Categories
Tim Kelsey’s appearance on the Today programme was not illuminating. No compromise, no acknowledgement that the process has been badly handled, and the plan to slip leaflets about the process in with the pizza menus was on the advice of ‘competent marketing agencies’ (the sound you just heard was the launch of an FOI request about who they were and what they said). It must be nice to make such a fantastic hash of your job, and be capable of thinking you’re still a winner.
From the perspective of someone who is uncomfortable with the care.data process, I would have been happy had he promised a proper, personally addressed opt-out (which is better than what we have now). I would have been even happier had he promised consent. I wouldn’t say for certain that a fair version of care.data is impossible but I don’t think one will ever be offered. I doubt NHS England wants to spend the money on sending personally addressed letters to everyone, and they don’t respect their fellow citizens enough to choose consent, so I’m actually happy that Kelsey is sticking to his guns. Because we’re not going to get a fair, democratic version of the system, I’d rather he keep infantilising the public. This tactic has already led to two delays – a third try at the same patronising “engagement” will surely kill the scheme off forever.
However, one thing struck me about the interview. Justin Webb asked Kelsey the straight question of whether a letter would be sent to every affected citizen. Kelsey said that all options were on the table, but was keen to plug his ‘Get hip with the 21st Century’ bluster about direct mail not being the right way to communicate. We’re using the Vulcan Mind Meld, Grandad. On the basis that Twitter has hardly been a roaring success for the care.data campaign (look at the #caredata hashtag if you don’t believe me), I wondered whether there might be more to Kelsey’s statement than panicked airtime filling. If so, what else is he planning, because I think the expensive letter option is the only game in town?
It’s entirely possible that NHS England has no plans to contact citizens directly at all. I predict posters, the reappearance of the NHS smurfs in the cheapest conceivable TV ad breaks, or adverts on radio stations I don’t listen to because I am old. But let’s assume that Kelsey and NHS England are thinking about some kind of direct contact. What are the options?
POST
Writing to every citizen directly would be more or less legal in Data Protection terms. Assuming that NHS England has a reliable source for every person (not every address) in England, I believe that contacting everyone would be lawful and fair, even if they loaded the correspondence with propaganda. This is partly because Data Protection has its limitations, but also because there’s nothing in the DPA to say that you can’t contact people unless you have their permission, even if the correspondence is marketing. Unless NHS England sends everyone a bald postcard that says ‘we’re taking your data for research, here’s your opt-out’, it’s highly likely that the correspondence would be marketing. The ICO’s definition of marketing is far wider than simply the offer for sale of goods and services, but the DPA does not prevent an organisation from sending unsolicited marketing by post unless the person has used their Section 11 data protection right to opt-out.
Legally, I think that’s NHS England’s only option for direct contact. It is inconceivable that if they are going to pay to contact us all, NHS England would just provide a bald statement of the facts. They would (and you might think they are entitled to) provide the reasons why care.data is a good thing. I believe this fits solidly into the ICO’s definition of ‘promotion of ideals’, which makes post their only legal option.
AUTOMATED CALLS
Automated calls are universally loathed as a form of marketing, so I’m certain that a scheme as cack-handedly managed as this one will hover over the option of making them. Automated calls are much cheaper than live calls, but to make them, you have to step wholly outside Data Protection. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (usually rendered as PECR, which you pronounce ‘pecker’ in order to get cheap laughs) state in regulation 19 that an automated marketing call can only be made if the subscriber (i.e. bill-payer) has “notified the caller” that they consent to receiving the call. That means explicit, opt-in consent for automated calls from NHS England. Nothing implied or inferred – they need active specific consent for automated marketing calls, or they can’t make them.
EMAILS (and as it happens TEXT MESSAGES)
The business sector did a smart lobbying job way back when PECR was drafted, so it is legally possible to send unsolicited business-to-business marketing emails, because PECR treats corporate subscribers (effectively organisations and their email addresses) differently from individual subscribers (i.e. an email account of any kind used solely for personal, home and recreational purposes). But for those individual subscribers i.e. you at home as a regular person, Regulation 22 has bad news for Kelsey’s 21st century engagement. The same rules apply – an active opt-in is the only option. The ‘Interpretation’ section of PECR makes clear that a text message is the same as an email, so the same rules apply – active opt-in. Even if NHS England can get hold of email addresses or mobile numbers (or exhort GPs to use the information they have), it is legally impossible to send messages about care.data unless they have active consent, or the messages are not marketing. And they will be marketing.
LIVE CALLS
I assume that live calls won’t be an option because they would be prohibitively expensive. However, just in case anyone is wondering, NHS England would have to screen all calls against the Telephone Preference Service list under PECR Regulation 21, ruling out millions of people (or making calls to them illegal).
Of course, these rules are routinely abused by Green Deal and PPI pests. The ICO’s efforts have been rather dismissively rebuffed by the First Tier Tribunal, so we await the Upper Tier to see whether the existing PECR rules can be properly enforced. But the difficulty of enforcing PECR does not grant NHS England permission to adopt the tactics of the snivelling spam-monger. PECR does not have public interest get-outs or exemptions. It applies to communications about care.data made by electronic means because they will inevitably be a promotion of NHS England’s ideals.
Of course, I may be way off. It’s entirely possible that the plan is for more soothing reassurance. It’s equally possible that care.data is dead, and nobody is willing to admit it yet. Given their stewardship of this so far, I doubt NHS England are above claiming that any contact would not be marketing, and going on a spam frenzy. The ICO – permanently on the back foot over care.data – would need to slap that down. But the Royal College for General Practitioners have demanded direct contact with patients, and it’s clear that their intervention (along with the BMA) has been decisive. Whatever options are on the table, NHS England does not have the legal consent necessary to contact patients by electronic means, even if they can get the data to do it. It would be illegal.
Time to warm up the franking machine.