The people who run NHS England and the Health and Social Care Information Centre never wanted to give the public a choice about whether their data would be mined and sold for research purposes (and the clumsy, ill-infomed opt-out that was dragged out of them isn’t a proper choice anyway). It should therefore come as no surprise – as the front page of today’s Telegraph makes clear – that the opt-outs have not been processed. Despite this, it’s full steam ahead: “the NHS has insisted that it will continue to sell medical data to insurers and other third parties“.

I’ve already seen questions on Twitter about the likelihood of the Information Commissioner taking action. If they do, it’s worth considering what the HSCIC and NHS England have actually done wrong. I’ve said this before, and I will say it again: care.data is legal and does not require consent. Because of the powers that Parliament bestowed in the Health and Social Care Act 2012, consent is not required because a legal power exists that allows personal data to be extracted and shared. It doesn’t matter which way you slice it, had NHS England steamrollered care.data through when they had the chance, this wouldn’t even be a story.

Ironically, it is the fact that NHS England bowed to the predictable but apparently unexpected backlash and offered their weedy compromise, achieved in part by that mealy-mouthed leaflet hidden among the pizza menus, that puts them in a pickle. All personal data must be processed fairly, and by telling all citizens that they had a right to opt-out of the sharing of their health data, NHS England created a set of clear expectations. They didn’t have to, but they did. So by not properly resourcing the opt-out process, NHS England and the Health and Social Care Information Centre have breached the first principle.

Lack of funding isn’t an excuse or a mitigating factor. The fact that they could have gone ahead and done all of this without the opt-out isn’t relevant either. Because the opt-out was offered, it is now part of the fairness package, and not to deliver on it is a breach.

The Information Commissioner has three options. The most obvious what is what we have had before: some strongly worded correspondence, alternating with hand-holding for their HSCIC friends (including a relatively new HSCIC IG officer who used to be at the ICO, working on care.data). The ICO dropped the ball spectacularly on care.data, anxious to enable what they must have thought was an important undertaking by a valued stakeholder. David Smith, the Deputy Commissioner with responsibility for Data Protection, is keen to stress that the ICO can be an enabler, and care.data before the public backlash is what that looks like.

Secondly, the ICO could issue a civil monetary penalty. Thousands of peoples’ data are being used unfairly, there is a serious breach of the first principle, and no doubt, many of those affected will be upset, annoyed or even distressed by the news. But the ICO has come unstuck at the First and Upper Tier Tribunal when trying to take action on distress, so I can understand why they might not favour this as an option.

The third option is the action they should obviously take, but I wonder if anyone in Wilmslow is bold enough. There is no damage or distress threshold for an Enforcement Notice, there is a clear step that the Information Commissioner can order the HSCIC to take (action all of the opt-outs, resourcing that in preference to the work on active data sharing), and there is a serious sanction underpinning an Enforcement Notice if it is not complied with (prosecution for the organisation or its board members). If the HSCIC believe that their power to obtain this information engages the Section 35 exemption in DP, which removes the requirement to process personal data fairly, they would be welcome to explain this to the Tribunal. I used to think that this might work for them, but I’m not so sure now and I’d be thrilled to see them try.

The ICO has tried stakeholder engagement and they got very little for the public as a result. I can understand why a CMP may seem a disproportionate and unattractive move. I fear they will do nothing. But if the Commissioner’ Office wants to show that it is serious about holding organisations to account for anything other than self-reported security incidents, they could have an Enforcement Notice out in days. It would be a huge sign that the Commissioner is willing to get into difficult territory to uphold their legislation rather than maintain pleasant relations with government. I would sing their praises if they took the opportunity. The question is, do they have the guts?