A very long engagement


Tim Kelsey’s appearance on the Today programme was not illuminating. No compromise, no acknowledgement that the process has been badly handled, and the plan to slip leaflets about the process in with the pizza menus was on the advice of ‘competent marketing agencies’ (the sound you just heard was the launch of an FOI request about who they were and what they said). It must be nice to make such a fantastic hash of your job, and be capable of thinking you’re still a winner.

From the perspective of someone who is uncomfortable with the process, I would have been happy had he promised a proper, personally addressed opt-out (which is better than what we have now). I would have been even happier had he promised consent. I wouldn’t say for certain that a fair version of is impossible but I don’t think one will ever be offered. I doubt NHS England wants to spend the money on sending personally addressed letters to everyone, and they don’t respect their fellow citizens enough to choose consent, so I’m actually happy that Kelsey is sticking to his guns. Because we’re not going to get a fair, democratic version of the system, I’d rather he keep infantilising the public. This tactic has already led to two delays –  a third try at the same patronising “engagement” will surely kill the scheme off forever.

However, one thing struck me about the interview. Justin Webb asked Kelsey the straight question of whether a letter would be sent to every affected citizen. Kelsey said that all options were on the table, but was keen to plug his ‘Get hip with the 21st Century’ bluster about direct mail not being the right way to communicate. We’re using the Vulcan Mind Meld, Grandad. On the basis that Twitter has hardly been a roaring success for the campaign (look at the #caredata hashtag if you don’t believe me), I wondered whether there might be more to Kelsey’s statement than panicked airtime filling. If so, what else is he planning, because I think the expensive letter option is the only game in town?

It’s entirely possible that NHS England has no plans to contact citizens directly at all. I predict posters, the reappearance of the NHS smurfs in the cheapest conceivable TV ad breaks, or adverts on radio stations I don’t listen to because I am old. But let’s assume that Kelsey and NHS England are thinking about some kind of direct contact. What are the options?


Writing to every citizen directly would be more or less legal in Data Protection terms.  Assuming that NHS England has a reliable source for every person (not every address) in England, I believe that contacting everyone would be lawful and fair, even if they loaded the correspondence with propaganda. This is partly because Data Protection has its limitations, but also because there’s nothing in the DPA to say that you can’t contact people unless you have their permission, even if the correspondence is marketing. Unless NHS England sends everyone a bald postcard that says ‘we’re taking your data for research, here’s your opt-out’, it’s highly likely that the correspondence would be marketing. The ICO’s definition of marketing is far wider than simply the offer for sale of goods and services, but the DPA does not prevent an organisation from sending unsolicited marketing by post unless the person has used their Section 11 data protection right to opt-out.

Legally, I think that’s NHS England’s only option for direct contact.  It is inconceivable that if they are going to pay to contact us all, NHS England would just provide a bald statement of the facts. They would (and you might think they are entitled to) provide the reasons why is a good thing. I believe this fits solidly into the ICO’s definition of ‘promotion of ideals’, which makes post their only legal option.


Automated calls are universally loathed as a form of marketing, so I’m certain that a scheme as cack-handedly managed as this one will hover over the option of making them. Automated calls are much cheaper than live calls, but to make them, you have to step wholly outside Data Protection. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (usually rendered as PECR, which you pronounce ‘pecker’ in order to get cheap laughs) state in regulation 19 that an automated marketing call can only be made if the subscriber (i.e. bill-payer) has “notified the caller” that they consent to receiving the call. That means explicit, opt-in consent for automated calls from NHS England. Nothing implied or inferred – they need active specific consent for automated marketing calls, or they can’t make them.

EMAILS (and as it happens TEXT MESSAGES)

The business sector did a smart lobbying job way back when PECR was drafted, so it is legally possible to send unsolicited business-to-business marketing emails, because PECR treats corporate subscribers (effectively organisations and their email addresses) differently from individual subscribers (i.e. an email account of any kind used solely for personal, home and recreational purposes). But for those individual subscribers i.e. you at home as a regular person, Regulation 22 has bad news for Kelsey’s 21st century engagement. The same rules apply – an active opt-in is the only option. The ‘Interpretation’ section of PECR makes clear that a text message is the same as an email, so the same rules apply – active opt-in. Even if NHS England can get hold of email addresses or mobile numbers (or exhort GPs to use the information they have), it is legally impossible to send messages about unless they have active consent, or the messages are not marketing. And they will be marketing.


I assume that live calls won’t be an option because they would be prohibitively expensive. However, just in case anyone is wondering, NHS England would have to screen all calls against the Telephone Preference Service list under PECR Regulation 21, ruling out millions of people (or making calls to them illegal).

Of course, these rules are routinely abused by Green Deal and PPI pests. The ICO’s efforts have been rather dismissively rebuffed by the First Tier Tribunal, so we await the Upper Tier to see whether the existing PECR rules can be properly enforced. But the difficulty of enforcing PECR does not grant NHS England permission to adopt the tactics of the snivelling spam-monger. PECR does not have public interest get-outs or exemptions. It applies to communications about made by electronic means because they will inevitably be a promotion of NHS England’s ideals.

Of course, I may be way off. It’s entirely possible that the plan is for more soothing reassurance. It’s equally possible that is dead, and nobody is willing to admit it yet. Given their stewardship of this so far, I doubt NHS England are above claiming that any contact would not be marketing, and going on a spam frenzy. The ICO – permanently on the back foot over – would need to slap that down. But the Royal College for General Practitioners have demanded direct contact with patients, and it’s clear that their intervention (along with the BMA) has been decisive. Whatever options are on the table, NHS England does not have the legal consent necessary to contact patients by electronic means, even if they can get the data to do it. It would be illegal.

Time to warm up the franking machine.


Dangerous Liaisons


We found this meeting to be productive and are pleased with the level of cooperation between our respective organisations” Letter from David Evans, Strategic Liaison, Information Commissioner’s Office, to Christine Outram, Director of Strategic Intelligence, NHS England, 26 September 2013


As the leaflet arrived in people’s homes in January, the ICO published a blog by Dawn Monaghan, Group Manager for Public Services in the ICO’s Strategic Liaison team. The blog described the NHS approach to the extraction of data from GP practices, the communication activities to underpin this, and the ICO’s role which – accurately – Monaghan described as limited. However, the blog did not stop short of effectively endorsing the process. Having summarised the plan to have posters and leaflets in GPs surgeries and a household leaflet drop, Monaghan’s blog stated: “We see this as a sensible approach” and “we would consider it likely that the fair processing requirements under the DPA would be met“.

Within days, the media was reporting on widespread concerns about the sensible approach. By the time of Tim Kelsey’s Comical Ali appearance on Radio 4’s Today Programme to say that everything was absolutely fine just before the whole thing was put on hold, Monaghan was interviewed to say that NHS England had not done enough. Christopher Graham later complained to the Independent that they’d wanted a direct letter all along.

This reaction to the mess was correct – it was the original, syrupy reassurance that was odd. The ICO is an independent regulator, there to ensure data protection compliance and, where necessary, to take enforcement action to back that up. And yet here they were, effectively saying ‘it’s all fine’. I thought it was bizarre that the ICO could give any backing to NHS England’s approach, but they seemed to find it necessary to be supportive until they saw which way the wind was blowing.

My concerns were shared. In September 2013, Dr Geraint Lewis, Chief Data Officer of NHS England was warned that the communications plan – the ‘sensible approach’ – was “essentially passive”. There were real concerns that “a number of patients would be unaware of what is happening to their personal data”. Lewis was informed that the approach – essentially the same approach that was delivered in practice – was almost certainly not an “adequate standard to ensure data protection compliance”. In October 2013, Rachel Merrett of NHS England received an email expressing concern about the household leaflet drop. There was a serious question about the leaflet’s effectiveness, arriving as it would along with stuff from “the local window cleaner and the Domino’s Pizza leaflet”, likely to be “scooped up and placed in the bin without being read”.

The author of these communications was Dawn Monaghan. I made an FOI request to the ICO for correspondence and meeting notes between the ICO and NHS England and the HSCIC. A large quantity of material was disclosed, virtually all of it recording the frequent contacts between Strategic Liaison – Monaghan, Evans and occasionally the head of the team Jonathan Bamford – and various NHS England and HSCIC civil servants. The biggest players, Information Commissioner Christopher Graham and Head of Patients and Information Tim Kelsey – make cameos as early on, the ICO fails to persuade NHS England to contact each patient directly.

It’s difficult to find a proper description of what Strategic Liaison does on the ICO’s website, but the aim seems to be to maintain good relationships with large data controllers ‘stakeholders’. This seems clear from a ‘Strategic Liaison Organisational Review’ document put forward by Bamford in March 2013, asking for more staff. More staff would help meet the ICO’s objectives to “maintain its influence in key areas and on key issues”. Another key benefit was to ensure that “stakeholder satisfaction levels will be maintained”. So how’s that influence working out for you?

In practice, Strategic Liaison’s activities look like the provision of lots of free advice with no real gain for compliance or the public. From the Commissioner through Bamford to Monaghan and Evans, and in particular, in emails in August 2013, it is clear that the ICO wanted a direct communication with each patient, and they wanted the leaflet to set out very clearly what the ICO called an ‘opt-out’ until they acquiesced to NHS England’s terminology of an ‘objection’. In reality, the leaflet drop went ahead, and it contains only a mealy-mouthed references to objecting. There is no form to register an objection or website to do so – on the last page, it simply tells the reader “ask the practice to make a note of this in your medical record”. Even NHS England’s preferred word ‘objection’ does not appear.

All the while NHS England and HSCIC pressured Strategic Liaison for detailed advice about who they think the Data Controllers are in various permutations of the process, and even when they got the answers, they demanded to know the background thinking. This resulted in Monaghan sending a detailed letter in November 2013, setting out the ICO position in detail. The average data controller, seeking concrete answers to such questions, would be told to whistle for it. Ring the helpline today and see if I’m wrong.

NHS England and the HSCIC clearly wanted the ICO to sign off their proposals. Even though an independent regulator should refuse this outright, several times, Monaghan refers to sign-off as something which cannot be done yet. In September 2013, an email states “Until this has taken place, the ICO could not offer an endorsement or agree that the process or communication plans would be compliant”, while later on it is unlikely that “we will be able to reach a point of endorsement or assurance until…”. The ICO is there to regulate, not to give approval, and yet it seems they contemplated endorsing the process. Indeed, what is Monaghan’s January blog, if not a tacit thumbs up? Typical of the way things worked is Monaghan’s statement on 12 August 2013 that “we do not wish to cause unnecessary delays to the project”. Delays to the project are not the ICO’s problem. If NHS England didn’t want to wait for ICO advice (advice I don’t think the ICO should have given), they should have got their answers from their own lawyers and hoped for the best, like most other Data Controllers have to do.

No matter how quickly the ICO changed their mind after the wheels came off, no matter how strong some of the correspondence is (Monaghan’s bracing September 2013 letter to Lewis is a standout), the overall mood is cooperative, ameliorating, persuasive, which might be OK if it worked. Teddy Roosevelt once advised a friend to ‘speak softly, and carry a big stick’. Strategic Liaison don’t have so much as a twig. The worst threat they offer is refusing to sign off the communication plan, something they should never have offered to do in the first place.

The only mention of enforcement action anywhere in the correspondence comes in an email from Rachel Merritt of NHS England in November 2013, trying to get confirmation from the ICO that they will take action if GPs opt out their patients in bulk. If the ICO cannot issue guidance on this issue, then NHS England has a number of options on the table: “If a large number of GP practices bulked block [sic] their patients, consideration would need to be given to whether we can continue to offer the objection”. Acknowledging the NHS Constitution’s guarantee of a right to object, Merritt continues that if the objection offer was withdrawn, “we could consider and refuse on this basis that we cannot provide a health service”. There is no evidence of how Strategic Liaison even reacted to this outrageous suggestion, but the friendly cooperation certainly continued. NHS England’s meeting notes from the back-end of 2013 even imply that the ICO was considering whether action against bulk opt-outs was possible.

Meanwhile, the HSCIC expressed concern about subject access request numbers escalating, and the meeting notes state “ICO to bring up with health priority cross officers group the issue of support for subject access requests”, and on 19 September 2013 “ICO agreed to work with the HSCIC if such requests significantly increased”. This offer of support is unacceptable on its own terms, but the ICO’s own Subject Access Code of Practice states “You should be prepared to respond to peaks in the volume of SARs you receive”. Every other Data Controller has to put in additional resources, but elite stakeholders get a promise of support. As we know, Strategic Liaison has to maintain their satisfaction levels.

I have complained before that the ICO’s use of the word ‘customer’ when they mean ‘complainant’ sends out the wrong message. The ICO is an ineffective ombudsman, and their recent decision to concentrate more on regulatory issues than making every complainant happy is probably a good idea on balance. I doubt it will work, but that’s a separate question. It’s essential for the ICO to be neutral and to send out the message that they’re on the side of the public is wrong. They serve Parliament, the Data Protection Act and the public interest. But equally, it is wrong for them to assist certain favoured ‘stakeholders’, facilitating them with monthly meetings, daily emails, and detailed advice on demand, especially not when the ICO’s own requirements (if you can call them that) are unmet. Would NHS England have sent a clear letter with an opt-out form to every individual if Strategic Liaison had promised them an enforcement notice if they didn’t? We’ll never know, but you don’t have to read much of the correspondence to see that this kind of thing isn’t in their vocabulary. The ICO needs to publish guidance, it needs to deal with complaints (i.e. make assessments) and in certain cases, it needs to enforce. Why does it need to make friends?

If there is any future compliance question about – particularly the issues of fair processing or data controllership – the ICO has been intimately involved in NHS England’s thought process. I don’t even think NHS England and HSCIC were cynically implicating Strategic Liaison – the approach of nuzzling up to stakeholders does that automatically. The days when the ICO didn’t even have an enforcement team are long gone, but Strategic Liaison represents an outdated strand of thinking. The senior people who ran the office when I was there – which was long, long ago – treated Data Protection as an extended debating society where everything could be settled with a civilised discussion. Strategic Liaison had a civilised discussion with NHS England, they didn’t get what they wanted, but in the end, was maintaining a good relationship an objective in itself?

The one question FOI doesn’t allow me to ask is what Strategic Liaison think they’ve achieved. was delayed again, and this time, the objection that NHS England had contemplated dropping is getting a statutory basis, but Strategic Liaison didn’t ask for these concessions. It’s probably more pleasant to maintain friendly relationships with big data controllers, but at least in this case, I can’t see what was achieved by it. The ICO has a mountain of FOI complaints, a difficult new approach to DP compliance to implement, a pile of enforcement and a new version of Data Protection on the horizon, all in a time of austerity. I wouldn’t keep Strategic Liaison going in the years of plenty, but we’re in famine now, and deploying some of the most experienced ICO staff to hold hands with an elite group of data controllers stakeholders is a waste of valuable people and resources.

Time for a new strategy.




The people who run NHS England and the Health and Social Care Information Centre never wanted to give the public a choice about whether their data would be mined and sold for research purposes (and the clumsy, ill-infomed opt-out that was dragged out of them isn’t a proper choice anyway). It should therefore come as no surprise – as the front page of today’s Telegraph makes clear – that the opt-outs have not been processed. Despite this, it’s full steam ahead: “the NHS has insisted that it will continue to sell medical data to insurers and other third parties“.

I’ve already seen questions on Twitter about the likelihood of the Information Commissioner taking action. If they do, it’s worth considering what the HSCIC and NHS England have actually done wrong. I’ve said this before, and I will say it again: is legal and does not require consent. Because of the powers that Parliament bestowed in the Health and Social Care Act 2012, consent is not required because a legal power exists that allows personal data to be extracted and shared. It doesn’t matter which way you slice it, had NHS England steamrollered through when they had the chance, this wouldn’t even be a story.

Ironically, it is the fact that NHS England bowed to the predictable but apparently unexpected backlash and offered their weedy compromise, achieved in part by that mealy-mouthed leaflet hidden among the pizza menus, that puts them in a pickle. All personal data must be processed fairly, and by telling all citizens that they had a right to opt-out of the sharing of their health data, NHS England created a set of clear expectations. They didn’t have to, but they did. So by not properly resourcing the opt-out process, NHS England and the Health and Social Care Information Centre have breached the first principle.

Lack of funding isn’t an excuse or a mitigating factor. The fact that they could have gone ahead and done all of this without the opt-out isn’t relevant either. Because the opt-out was offered, it is now part of the fairness package, and not to deliver on it is a breach.

The Information Commissioner has three options. The most obvious what is what we have had before: some strongly worded correspondence, alternating with hand-holding for their HSCIC friends (including a relatively new HSCIC IG officer who used to be at the ICO, working on The ICO dropped the ball spectacularly on, anxious to enable what they must have thought was an important undertaking by a valued stakeholder. David Smith, the Deputy Commissioner with responsibility for Data Protection, is keen to stress that the ICO can be an enabler, and before the public backlash is what that looks like.

Secondly, the ICO could issue a civil monetary penalty. Thousands of peoples’ data are being used unfairly, there is a serious breach of the first principle, and no doubt, many of those affected will be upset, annoyed or even distressed by the news. But the ICO has come unstuck at the First and Upper Tier Tribunal when trying to take action on distress, so I can understand why they might not favour this as an option.

The third option is the action they should obviously take, but I wonder if anyone in Wilmslow is bold enough. There is no damage or distress threshold for an Enforcement Notice, there is a clear step that the Information Commissioner can order the HSCIC to take (action all of the opt-outs, resourcing that in preference to the work on active data sharing), and there is a serious sanction underpinning an Enforcement Notice if it is not complied with (prosecution for the organisation or its board members). If the HSCIC believe that their power to obtain this information engages the Section 35 exemption in DP, which removes the requirement to process personal data fairly, they would be welcome to explain this to the Tribunal. I used to think that this might work for them, but I’m not so sure now and I’d be thrilled to see them try.

The ICO has tried stakeholder engagement and they got very little for the public as a result. I can understand why a CMP may seem a disproportionate and unattractive move. I fear they will do nothing. But if the Commissioner’ Office wants to show that it is serious about holding organisations to account for anything other than self-reported security incidents, they could have an Enforcement Notice out in days. It would be a huge sign that the Commissioner is willing to get into difficult territory to uphold their legislation rather than maintain pleasant relations with government. I would sing their praises if they took the opportunity. The question is, do they have the guts?