Careless

The people who run NHS England and the Health and Social Care Information Centre never wanted to give the public a choice about whether their data would be mined and sold for research purposes (and the clumsy, ill-informed opt-out that was dragged out of them isn’t a proper choice anyway). It should therefore come as no surprise – as the front page of today’s Telegraph makes clear – that the opt-outs have not been processed. Despite this, it’s full steam ahead: “the NHS has insisted that it will continue to sell medical data to insurers and other third parties”.

I’ve already seen questions on Twitter about the likelihood of the Information Commissioner taking action. If they do, it’s worth considering what the HSCIC and NHS England have actually done wrong. I’ve said this before, and I will say it again: care.data is legal and does not require consent. Because of the powers that Parliament bestowed in the Health and Social Care Act 2012, consent is not required: a legal power exists that allows personal data to be extracted and shared. It doesn’t matter which way you slice it, had NHS England steamrollered care.data through when they had the chance, this wouldn’t even be a story.

Ironically, it is the fact that NHS England bowed to the predictable but apparently unexpected backlash and offered their weedy compromise, achieved in part by that mealy-mouthed leaflet hidden among the pizza menus, that puts them in a pickle. All personal data must be processed fairly, and by telling all citizens that they had a right to opt-out of the sharing of their health data, NHS England created a set of clear expectations. They didn’t have to, but they did. So by not properly resourcing the opt-out process, NHS England and the Health and Social Care Information Centre have breached the first principle.

Lack of funding isn’t an excuse or a mitigating factor. The fact that they could have gone ahead and done all of this without the opt-out isn’t relevant either. Because the opt-out was offered, it is now part of the fairness package, and not to deliver on it is a breach.

The Information Commissioner has three options. The most obvious is what we have had before: some strongly worded correspondence, alternating with hand-holding for their HSCIC friends (including a relatively new HSCIC IG officer who used to be at the ICO, working on care.data). The ICO dropped the ball spectacularly on care.data, anxious to enable what they must have thought was an important undertaking by a valued stakeholder. David Smith, the Deputy Commissioner with responsibility for Data Protection, is keen to stress that the ICO can be an enabler, and care.data before the public backlash is what that looks like.

Secondly, the ICO could issue a civil monetary penalty. Thousands of people’s data are being used unfairly, there is a serious breach of the first principle, and no doubt, many of those affected will be upset, annoyed or even distressed by the news. But the ICO has come unstuck at the First and Upper Tier Tribunal when trying to take action on distress, so I can understand why they might not favour this as an option.

The third option is the action they should obviously take, but I wonder if anyone in Wilmslow is bold enough. There is no damage or distress threshold for an Enforcement Notice, there is a clear step that the Information Commissioner can order the HSCIC to take (action all of the opt-outs, resourcing that in preference to the work on active data sharing), and there is a serious sanction underpinning an Enforcement Notice if it is not complied with (prosecution for the organisation or its board members). If the HSCIC believe that their power to obtain this information engages the Section 35 exemption in DP, which removes the requirement to process personal data fairly, they would be welcome to explain this to the Tribunal. I used to think that this might work for them, but I’m not so sure now and I’d be thrilled to see them try.

The ICO has tried stakeholder engagement and they got very little for the public as a result. I can understand why a CMP may seem a disproportionate and unattractive move. I fear they will do nothing. But if the Commissioner’s Office wants to show that it is serious about holding organisations to account for anything other than self-reported security incidents, they could have an Enforcement Notice out in days. It would be a huge sign that the Commissioner is willing to get into difficult territory to uphold their legislation rather than maintain pleasant relations with government. I would sing their praises if they took the opportunity. The question is, do they have the guts?

Dangerous Liaisons

“We found this meeting to be productive and are pleased with the level of cooperation between our respective organisations” – Letter from David Evans, Strategic Liaison, Information Commissioner’s Office, to Christine Outram, Director of Strategic Intelligence, NHS England, 26 September 2013

As the care.data leaflet arrived in people’s homes in January, the ICO published a blog by Dawn Monaghan, Group Manager for Public Services in the ICO’s Strategic Liaison team. The blog described the NHS approach to the extraction of data from GP practices, the communication activities to underpin this, and the ICO’s role which – accurately – Monaghan described as limited. However, the blog did not stop short of effectively endorsing the process. Having summarised the plan to have posters and leaflets in GPs’ surgeries and a household leaflet drop, Monaghan’s blog stated: “We see this as a sensible approach” and “we would consider it likely that the fair processing requirements under the DPA would be met”.

Within days, the media was reporting on widespread concerns about the sensible approach. By the time of Tim Kelsey’s Comical Ali appearance on Radio 4’s Today Programme to say that everything was absolutely fine just before the whole thing was put on hold, Monaghan was interviewed to say that NHS England had not done enough. Christopher Graham later complained to the Independent that they’d wanted a direct letter all along.

This reaction to the mess was correct – it was the original, syrupy reassurance that was odd. The ICO is an independent regulator, there to ensure data protection compliance and, where necessary, to take enforcement action to back that up. And yet here they were, effectively saying ‘it’s all fine’. I thought it was bizarre that the ICO could give any backing to NHS England’s approach, but they seemed to find it necessary to be supportive until they saw which way the wind was blowing.

My concerns were shared. In September 2013, Dr Geraint Lewis, Chief Data Officer of NHS England was warned that the communications plan – the ‘sensible approach’ – was “essentially passive”. There were real concerns that “a number of patients would be unaware of what is happening to their personal data”. Lewis was informed that the approach – essentially the same approach that was delivered in practice – was almost certainly not an “adequate standard to ensure data protection compliance”. In October 2013, Rachel Merrett of NHS England received an email expressing concern about the household leaflet drop. There was a serious question about the leaflet’s effectiveness, arriving as it would along with stuff from “the local window cleaner and the Domino’s Pizza leaflet”, likely to be “scooped up and placed in the bin without being read”.

The author of these communications was Dawn Monaghan. I made an FOI request to the ICO for correspondence and meeting notes between the ICO and NHS England and the HSCIC. A large quantity of material was disclosed, virtually all of it recording the frequent contacts between Strategic Liaison – Monaghan, Evans and occasionally the head of the team Jonathan Bamford – and various NHS England and HSCIC civil servants. The biggest players, Information Commissioner Christopher Graham and Head of Patients and Information Tim Kelsey, make cameos early on, as the ICO fails to persuade NHS England to contact each patient directly.

It’s difficult to find a proper description of what Strategic Liaison does on the ICO’s website, but the aim seems to be to maintain good relationships with large data controllers or ‘stakeholders’. This seems clear from a ‘Strategic Liaison Organisational Review’ document put forward by Bamford in March 2013, asking for more staff. More staff would help meet the ICO’s objectives to “maintain its influence in key areas and on key issues”. Another key benefit was to ensure that “stakeholder satisfaction levels will be maintained”. So how’s that influence working out for you?

In practice, Strategic Liaison’s activities look like the provision of lots of free advice with no real gain for compliance or the public. From the Commissioner through Bamford to Monaghan and Evans, and in particular, in emails in August 2013, it is clear that the ICO wanted a direct communication with each patient, and they wanted the leaflet to set out very clearly what the ICO called an ‘opt-out’ until they acquiesced to NHS England’s terminology of an ‘objection’. In reality, the leaflet drop went ahead, and it contains only a mealy-mouthed reference to objecting. There is no form to register an objection or website to do so – on the last page, it simply tells the reader “ask the practice to make a note of this in your medical record”. Even NHS England’s preferred word ‘objection’ does not appear.

All the while NHS England and HSCIC pressured Strategic Liaison for detailed advice about who they think the Data Controllers are in various permutations of the process, and even when they got the answers, they demanded to know the background thinking. This resulted in Monaghan sending a detailed letter in November 2013, setting out the ICO position in detail. The average data controller, seeking concrete answers to such questions, would be told to whistle for it. Ring the helpline today and see if I’m wrong.

NHS England and the HSCIC clearly wanted the ICO to sign off their proposals. Even though an independent regulator should refuse this outright, several times, Monaghan refers to sign-off as something which cannot be done yet. In September 2013, an email states “Until this has taken place, the ICO could not offer an endorsement or agree that the process or communication plans would be compliant”, while later on it is unlikely that “we will be able to reach a point of endorsement or assurance until…”. The ICO is there to regulate, not to give approval, and yet it seems they contemplated endorsing the process. Indeed, what is Monaghan’s January blog, if not a tacit thumbs up? Typical of the way things worked is Monaghan’s statement on 12 August 2013 that “we do not wish to cause unnecessary delays to the project”. Delays to the project are not the ICO’s problem. If NHS England didn’t want to wait for ICO advice (advice I don’t think the ICO should have given), they should have got their answers from their own lawyers and hoped for the best, like most other Data Controllers have to do.

No matter how quickly the ICO changed their mind after the wheels came off, no matter how strong some of the correspondence is (Monaghan’s bracing September 2013 letter to Lewis is a standout), the overall mood is cooperative, ameliorating, persuasive, which might be OK if it worked. Teddy Roosevelt once advised a friend to ‘speak softly, and carry a big stick’. Strategic Liaison don’t have so much as a twig. The worst threat they offer is refusing to sign off the communication plan, something they should never have offered to do in the first place.

The only mention of enforcement action anywhere in the correspondence comes in an email from Rachel Merritt of NHS England in November 2013, trying to get confirmation from the ICO that they will take action if GPs opt out their patients in bulk. If the ICO cannot issue guidance on this issue, then NHS England has a number of options on the table: “If a large number of GP practices bulked block [sic] their patients, consideration would need to be given to whether we can continue to offer the objection”. Acknowledging the NHS Constitution’s guarantee of a right to object, Merritt continues that if the objection offer was withdrawn, “we could consider and refuse on this basis that we cannot provide a health service”. There is no evidence of how Strategic Liaison even reacted to this outrageous suggestion, but the friendly cooperation certainly continued. NHS England’s meeting notes from the back-end of 2013 even imply that the ICO was considering whether action against bulk opt-outs was possible.

Meanwhile, the HSCIC expressed concern about subject access request numbers escalating, and the meeting notes state “ICO to bring up with health priority cross officers group the issue of support for subject access requests”, and on 19 September 2013 “ICO agreed to work with the HSCIC if such requests significantly increased”. This offer of support is unacceptable on its own terms, and the ICO’s own Subject Access Code of Practice states “You should be prepared to respond to peaks in the volume of SARs you receive”. Every other Data Controller has to put in additional resources, but elite stakeholders get a promise of support. As we know, Strategic Liaison has to maintain their satisfaction levels.

I have complained before that the ICO’s use of the word ‘customer’ when they mean ‘complainant’ sends out the wrong message. The ICO is an ineffective ombudsman, and their recent decision to concentrate more on regulatory issues than making every complainant happy is probably a good idea on balance. I doubt it will work, but that’s a separate question. It’s essential for the ICO to be neutral, and sending out the message that they’re on the side of the public is wrong. They serve Parliament, the Data Protection Act and the public interest. But equally, it is wrong for them to assist certain favoured ‘stakeholders’, facilitating them with monthly meetings, daily emails, and detailed advice on demand, especially when the ICO’s own requirements (if you can call them that) are unmet. Would NHS England have sent a clear letter with an opt-out form to every individual if Strategic Liaison had promised them an enforcement notice if they didn’t? We’ll never know, but you don’t have to read much of the correspondence to see that this kind of thing isn’t in their vocabulary. The ICO needs to publish guidance, it needs to deal with complaints (i.e. make assessments) and in certain cases, it needs to enforce. Why does it need to make friends?

If there is any future compliance question about care.data – particularly the issues of fair processing or data controllership – the ICO has been intimately involved in NHS England’s thought process. I don’t even think NHS England and HSCIC were cynically implicating Strategic Liaison – the approach of nuzzling up to stakeholders does that automatically. The days when the ICO didn’t even have an enforcement team are long gone, but Strategic Liaison represents an outdated strand of thinking. The senior people who ran the office when I was there – which was long, long ago – treated Data Protection as an extended debating society where everything could be settled with a civilised discussion. Strategic Liaison had a civilised discussion with NHS England, they didn’t get what they wanted, but in the end, was maintaining a good relationship an objective in itself?

The one question FOI doesn’t allow me to ask is what Strategic Liaison think they’ve achieved. Care.data was delayed again, and this time, the objection that NHS England had contemplated dropping is getting a statutory basis, but Strategic Liaison didn’t ask for these concessions. It’s probably more pleasant to maintain friendly relationships with big data controllers, but at least in this case, I can’t see what was achieved by it. The ICO has a mountain of FOI complaints, a difficult new approach to DP compliance to implement, a pile of enforcement and a new version of Data Protection on the horizon, all in a time of austerity. I wouldn’t keep Strategic Liaison going in the years of plenty, but we’re in famine now, and deploying some of the most experienced ICO staff to hold hands with an elite group of data controller ‘stakeholders’ is a waste of valuable people and resources.

Time for a new strategy.

A very long engagement

Tim Kelsey’s appearance on the Today programme was not illuminating. No compromise, no acknowledgement that the process has been badly handled, and the plan to slip leaflets about the process in with the pizza menus was on the advice of ‘competent marketing agencies’ (the sound you just heard was the launch of an FOI request about who they were and what they said). It must be nice to make such a fantastic hash of your job, and be capable of thinking you’re still a winner.

From the perspective of someone who is uncomfortable with the care.data process, I would have been happy had he promised a proper, personally addressed opt-out (which is better than what we have now). I would have been even happier had he promised consent. I wouldn’t say for certain that a fair version of care.data is impossible but I don’t think one will ever be offered. I doubt NHS England wants to spend the money on sending personally addressed letters to everyone, and they don’t respect their fellow citizens enough to choose consent, so I’m actually happy that Kelsey is sticking to his guns. Because we’re not going to get a fair, democratic version of the system, I’d rather he keep infantilising the public. This tactic has already led to two delays – a third try at the same patronising “engagement” will surely kill the scheme off forever.

However, one thing struck me about the interview. Justin Webb asked Kelsey the straight question of whether a letter would be sent to every affected citizen. Kelsey said that all options were on the table, but was keen to plug his ‘Get hip with the 21st Century’ bluster about direct mail not being the right way to communicate. We’re using the Vulcan Mind Meld, Grandad. On the basis that Twitter has hardly been a roaring success for the care.data campaign (look at the #caredata hashtag if you don’t believe me), I wondered whether there might be more to Kelsey’s statement than panicked airtime filling. If so, what else is he planning, because I think the expensive letter option is the only game in town?

It’s entirely possible that NHS England has no plans to contact citizens directly at all. I predict posters, the reappearance of the NHS smurfs in the cheapest conceivable TV ad breaks, or adverts on radio stations I don’t listen to because I am old. But let’s assume that Kelsey and NHS England are thinking about some kind of direct contact. What are the options?

POST

Writing to every citizen directly would be more or less legal in Data Protection terms. Assuming that NHS England has a reliable source for every person (not every address) in England, I believe that contacting everyone would be lawful and fair, even if they loaded the correspondence with propaganda. This is partly because Data Protection has its limitations, but also because there’s nothing in the DPA to say that you can’t contact people unless you have their permission, even if the correspondence is marketing. Unless NHS England sends everyone a bald postcard that says ‘we’re taking your data for research, here’s your opt-out’, it’s highly likely that the correspondence would be marketing. The ICO’s definition of marketing is far wider than simply the offer for sale of goods and services, but the DPA does not prevent an organisation from sending unsolicited marketing by post unless the person has used their Section 11 data protection right to opt-out.

Legally, I think that’s NHS England’s only option for direct contact. It is inconceivable that if they are going to pay to contact us all, NHS England would just provide a bald statement of the facts. They would (and you might think they are entitled to) provide the reasons why care.data is a good thing. I believe this fits solidly into the ICO’s definition of ‘promotion of ideals’, which makes post their only legal option.

AUTOMATED CALLS

Automated calls are universally loathed as a form of marketing, so I’m certain that a scheme as cack-handedly managed as this one will hover over the option of making them. Automated calls are much cheaper than live calls, but to make them, you have to step wholly outside Data Protection. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (usually rendered as PECR, which you pronounce ‘pecker’ in order to get cheap laughs) state in regulation 19 that an automated marketing call can only be made if the subscriber (i.e. bill-payer) has “notified the caller” that they consent to receiving the call. That means explicit, opt-in consent for automated calls from NHS England. Nothing implied or inferred – they need active specific consent for automated marketing calls, or they can’t make them.

EMAILS (and as it happens TEXT MESSAGES)

The business sector did a smart lobbying job way back when PECR was drafted, so it is legally possible to send unsolicited business-to-business marketing emails, because PECR treats corporate subscribers (effectively organisations and their email addresses) differently from individual subscribers (i.e. an email account of any kind used solely for personal, home and recreational purposes). But for those individual subscribers i.e. you at home as a regular person, Regulation 22 has bad news for Kelsey’s 21st century engagement. The same rules apply – an active opt-in is the only option. The ‘Interpretation’ section of PECR makes clear that a text message is the same as an email, so the same rules apply – active opt-in. Even if NHS England can get hold of email addresses or mobile numbers (or exhort GPs to use the information they have), it is legally impossible to send messages about care.data unless they have active consent, or the messages are not marketing. And they will be marketing.

LIVE CALLS

I assume that live calls won’t be an option because they would be prohibitively expensive. However, just in case anyone is wondering, NHS England would have to screen all calls against the Telephone Preference Service list under PECR Regulation 21, ruling out millions of people (or making calls to them illegal).

Of course, these rules are routinely abused by Green Deal and PPI pests. The ICO’s efforts have been rather dismissively rebuffed by the First Tier Tribunal, so we await the Upper Tier to see whether the existing PECR rules can be properly enforced. But the difficulty of enforcing PECR does not grant NHS England permission to adopt the tactics of the snivelling spam-monger. PECR does not have public interest get-outs or exemptions. It applies to communications about care.data made by electronic means because they will inevitably be a promotion of NHS England’s ideals.

Of course, I may be way off. It’s entirely possible that the plan is for more soothing reassurance. It’s equally possible that care.data is dead, and nobody is willing to admit it yet. Given their stewardship of this so far, I doubt NHS England are above claiming that any contact would not be marketing, and going on a spam frenzy. The ICO – permanently on the back foot over care.data – would need to slap that down. But the Royal College of General Practitioners have demanded direct contact with patients, and it’s clear that their intervention (along with the BMA) has been decisive. Whatever options are on the table, NHS England does not have the legal consent necessary to contact patients by electronic means, even if they can get the data to do it. It would be illegal.

Time to warm up the franking machine.

Doctor knows best

Dr Clare Gerada, who was until recently chair of the Royal College of General Practitioners, has written an article for The Times about care.data, stoutly defending the scheme and its benefits for the public. The Times doesn’t give its stories away for free (a stance that they’re perfectly entitled to adopt), so if you want to read the article itself, you’ll either have to subscribe online or buy the newspaper like I did. Accompanying the comment piece is a short article in which she is quoted, perhaps less formally.

The article itself is familiar stuff. “We have nothing to fear” from care.data. Our data will be safe, secure, and used only for “proper and appropriate purposes”. Dr Gerada deserves credit for making clear that identifiable data will be shared outside the Health and Social Care Information Centre: she acknowledges that information will “not be anonymised at all times” because anonymised data only works in a limited number of circumstances. This frankness is refreshing, especially given the fevered Twitter commentary from NHS England’s apparently bewildered National Director for Patients and Information, Tim Kelsey, who still won’t admit that the exchange of a commodity for money is ‘selling’, or that pseudonymised data is identifiable. Only one statement in the comment piece really jars. Gerada describes the care.data leaflet as “asking if we would like to share our data”: we’re being offered an opt-out, and it’s unreasonable to finesse it as being an active choice.

I am also wary of the notion that “Part of the compact to get a universal, free health service is to allow data to be used to monitor diseases, plan services, and look at trends in old and new diseases”. The NHS is not free; it’s just free at the point of delivery. We pay for the NHS with our taxes. Even the poorest pay tax on their weekly shop and the idea that we also have to pay for the NHS with our data is not part of any deal I have ever seen. A much wider debate is necessary on that before we can let that remark slide. Nevertheless, if you want to see the case in favour, Gerada’s comment piece is a well-informed and persuasive rehearsal of the NHS England position. It’s interesting that nobody directly involved in care.data has been able to put the case as fluently and I have no hesitation in recommending it to you.

However if you do read it, permit me to suggest that you read the separate article, and compare what Dr Gerada says when commenting in the Times with what she says on Twitter. She opens her article with the mournful statement that we live in an “Age of Mistrust”. Perhaps one of the reasons is that those we need to trust turn out to have such clunking feet of clay.

Even the comment piece is misleading when put into context. Gerada states that those who do wish to avoid the “very low risk” of re-identification “should be allowed” to opt-out. That’s very generous, except Gerada doesn’t really believe it. On February 3rd, she said on Twitter “I dont think we should be able to opt out – but hey-ho”. She also said on 26th January: here and 25th January: here. There are other similar statements. I can’t find any evidence of a Damascene conversion in advance of her appearance in The Times. Gerada’s comment piece is designed to be reasonable and soothing but her views are actually much less sympathetic to any notion of choice. Should I trust someone who isn’t straight with people about what they really think?

This is bad enough on its own terms, but when you move to the comments in the accompanying article, it gets worse. Gerada is quoted as describing GPs who are opting their patients out unless they choose to opt in as ‘patronising’. She goes on to say that “It is not right for GP practices to make this decision on their patients behalf”. Gerada doesn’t think we should have a choice, but describes those who do as ‘patronising’. It’s an interesting choice of word, as when I used it on Twitter to describe Gerada’s approach to care.data, she responded that she was “just opening up a debate. Will not continue now as clearly wrong”, and later observed that calling people patronising was evidence of “how easy it is to then become personal in the debate- hence squashing further debate.” I shouldn’t call her patronising, but it’s fine for her to smear her fellow GPs with the same word.

Perhaps I overstep the mark if I say that Dr Gerada has a patronising attitude towards her fellow citizens. It may be too much to assert that her article for the Times was hypocritical. It won’t help the ‘debate’ very much if I do. However, how helpful, how constructive is it for Gerada to summarise her opponents in this way: The Times quotes her as saying that the act of opting out is ‘selfish, a bit like people who don’t give their kids MMR for herd immunity’. Perhaps you can think of a comment more precisely designed to squash a debate, but I’m dry for now.

Those of us who say no are not simply concerned for our privacy and keen to be given a choice. We’re not even “conspiracy theorists” (which is what she called us earlier this week). We who say no are dangerous. Our decision to opt-out actively puts our fellow citizens at risk. Like Tim Kelsey’s loaded statement on the Today programme earlier this week that those who “do not trust the NHS” to protect their data can opt-out, Gerada’s comments on Twitter and to the Times journalists show where we’ve got to: Us Versus Them, NHS Fundamentalists versus paranoid heretics. We’re through the looking glass, as one wise person put it to me, and now all that matters is faith. Do you believe in the NHS, or are you against it? All I need to do is finish my blog with a hysterical word like totalitarian or fascist – with due respect to Mike Godwin – and it just gets worse.

Like everything I have written on this subject both here and on Twitter, I doubt it will have any effect on your view of care.data. Either you already agree with me, in which case you will be even more convinced, or you don’t, and you will complain that I am making a personal attack on a respectable, dedicated public figure (needless to say, I have no doubt that Dr Gerada is a respectable, dedicated public figure, which is why I find her view of people like me so depressing). I cannot think of a single issue in my professional life that I have found more dispiriting than looking at this one. It’s become toxic and divisive. They don’t respect or trust Us, and We don’t respect or trust Them. There’s no hope of a resolution.

And another thing

Put on your anoraks, friends, we’re going to Data Protection land.

My objection to care.data is that it is unfair – I believe that data should only be extracted from GP systems and used for research (no matter how beneficial) with consent. I am wary of care.data’s hype-man Dr Tim Kelsey, who said on Twitter that the NHS would “never” compromise patient privacy. I know Twitter enforces brevity, but he had room for ‘knowingly’, ‘intentionally’ or ‘deliberately’ and he didn’t feel the need for any of them. Everyone who knows how the NHS works (or has worked in it) knows that compromises of patient privacy – both physical and in information terms – happen often, despite much effort to prevent them. Even if Kelsey only meant care.data, it is still a promise he cannot possibly hope to keep. I am uncomfortable with the way the NHS Chief Data Officer – Dr Geraint Lewis – insists that receiving payment in return for information is somehow not ‘selling’ it (despite the universally recognised definition of ‘sell’ in any dictionary you choose) or that it is wrong to suggest that insurance companies will use data for insurance purposes when documents published by the Health and Social Care Information Centre say that they will.

However, on the narrower question of whether care.data is legal, especially in terms of whether it is legal under the Data Protection Act, I don’t think there is much of an argument. It is legal. If you have a majority in Parliament, you can make a lot of things legal. The people organising it don’t need your consent and are not attempting to obtain it. The leaflet drop is no way to inform people about such a significant step, but I don’t think it is required.

Here’s why:

1) CONSENT

Consent cannot be obtained through an opt-out. The EU Directive on which the DPA is based and with which it must comply says that consent must be freely given, and be based on a positive indication of the subject’s wishes. How can the absence of something be consent? The answer is that it can’t. An unticked box is an unticked box and nothing more. The health sector has invented the concept of ‘implied consent’, but this is a misnomer. When they talk about ‘implied consent’, what they mean is ‘inferred consent’ – a person actively does something (for example, they willingly turn up for a test or an examination), and their consent to treatment and data processing can be inferred from their actions.

What is happening with care.data is not an attempt to get consent because the Data Protection Act does not oblige an organisation to process data only with consent. It gives the organisation options – consent is one, and a legal obligation is another. GPs have a legal obligation to allow the data to be extracted (they have no choice) and that’s that. Consent is irrelevant. The opt-out is a legally unnecessary bonus offered by NHS England to get people like me off their backs – if you don’t like it (in Kelsey’s now-deleted words, if you don’t want to make a contribution to society), opt out. I think they could withdraw it, as I don’t see that the Health and Social Care Act 2012, which gives them the power to extract the data, obliges them to offer one.

Precisely why the health minister Dan Poulter told an MP in a written answer that the ICO may be involved in policing whether GPs have unusual numbers of opt-outs is a mystery, as they have nothing whatever to do with it. The opt-out is for show; it’s not necessary for DP purposes.

2) FAIR PROCESSING

Parliament decided that GPs would have a legal obligation to provide (or rather, not prevent the extraction of) the personal data. However, as the ICO – in the form of Dawn Monaghan’s blog – confirms, GPs are the data controllers of the information and are therefore responsible for data protection compliance up to and including the extraction. The ICO goes on to say that: “responsibility for letting patients know what is happening falls to GPs, as the data controllers”.

The first Data Protection principle states that the use of personal data must be fair. Schedule 1, Part II of the Data Protection Act sets out precisely how that must be done – by providing certain information. Dinosaurs like me call it ‘fair processing’, whereas the current Commissioner has rebranded it a ‘privacy notice’. The information that must be supplied is the identity of the data controller, the purposes for which the data is being processed and any other information specific to the situation required to make the processing fair (surprises like – for example – your GP data will be passed to insurance companies). So if you’re unhappy with the level of information you’ve received, even though care.data isn’t their fault, you complain to your GP, because they are the data controller sharing the data, right?

Wrong.

Breathe in: Schedule 1, Part II, Section 3 (2) (b) contains a caveat. The fair processing information must be supplied unless:

“the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract” (my emphasis)

The above was overly complicated; I had overlooked the obvious. Section 35 (1) of the DPA states that personal data “are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court”. The non-disclosure provisions include all fairness considerations including fair processing.

In other words, the Data Protection Act says explicitly that if they are supplying the data in order to comply with a legal obligation, the GPs do not need to provide fair processing. The effectiveness of NHS England’s soft-soap leaflet is legally irrelevant, and if you complain to your GP about the information campaign, I think they’re in the clear.

If you think I’m technically incorrect here, by the way, feel free to comment. I sympathise with the GPs, so I think my interpretation has the small attraction of getting them off the hook, but if I’m wrong, I’d genuinely like to be put right.

But back on topic, precisely why the ICO does not want you to know this is something I cannot explain. I suspect that – like the legal precedent in the Durant judgment that says that subject access requests cannot be used for litigation – they regard it as an inconvenient truth that if they ignore, will go away. I suspect GPs will deal sympathetically with complaints from their patients, but they can turn the ICO away if it comes knocking. There is no threat there.

This is why I am appalled by care.data. Scrape away the hype and the window-dressing, and this is an authoritarian measure from which the relevant law offers no protection. Get something through Parliament, and the DPA is your poodle. That’s what happened here and even if you favour research, do you really think their means to your end is OK?

If you’re happy with care.data, nothing here will convince you otherwise and nor should it. But if you’re unhappy with care.data, face reality: consent is not required, the ICO’s powers are limited to what breaches they can find out about (AKA what they get told about), and even the opt-out is a non-statutory gift that can be removed. Quite why everyone including the ICO is pushing the GPs around is beyond me – we know who’s in charge, and they hold all the cards.