘proof-of-life’, with selfies holding up newspapers. 

As an aside, when the postcode centroid algorithm (and the errors therein) is compared with the GPS location (and the errors therein), who will suffer? UC would rather punish claimants than admit systemic failings.

For these and many other reasons, prior to launch, GDS must therefore explicitly ban any geolocation that isn’t on an “allow once while using the app” basis – and for platforms without that as an option, GDS must design and implement a best-quality user journey which takes the user via their system web-browser to perform a one-time location and then return them and the single-use coordinates to the app. 

Departments may be even less accountable for user hostile decisions than facebook or youtube, as the view of the Government’s internal ‘Fraud Profession’ is that citizen requests are frauds until proven otherwise, beyond doubt – and that the civil service never makes an error, until proven otherwise beyond a reasonable doubt. (And for the latter, such investigations rarely take place.)

The use of devices and device services to exploit users by underhand means in pursuit of power and profit has been led by Facebook. Unfortunately, unless abusive techniques are explicitly forbidden, Home Office and DWP acolytes will most likely see the ‘ingenuity’ of Facebook’s engineers as a playbook, and a feature list – not a recognition of the moral decrepitude of their monster factories.

Civil Service silos 

That DWP is forced to accept a GOV.UK Account for Single Sign On via the Black App means it will also have to accept it via the main UC website – both because the app is at its core just a view onto a web page, and because it would be untenable to force people to only ever use the app if they first used the app.

As soon as the Black App is launched, absent formal monitoring and enforcement otherwise, any Department will be able to exploit the full range of sensors in any device on which it is installed. The delegated nature of services means the Home Office, DWP, et al. do not and will not need to ask for central permission; what the web view does will be entirely within their control, especially on Android where protections are weaker. 

Meeting whose needs?

An app satisfies the CDO / CDDO / CDIO / CDEI / EIEIO / etc. need for the perception of institutional simplicity. Commentary on Twitter suggests at least some civil servants have read ‘Seeing Like a State’, which illustrates and explains how Governments do things because they make Government’s job easier, rather than necessarily helping the people they claim to serve.

In this context, Zacka’s ‘When the State meets the Street’ should also be required reading, as the business GDS is getting into with the Black App is front line service delivery for all of Government, at a level far deeper than just “meet user needs*”. 

In terms of needs, both individual and institutional, and given so much time in public services is taken up by complex cases – those with past traumas causing current difficulties – what would a trauma-informed interface look like?

It’s unlikely to appear in the Black App, but it could well do somewhere else…

---

---

For more detail and background, see our core report, ‘Decoding the Algorithm and Data Choices in DWP’s Monster Factory’ and complete list of Annexes – of which these are most relevant:

• Annex 2: Risk Based Verification (RBV) – how RBV is used both by local authorities and across DWP, and how to examine its use (and misuse) in practice. Also how it is outsourced.

• Annex 2A: ‘Identity Verification in UC for the most complex claims’

• Annex 3: Responding to Fraud and Error as a Government Profession and in Practice– Government has created a ‘profession’ out of fraud hunting; we examine the practical effects of the culture and practices of this ‘profession’ across DWP and more widely.

• Annex 5: Burdens upon Burdens: (December 2021)
  • Annex 5A: DWP and health (April 2021)
  • Annex 5B: DWP’s UC release schedule (March 2021)
  • Annex 5C: DWP’s planning timescale (March 2021)
  • Annex 5D: Digital failure – Home Office (April 2021)
  • Annex 5E: HMRC’s CH2 form (June 2021)
  • Annex 5F: Complaint numbers and tribunal losses (August 2021)
  • Annex 5G: Access to Forms (August 2021)
  • Annex 5H: Carers Allowance and Attendance Allowance (December 2021)
  • Annex 5J: Settled Status Revisited (December 2021)
  • Annex 5K: Changes to the UC Taper Rate (December 2021)
  • Annex 5L: NCC1 form (December 2021)
  • Annex 5P: A/B testing has legal obligations that are not being met (March 2021)
  • Annex 5Q: A/B test example – two factor authentication for claimants (March 2021)

• Annex 7: Baby then Bureaucracy – the paperwork of new parenthood
  • Annex 7A: Mothers and Gov.UK accounts

Any requirement for an in-country COVID passport after a declaration of “freedom” will be an admission of domestic policy failure by the Government; the greater the requirement for COVID passport mandates, the bigger the failure of Government to manage the pandemic well.

If do you need a domestic COVID passport, we recommend the paper documents made available, but you also have to black out unnecessary information (see below):

• Once you have been vaccinated in England, we suggest you use this English online form to get your paper certificate. It should arrive within 5 working days. If you prefer, you can ask for a letter by calling 119.
• In Scotland you can request a copy of your letter online for Scotland here, or you can get a copy of your vaccine status letter by phoning the COVID-19 Status Helpline on 0808 196 8565. NHS Scotland says you should allow at least 14 days for your vaccination status letter to arrive.
• The only Wales online option requires you to have an NHS Login, or you can request a paper NHS COVID certificate by calling 0300 303 5667 – though it can take up to 10 working days for your certificate to arrive.
• To get a certificate for Northern Ireland online (which may take 3 days to process) you must have an nidirect account. Or you can request a paper COVID certificate by telephone on 0300 200 7814, though it will take up to 10 working days to arrive. 

The COVID passport apps in each nation are different; they work differently, and require you to prove your identity in different ways. The paper certificates tend to be valid for a longer time than the app versions, and don’t require you to show your logged-in phone to strangers.

Unfortunately the paper versions being sent out currently include information like your address and date of birth – so if you must use one for domestic purposes, make sure you block out any other personal information on it, leaving only your name and the QR code.

In our responses to Michael Gove’s original consultation on ‘Vaccine Passports’, and to the recent call for evidence on ‘Plan B’ in England, medConfidential pointed out many of the risks of app-based COVID passes. As the schemes roll out, we and others are picking up on additional problems – like people whose medical records are already flagged as sensitive not being able to get a pass.

And, as the introduction of the Scottish ‘COVID Status’ app has already demonstrated, the use of international COVID certificates for domestic purposes is unsafe, unwise and potentially unlawful; the QR codes designed for use at borders can ‘leak’ unnecessary personal information when checked at domestic venues.

medConfidential’s GP data grab Situation Reports are a series of updates sent to stakeholders; this one is public.

The long delay was inevitable

The announcement of the short delay in June to 1st September was largely due to NHSx and DHSC thinking they understood their mistakes; as the GPDPR Data Provision Notice has now been withdrawn, and any new DPN will have process to go through, GP data collection can now begin no earlier than the 2nd September.

The next announcement, of a longer delay, will mark the inevitable realisation of the magnitude of these past mistakes – a delay already referred to by the former Secretary of State in his last speech at the despatch box, where he said:

It will take some time to move over to the new system, hence I have delayed its introduction, but we have also made that delay to ensure that more people can hear about it.

Both the Secretary of State and David Davis MP also entirely agreed in that debate on the risks of dissemination. It is therefore clear that the (very welcome) commitments on the use of Trusted Research Environments must apply to hospital data, e.g. HES, as well as GP data.

This realisation may yet come slowly. On HES, it may take a legal opinion quoting the Secretary of State’s speech, next to the ICO’s guidance on UK GDPR and DPA 2018, next to current DHSC policy that requires NHS Digital to disseminate the sensitive, identifiable personal data of every hospital patient in England – even if they have dissented – thousands of times a month. 

We understand it will be difficult to decide today, that from tomorrow HES is identifiable special category personal data, when the data was disseminated yesterday (and for years before).

The best time to have complied with the UK’s 2018 Data Protection Act was in May 2018; the second best time is now.

Sequencing of Events

While the delay was announced so the Trusted Research Environment (TRE) could be built to the satisfaction of research, there is now time to do everything in the right order. Hopefully.

NHSx may have gotten to choose the starting point but, as the Health and Care Bill demonstrates, it missed the boat. The headline focus of the Bill, Clause 1, formally re-names NHS England, but nowhere in the Bill does NHS Digital get a re-name. Perhaps DHSC expects to use its new powers to abolish NHS Digital – thereby abolishing the statutory safe haven? That is untenable.

There is, however, still time for the proposed legislation to be amended to resolve some critical data trust issues. The Bill should, for example, have a hook to put the National Data Opt-out onto a statutory footing – so patients can know and have confidence in what the rules are, so the profession all know what the rules are, and so the various national bodies know what the rules are – and so that everyone knows how those rules can be changed (in either direction) in future.

As the use of GP data evolves, there should be discussion as to whether the National Data Opt-out (NDOO) should apply to data leaving GP systems and going to NHS Digital, or not. If the conclusion is that it will not, then the Type 1 GP data opt-out must live on. If the NDOO were to be clarified in legislation to have the same effect as the current GP opt-outs, then Type 1s could effectively be deprecated for all but the most critical concerns – for a statutory opt-out is much better than a non-statutory one.

Hospital data

All of the examples given in David Davis MP’s adjournment debate were to do with hospital data, and the Secretary of State agreed on the risks of disseminating patients’ identifiable GP data, explicitly stating his intent that “The dangers that come with the dissemination of pseudonymised data are removed.”

So why is NHS hospital data not also being made ‘TRE-only’ from summer 2021 onwards? 

If NHS Digital and NHSEx wish to demonstrate to the GP profession (and to patients and the public at large) that the TRE-only approach will work, the most straightforward way to do so would be to show it working for the hospital data NHS Digital already collects – with a variety of researchers and, say, NHS England’s ‘Data Services for Commissioners’ Regional Offices (DSCROs) demonstrating good use of it. 

Such a transition should also make the DSCROs and other ‘DHSC / NHS family’ users far happier, as they will be getting both a much better data analysis environment for their ongoing work, while increasing safety as well. 

As the Health and Care Bill puts obligations on Integrated Care Systems to ‘use more data’, such patient-level data usage should also all be in formally NHS-accredited Trusted Research Environments – initially NHS Digital’s, also ONS’s or Genomics England’s. (‘Five Safes’ TREs are entirely achievable, but some will claim they meet the standard when they do not. Hence the need for formal, likely mutual, accreditation; trust in all being dependent on the weakest link in the chain.)

Communications

The need to communicate directly to the entire public actually makes other problems easier to resolve; with the data opt-out definitions written down in legislation, what is left for debate (as was the case in 2014) is exactly what text will fit on two sides of A4 – the text for the opt-out / opt-back-in form being derived from the legislation itself. 

This process could start with the last consensus draft of the care.data Advisory Group letter because, as a public advocate of the programme said, GPDPR is care.data.

NHS Digital, NHSx, and the new power to amend legislation

While NHSx may choose how many (NHSx-liveried, crowd pleasing…) elephants are in the ‘tech vision’ parade, it continues to be NHS Digital that has to follow it around with a shovel. And whoever holds the shovel will forever be in tension with those who want more elephants.

Many of the persistent problems around data are the result of such tensions, not necessarily the organisation itself that is making a decision. The same criticisms of NHS Digital would apply to the cancer registry, which learnt the hard way that giving data to a “causes of cancer study” is not such a good idea when the study is run by a tobacco company.

Someone has to enforce the rules that DHSC advertises as “strict”; that is currently NHS Digital.

It is not NHS Digital that decides what data uses there could be – it responds largely to requests. Sometimes it recognises that a request is valid but that an analysis would be better done by someone else. (A “causes of cancer study” is not inherently a bad thing.) But, as a result, NHS Digital gets a reputation for saying no to people – mostly because few notice the thousands of data file releases it does make every month.

It is, and should be, the job of a statutory safe haven to have a deep understanding of what is possible, what is legal, and of the necessity of keeping promises to patients. (Keeping promises not being a recognised strength of this Government.)

Any body fulfilling the role of safe haven must be transparent about where data goes. NHSEx have been actively dishonest in that regard, and – even if that was initially a mistake – have then explicitly refused to correct the record, and have repeated the dishonesty.

Differing interests may not like individual decisions that NHS Digital takes, medConfidential included – but what must be recognised and emulated is that it tells the public what those decisions are and why they were made, and people can know what we don’t know.

With DHSC and NHSEx, however, the cronyism and corruption of the Government’s approvals processes means not only is there no picture of what we don’t know, there appears to be an explicit desire to make sure no-one knows. 

Perhaps we are being unfair on the ‘organisation’ behind the first version of the NHS COVID-19 app that barely made it to pilot stage; the group which pushed GPDPR forward against expert advice, and which vetoed suggested improvements of GPDPR before it collapsed; the outfit that misleads stakeholders on what it publishes; which simultaneously added domestic vaccine passports for users of the NHS app, and which (still) expects NHS patients to hand an unlocked smartphone to the border guards of a hostile nation,  but we believe one’s actions speak for themselves.

(Of course, the person who signed the GPDPR Direction got promoted shortly thereafter. When NHSx is abolished, NHSx policy functions should really revert to DHSC – not because any particular incumbent has any particular talents, more because officials always move on.)

If NHSx – or any actual NHS bodies, for that matter – wish to be seen as trusted, they must show themselves to be trustworthy. Downgrading the statutory safe haven and/or transferring its statutory powers without reference to Parliament is unlikely to help in this regard.

New Secretary of State and Life Sciences 

To push our earlier analogy, some of Sajid Javid’s team will be retracing the path of Matt Hancock’s elephant – with a shovel to clean up those emissions that still litter the building.

And those whose ‘Vision’ is less rose-tinted will recognise the “alignment” claimed in the restated Life Sciences strategy was prompted more by the overwhelming necessity of combating a common enemy than any real change in institutional politics or public attitudes. It is notable also that the stakeholders on whose data the Vision depends, the public, get short shrift in a document whose focus is to “deepen collaboration and trust between Government, the NHS, and the [Life Sciences] Sector”.

Aspirational statements for “the full support of patients, the public and NHS, and must build trust into [the Vision’s] delivery” are hard to square with the far more clearly-defined intent that: “governance and oversight of NHS health data must be simplified to drive research and innovation”.

We welcome the commitment to consensual, safe, and transparent data infrastructure for a 21st century health and care system; as we have been saying for years, a modern TRE for research and all other secondary uses is inevitable. The best time to have started was in 2013; the second best time is now.

Available next steps:

• Available next steps to safely make GP data available for research and planning 
• Opt out review note (June) and available next steps on opt outs (July)
• Briefing on the Health and Care Bill