In order to register dissent for your children’s medical records to be used for purposes beyond their direct care (and why):

1) Protect your GP data: fill in and give this ‘Type 1’ form to your GP practice [PDF] [or MS Word version] – this form allows you to include details for your children and dependants as well. This is the most important step; the Type 1 opt-out is the only opt-out that will stop NHS Digital extracting your GP data.

2)  If you want to stop your non-GP data, such as hospital or clinic treatments, being used/sold for purposes other than your direct care (e.g. for “research and planning“) you must use this process: 

• • If you have children under 13, you need to fill in this form [PDF] and e-mail or post it back to NHS Digital – this form works for both you and your children.

• • If it’s just for yourself, use NHS Digital’s online ‘National Data Opt-out’ process – this only works for individuals aged 13 and over.

• • If you have an adult dependant for whom you have legal responsibility, you must use this form [PDF] and send it back to NHS Digital on their behalf

If you don’t have a printer

If you don’t have a printer, and can’t fill in the electronic forms above, you can e-mail children@medConfidential.org with your postal address and how many people you need forms for, and we will post you copies of the GP paper forms, for free, no questions asked (also tell us if you have children under 13, or the online hospital data service hasn’t worked for you, and so you need the hospital data form as well).

We will, of course, only use your details to send you the forms you want and we will delete them as soon as we have done that. (medConfidential is registered with the ICO to process personal data in this way.) If you can afford to make a small donation to support us in offering this service to others, we have a donation page where others have donated so we can send the forms to you for free.

---

Why does DHSC put you (and other families) through all this hassle?

The pandemic changed many things, but until 23 April 2021 and for much of the last year, the forms to express dissent for your children and other dependents were missing from the NHS Digital website. Instead, for up to a year it said:

The explicit decision back in 2018 that there would not be a digital route for families with children came back to bite those who had to implement it.

Postal processing being temporarily unavailable might be considered understandable at the height of a pandemic, though it was clearly someone’s decision to remove the links from the website to prevent new processing.

This may not have been a concern in and of itself, but buried in NHS Digital’s Board papers is a statement that the Direction and Data Provision Notice for “GP Data for Planning and Research” was due to be published “to enable collection to commence (March 2021)”, according to the papers for NHS Digital’s Board meeting on 31st March 2021. That the new children’s opt out form did not appear until three weeks later suggests the discriminatory and inappropriate approach to dissent continues. 

Before 2016, when the dissent process had been considered primarily from a patient’s perspective, the way to opt out was to give one piece of paper to your GP, which covered your entire family – and then the NHS would deal with any complexity. It did, and it worked. Over 1.2 million people used that process, which was possibly more than some would like…

In 2018, NHS England and the Department of Health and Social Care made a series of choices about how the National Data Opt-out Process (NDOP) would work; the effect of each of those decisions made it harder for someone to express their wishes: 

• By cherry-picking who was invited to meetings, and on a narrow reading of the Data Protection Act 2018, one of those choices was that if you are over 13, you must do it yourself online. (The people to whom NHS England chose to listen at that point were those who believed your GP shouldn’t be an interface between you and ‘the NHS’.) 

• Another such choice was that the databases used to validate that you are who you say you are online were not to be used to check if you had children who lived at home and who were registered with the same GP.

• In fact, the decision was then made that there would be no digital process for children at all – parents’ and carers’ choices for any of their dependents would have to be done via a form sent in the post. First that form had 8 pages, then 7, now 4, and (finally!) the option to send forms by e-mail, after feedback about the punitive nature of the process.

As a result of all this complexity, the GP opt out form – which, prior to 2018, used to work for your entire family for all NHS records – still works for your entire family, but only for your GP records. And since NHS England and DHSC chose to create another process, you now have to do that too!

The process doesn’t have to be this complicated. Most families have children registered with the same GP as the parent, living in the same house, so the NHS identity checks for adults should cover their dependent children. There will always be exceptions, families with more complex situations – the current PM’s for example – which is why a paper form is a necessary backstop. But having no web process at all starts to look more like a procedural punishment for families.

The Secretary of State or NHS England could have said that the process for dependent children (and other dependents) should be the same as for adults. Instead they shifted the bureaucratic burden from the NHS onto patients and families, in the hope you would care less about your GP data than their cronies who wish to buy it.

To register dissent for your children’s medical records to be used for purposes beyond their direct care (and why):

1) For your and your dependants’ GP data, give this ‘Type 1‘ form to your GP.

2) For your children’s and your own hospital and other non-GP data, fill in and e-mail or post this ‘National Data Opt-out’ form to NHS Digital.

3) Not forgetting that for your own hospital and other non-GP data, individuals aged 13 or over can also opt out (or opt back in) online.

One thing the NHS bureaucracy likes more than anything is having the same acronym to mean two different but similar things. In addition to Summary Care Records (SCR, SuCR?), which have existed since 2007, NHSEx now adds ‘Shared Care Records’ from 2021.

As explained to the Public Accounts Committee on 17 September 2020 by Matthew Gould, CEO of NHSX, Shared Care Records (SCR, ShCR?) should:

“…allow patient data to flow safely and appropriately between different care providers, not just in health but also in social care.”  – Question 46

It is not that NHS England / NHSx have access to data today that is necessarily the problem; it is what they will do with it tomorrow – and whether they will keep their promises (cf. Test & Trace DPIA, transparency court case, ‘contracts for cronies’, etc. , etc.) 

What is needed for Shared Care Records to work?

Patients’ and service users’ data flowing along their care pathway for the purpose of their direct care is a worthy and worthwhile goal, and one that medConfidential has supported since its inception.

If Shared Care Records are to be successful in practice, and not repeat the dead-ends of LHCRs, that success requires they must do an number of things:

1)  The Shared Care Record is claimed to be for direct care only, and a good Shared Care Record will indeed be for direct care. A bad Shared Care Record will be used for lots of other things that it does not tell you about. NHS direct care services are too often seen as a ‘Christmas tree’ off which to hang things; ShCR cannot be a means by which sensitive health records leak out of the NHS via a back door.

• What happens across the boundaries between administrative areas (ICS, ShCR, or other)? Do ShCRs facilitate care for those who live in one area but, e.g. visit A&E in another?

• Do (creepy single) doctors get to look up the records of women they’ve met on dates – or anyone in the country – without disclosure or recourse? Are meaningful measures in place for those who are affected to know that their records were accessed?

2)  Shared Care Records’ existence and purpose(s) must be properly communicated to the public, before they are used, (unlike LHCRs) which means:

• Clearly and publicly stating what they will and won’t do, and explaining the rights and choices people have;

• Writing to all those who will have ShCRs created – including service users – not forgetting or otherwise disadvantaging families with children, and not just to those who may have previously opted out of LHCR sharing and/or SuCR.

3)  Ensure Shared Care Records can be seen as trustworthy, on an ongoing basis. From the point they are introduced, a record of every access of a ShCR must be made available to the patient or service user via their new NHS Login, cf. Data Usage Reports.

• If a provider is capable of connecting to a person’s Shared Care Record, it must also be capable of recognising and respecting that person’s confidentiality and consent choices; if it cannot do both, it must not be permitted to do either. 

• There is no excuse to ‘retrofit’ later; GDPR requires that all data processing is lawful, fair and transparent – and the data flowing through Shared Care records is, by definition, identifiable individual-level special category personal data.

• Confidentiality and consent choices should be managed centrally, ensuring that system-wide rules and IG are applied consistently and effectively. If local areas / ICSs manage their own dissent processes and someone moves to another area, will they have to dissent again? How will anyone know?

4)  To the extent that any data contained within Shared Care Records is extracted, copied or otherwise processed (e.g. ‘anonymised’) for any secondary uses, this must be done either within the statutory Safe Haven (i.e. NHS Digital) or under its Information Governance processes, which confer (joint) data controllership. Anything less than this would be a retrograde step and, as the failings of consent and governance processes around individual LHCRs have demonstrated, will compromise public trust.

• Notably for social care data, the regulator (i.e. CQC) cannot also be the Safe Haven: the incentives would be completely perverse. We understand a reluctance to put a body named ‘NHS Digital’ in charge of (adult) social care data, and share concerns about the ‘medicalisation’ of social care. That challenge is, however, an improvement DHSC and the NHS have to learn if health and social care are ever to be properly integrated.

If Shared Care Records cannot meet these conditions then they will be unfit for purpose, and will have been commissioned badly at huge cost to the taxpayer and to the reputation of the NHS.

LHCRs largely failed; will the lessons be learned?

From NHS Data Day, October 2019

Commercial re-use of data

If there are to be secondary uses of data within the Shared Care Record, then plainly the National Data Opt-out must be made statutory, it must work properly for everyone (including families), and must be made readily available to all before any secondary uses go live.

• The deadline for system-wide implementation of NDOP has been extended repeatedly from the original compliance deadline of 31 March 2020, to 31 September 2021;

• Meanwhile, LHCRs and CCGs have struggled to interpret and in some cases properly apply correct and appropriate Information Governance for NDOP – a situation that cannot be permitted to continue beyond the pandemic.

Even if there were to be zero secondary uses of data flowing through the Shared Care Record (ShCR), there would still be the issue of Summary Care Record (SuCR) opt-outs. For if someone has objected to just a summary of their record being shared, how can it be assumed that they will accept the wider sharing of their ‘whole’ care record?

Where there is legislation, therefore, both the National Data Opt-out (NDOP) and a ShCR opt-out must be made statutory; and these must be made readily available to all, and must be respected by all across the whole health and social care system.

“Selling the benefits” is no longer enough if you are also selling the records.

Details documents

• Data flows of COVID-19
• Post-COVID Landscape
• Available next steps for a trial of a Post-COVID Summary Care Record
• Why a single cloud EPR cannot work
• What’s not in the The NHS Whitepaper, plus:
  • Specific note on the Direction powers in the white paper
  • Specific note on Available uses of the Testing infrastructures

As all of the future emerges, the graphics below from various NHS presentations show the thinking that went into them, and the direction of travel:

‘Shared Care Records’ for secondary use?

Data for direct care doesn’t stay for direct care. A series of slides over years show the embedded view of NHS bodies which all want data to flow beyond direct care to commercial companies, and for planning, policy and commissioning decisions.

• It all begins with a lifelong (“longitudinal”) record and “maximising the use of data”:

from: https://digital.nhs.uk/blog/transformation-blog/2019/so-what-is-a-local-health-and-care-record-anyway

• For the purposes of policy-making, planning, commissioning and near ‘real-time’ surveillance of individual-level patient data, explicitly intended long before COVID:

From: https://hscic.kahootz.com/connect.ti/PubNHSDDTSF/view?objectId=10508916 

• Of course, there is also research and commercial exploitation; discussed well before COVID…

From NHS Data Day, October 2019

• …and during the pandemic as well; here’s the Minister discussing legislation to align with Big Pharma interests:

From Baroness Blackwood’s roundtables with Pharma, June-July 2020

ALL of these interests (and many more, e.g. Big Tech, Big DNA…) will seek the data once it has been created.

Details documents

• Data flows of COVID-19
• Post-COVID Landscape
• Available next steps for a trial of a Post-COVID Summary Care Record
• Why a single cloud EPR cannot work
• What’s not in the The NHS Whitepaper, plus:
  • Specific note on the Direction powers in the white paper
  • Specific note on Available uses of the Testing infrastructures

[The 2020 update to our ongoing series on data usage reports (2014… 2021)]

The need for and consequences of data usage reporting is something medConfidential has worked through for a long time.

You have the right to know how data about you is used, but what does that look like in practice? We’ve mocked up a data usage report for the NHS, and the equivalent for Government – but what about the analyses that are run on any data? What should responsible data analysts be able to say (and prove) about the analyses they have run?

The new, eighth Caldicott Principle is “Inform patients and service users about how their confidential information is used”. In future work we will look at how this goes beyond existing legal requirements under the 2018 Data Protection Act, what Data Usage Reports (or Data Release Statements) should look like to the NHS in 2021, and what patients should see. For now, though, we want to take a look at the other end of the process.

Analyses, Analysts, and their readers

Public bodies (and indeed everyone) buying AI and Machine Learning products need to know what it is they are buying, and how it has been developed and tested. Ethically, they must be able to know the equivalent of “This was not tested on animals”, i.e. “No data subject was harmed in the making of this AI”.

We covered a lot of the procurement side of this in our recent work on AI, data and business models. But that raised a question: what is it that procurers should ask for when procuring data-driven products and services? And what does good look like – or, at a bare minimum, what does adequate look like?

At the most practical level, what should someone wanting to follow best practice actually do?

And just as importantly, who should do what?

In a world of the Five Safes, Trusted Research Environments (TREs) and openSAFELY, and as the role of independent third parties becomes increasingly viable, those who wish to follow more dangerous ‘legacy practices’ with data will be unable to provide and evidence equivalent assurances – and their offerings will therefore be at a significant disadvantage in the market.  

A trustworthy TRE records exactly what data was used in each analysis, and can report that back to its users and to those who read their analyses. Academic journals often require copies of data to be published alongside an academic paper, which is not possible for health data (and if someone were to make that mistake would be catastrophic), but this certificate could act as a sufficient proxy for confidence and reproducibility.

If you are running the data ‘in your own basement’, there’s no way for anyone to know what you did with it beyond simply trusting you. In health analyses and with health and care data, that isn’t enough – and it should certainly not be the basis for procurement decisions.

So, as before, we decided to mock something up.

Trusted Research Environments which facilitate transparent data assurance like this, and which automate the provision of evidence of compliance with the rules – Data Protection, Information Governance, Equality, or otherwise – will be offering advantages for their users over those which do not. And any TRE that does not report back to its users how its safety measures were used will clearly not be helping its users build confidence in the entire research process.

While they may claim to be “trusted”, organisations that fail to provide every project with an ‘Analysis and Input report’ cannot be seen as genuinely trustworthy.

[2021 blog post in the series]

Across Government data and digital is too often used solely to help civil servants to make decisions, rather than benefitting all stakeholders.

There is little sign this inequity will be addressed under current structures or priorities, but as Government thinking evolves around the structure of the new Information Commissioner, CDEI should also be fundamentally restructured so as to receive and consolidate a much wider range of inputs – including lay members (DHSC’s former National Information Board had six, for example). Without wide-ranging input, data in Government shall continue to make rookie mistakes such as those of the ONS / GDS Data Standards Authority.

There are alternatives to creating many ‘pools’ of data around Whitehall and simply hoping no-one makes a mistake. Built for the pandemic, and with appropriate governance within and beyond it, the model of openSAFELY could apply across the rest of Government – especially for monumental failures like the National Pupil Database at DfE.

While it is self-evident that the vision of the forthcoming National Health Data Strategy should be to maximise the health of patients within the NHS, the vision of a National Care Data Strategy is less clear. Is it only to maximise the health and health outcomes of those to whom care is provided, or do quality of care and quality of life have other dimensions? Whatever is decided, as the Health and Care systems move towards integration, those two goals must align – but it shows how far apart things are that to talk of (the state of) Health and Care data as if they are even remotely equivalent is quite clearly nonsense.

As the pandemic has brutally illustrated, there is no data strategy for social care – and no evident plan to move towards one. Given every journey must begin with a single step, something like this might work.

Health and Care ‘moving parts’

Whenever NHS legislation is next put to Parliament, the National Data Opt-out should be placed on a statutory footing. Aside from guaranteeing patient choice and underpinning trust, this will provide proper democratic scrutiny of official choices such as the one which the National Data Guardian highlighted in her recent annual report – page 11, right column – where NHS Digital, NHSX, and DHSC decided it wasn’t in their interests for patients to see how data about them is used. Should government attempt to defend that position, when the push-poll and focus group used to come up with it are more widely known, the u-turn will be more embarrassing than fixing it now. 

In a similar vein, transparency on access to patients’ details via APIs (whether new ones for COVID-19 or pre-existing ones, such as for the Summary Care Record) would also begin to address the ‘creepy single doctors’ problem that has been exacerbated by the widening of access in a time of reduced oversight. And that some in Government still wish to use patient records for funding and “decommissioning” decisions (para 2) is unlikely to be wise.

Government argues that new business models are the way the NHS and the Life Sciences Industrial Strategy will get them out of the hole they’ve created. Trillion-dollar tech fantasies abound. But while the conflicts of interest amongst advocates of this strategy are clear, whether it will work is not. 

National Data Strategy (outside of health)

The NDS is a “pro-growth” data strategy, which is an entirely appropriate mission for DCMS – but it creates a fundamental conflict of interest in its sponsorship of the ICO as regulator, and its role in choosing the replacement for the current Information Commissioner. For this if not other reasons as well, the ICO should move back to being Departmentally sponsored by the Ministry of Justice, to underline the fundamental importance of following the law and to ensure the principles of justice apply to all data use, as well as to quasi-judicial decision making by the regulator.

A data strategy for the UK should first and foremost respect the rights and freedoms of every data subject, and aim to provide the greatest net-benefit to the whole of the UK – yet there is no compelling vision in the strategy; no clarion call. There is also no testable hypothesis in the strategy, by which its success (or otherwise) can be known. It is likely no single vision acceptable to all stakeholders could have got through write-round – not least because the unreformed, institutionally-ignorant Home Office will not accept a nuance that is in the public’s interest (for example, PHE / Test&Trace / police data sharing).

As written, there is no explicit difference in the National Data Strategy between personal data and data about objects. Lacking specificity, much of the strategy that is intended for one could be used for the other, thereby creating effects entirely unintended by the authors. A recent misstep by the new “Data Standards Authority” illustrates the sort of harm that can be caused when ‘generic intent’ overrides substantive nuance.

After a summer tainted by “mutant algorithms” in education, nothing would say understanding data less than NHS England agreeing to run the COVID-19 vaccination database off a 66 million row Excel spreadsheet. (While a single worksheet can have a million rows, losing 65 million people should be relatively noticeable – plus they know to look… now.)

Enclosures:

• Dear Prime Minister
  • Do This First: Creating the Data and Information Commission 
• Social care 
• National Data Strategy response – top sheet
  • National Data Strategy detailed read through
  • The choices of the Data Standards Authority
• Offline harms 2
• PHE letter
• Net Assessment of pre-Covid analysis, which predates openSAFELY
  • OpenSAFELY in the rest of Government

[this was written in stages from 2020 to June 2024 – edits after 2020 are dated]

Over the last year, medConfidential has been examining the systems and information flows in and around Universal Credit – a key example of what the former UN Rapporteur on Extreme Poverty, Philip Alston, calls the ‘Digital Welfare State’.

Phil and Sam would like to thank the many organisations working on UC for their help and support, especially Child Poverty Action Group (CPAG). The project, funded by the Open Society Foundations, and working alongside front line support services, charities, campaigners and lawyers will continue.

Our first report looked at four key areas:

One focus (Annex 1) covers what DWP knows, and what it should know about how and when claimants are paid. DWP officials have denied to Parliament and the High Court that UC has access to information that HMRC holds; whether DWP didn’t ask, or if HMRC withheld that info from DWP is as yet unclear.

DWP’s own documentation tells claimants which months they will be thrown off Universal Credit due to DWP’s systems’ inability to read a calendar. And indeed the Court recently ruled, in a case brought forward by CPAG, that DWP’s “refusal to put in place a solution to this very specific problem is so irrational that I have concluded that the threshold is met because no reasonable [Secretary of State for Work and Pensions] would have struck the balance in that way.”

Annex 2 examines how risk based verification (RBV) has been used in the benefit system – in particular around housing benefit and council tax support, but elsewhere too – and what that reveals about DWP and fraud.

As we cover in Annex 2A, DWP documents imply UC has been designed so that GOV.UK Verify can never work for 20% of claimants, i.e. those deemed ‘high risk’, against whom 75% of ‘counter-fraud’ resources are targeted – whose cases may in fact be more complex than genuinely risky. (This mandatory ranking process, also known as ‘stack ranking’, is the same process that led to the 2020 A-level grading fiasco.)

Annex 3 takes a deeper dive into how the wider Government fraud agenda impacts on DWP, noting that while DWP may keep trying to keep things secret from both the public and Parliament, the Cabinet Office has recently instituted Government-wide oversight of ‘Fraud and Error’…

Annex 4 addresses DWP’s response to COVID-19, and its effects on UC information flows; what changed, and what didn’t. Annex 4B briefly also covers the ‘home testing’ process for COVID, which uses DWP and Government ‘counter-fraud norms’ – i.e. a credit history check on every applicant – a process DWP is considering as it’s ‘in-house’ identity approach “to replace Verify”.

Annex 5 lists the burdens upon burdens loaded by digital services upon the poorest and least able to cope; Annex 6 looks at what can be done to address those who UC currently doesn’t serve well, with Annex 7 focussing on new mothers who have a new baby and much new bureaucracy. Annex 8 looks at the new development of Superapps for Government.

And, bringing things all together, the core report covers the core parts of UC, and serves as a reference point for our ongoing and future work, followed by a short closing report.

As this work was done chronologically, you may wish to begin with the Annex that interests you most – or, if you prefer, read the Annexes in order and then the main report.

• Annex 1: HMRC-DWP ‘Real Time Information’ income sharing – how HMRC collects information on payments from employers, how this is fed to DWP, and what DWP does (and doesn’t) do with it.
  • Annex 1A : After the Johnson and Pantellerisco court cases (October 2020)
  • Annex 1B: Opportunities around Statutory Instrument 2020/522 (November 2020)

• Annex 2: Risk Based Verification (RBV) – how RBV is used both by local authorities and across DWP, and how to examine its use (and misuse) in practice. Also how it is outsourced.

• Annex 2A: ‘Identity Verification in UC for the most complex claims’

• Annex 3: Responding to Fraud and Error as a Government Profession and in Practice – Government has created a ‘profession’ out of fraud hunting; we examine the practical effects of the culture and practices of this ‘profession’ across DWP and more widely.

• Annex 4: COVID-19 and the Welfare State – top sheet and overview; proactive and responsive analysis and proposals are in the sub-Annexes:
  • Part 4A: What changed and what didn’t?
  • Part 4B: COVID Credit Checks (June 2020)
  • Part 4C: ‘Sending money next week’ (early March 2020)
  • Part 4D: ‘What DWP did instead’ (26 March 2020)
  • Part 4E: Written Evidence to Parliament (responding to Oral Evidence by DWP) (April 2020)
  • Part 4F: Supplementary Illustrated and Written Evidence following our Oral Evidence (also based on other parts of our report) (July 2020)
  • Part 4G: Righting any wrongs – opportunities illustrated by SI 2020/522 (November 2020)
  • Part 4H: A worked example of Inclusive Data Collection (March 2021, part of our submission to the Inclusive Data Taskforce)
  • Part 4J: COVID successes and otherwise – The UC signup peak (February 2022)

• Annex 5: Burdens upon Burdens: (December 2021)
  • Annex 5A: DWP and health (April 2021)
  • Annex 5B: DWP’s UC release schedule (March 2021)
  • Annex 5C: DWP’s planning timescale (March 2021)
  • Annex 5D: Digital failure – Home Office (April 2021)
  • Annex 5E: HMRC’s CH2 form (June 2021)
  • Annex 5F: Complaint numbers and tribunal losses (August 2021)
  • Annex 5G: Access to Forms (August 2021)
  • Annex 5H: Carers Allowance and Attendance Allowance (December 2021)
  • Annex 5J: Settled Status Revisited (December 2021)
  • Annex 5K: Changes to the UC Taper Rate (December 2021)
  • Annex 5L: NCC1 form (December 2021)
  • Annex 5M: PIP/DLA (August 2022)
  • Annex 5P: A/B testing has legal obligations that are not being met (March 2021)
  • Annex 5Q: A/B test example – two factor authentication for claimants (March 2021)
  • The 2021 Spending Review (June 2021)
  • Public discovery note: What is not automated? (September 2020)

• Annex 6 – Collect bank details of everyone: small implementation steps to enable future policy choices (August 2022)
  • Annex 6A: increasing the availability of flexible policy options (August 2022)
  • Annex 6B: More flexible payments (August 2022)
  • Annex 6C: DWP’s arguments against split payments (are all flawed) May 2023
  • Annex 6N: DWP and Nudge (August 2021)

• Annex 7: Baby then Bureaucracy – the paperwork of new parenthood (December 2021)
  • Annex 7A: Mothers and Gov.UK accounts (December 2021)
  • Annex 7B: Anecdata on Digital Disengagement (March 2022)

• Annex 8: Government Super-Apps (June 2024)
• Annex 8B: Developing digital services in government (aka the Queue, Jira) (June 2024)

• Core report: ‘Decoding the Algorithm and Data Choices in DWP’s Monster Factory’ 
• Closing report: Government desires over user needs (June 2024)

Wider lessons for Government

DWP chose what to automate, and those choices primarily benefited DWP.

Annexes 2A, 3, and 5 contain wider lessons for government, that Departments would already know if they had cared to look; but sometimes the best internal lessons come from outside.

DWP’s own documentation tells claimants which months they will be thrown off Universal credit due to DWP’s systems’ inability to read a calendar. CPAG recently won a case against DWP, where the judge said:

DWP’s “refusal to put in place a solution to this very specific problem is so irrational that I have concluded that the threshold is met because no reasonable [Secretary of State for Work and Pensions] would have struck the balance in that way.”

UC is a large canary in the coal mine, but the ‘fraud’ approach is metastasising across government and will have consequences for all Government uses of data.