Careless

The people who run NHS England and the Health and Social Care Information Centre never wanted to give the public a choice about whether their data would be mined and sold for research purposes (and the clumsy, ill-informed opt-out that was dragged out of them isn’t a proper choice anyway). It should therefore come as no surprise – as the front page of today’s Telegraph makes clear – that the opt-outs have not been processed. Despite this, it’s full steam ahead: “the NHS has insisted that it will continue to sell medical data to insurers and other third parties”.

I’ve already seen questions on Twitter about the likelihood of the Information Commissioner taking action. If they do, it’s worth considering what the HSCIC and NHS England have actually done wrong. I’ve said this before, and I will say it again: care.data is legal and does not require consent. Because of the powers that Parliament bestowed in the Health and Social Care Act 2012, consent is not required because a legal power exists that allows personal data to be extracted and shared. It doesn’t matter which way you slice it, had NHS England steamrollered care.data through when they had the chance, this wouldn’t even be a story.

Ironically, it is the fact that NHS England bowed to the predictable but apparently unexpected backlash and offered their weedy compromise, achieved in part by that mealy-mouthed leaflet hidden among the pizza menus, that puts them in a pickle. All personal data must be processed fairly, and by telling all citizens that they had a right to opt-out of the sharing of their health data, NHS England created a set of clear expectations. They didn’t have to, but they did. So by not properly resourcing the opt-out process, NHS England and the Health and Social Care Information Centre have breached the first principle.

Lack of funding isn’t an excuse or a mitigating factor. The fact that they could have gone ahead and done all of this without the opt-out isn’t relevant either. Because the opt-out was offered, it is now part of the fairness package, and not to deliver on it is a breach.

The Information Commissioner has three options. The most obvious is what we have had before: some strongly worded correspondence, alternating with hand-holding for their HSCIC friends (including a relatively new HSCIC IG officer who used to be at the ICO, working on care.data). The ICO dropped the ball spectacularly on care.data, anxious to enable what they must have thought was an important undertaking by a valued stakeholder. David Smith, the Deputy Commissioner with responsibility for Data Protection, is keen to stress that the ICO can be an enabler, and care.data before the public backlash is what that looks like.

Secondly, the ICO could issue a civil monetary penalty. Thousands of people’s data are being used unfairly, there is a serious breach of the first principle, and no doubt, many of those affected will be upset, annoyed or even distressed by the news. But the ICO has come unstuck at the First and Upper Tier Tribunal when trying to take action on distress, so I can understand why they might not favour this as an option.

The third option is the action they should obviously take, but I wonder if anyone in Wilmslow is bold enough. There is no damage or distress threshold for an Enforcement Notice, there is a clear step that the Information Commissioner can order the HSCIC to take (action all of the opt-outs, resourcing that in preference to the work on active data sharing), and there is a serious sanction underpinning an Enforcement Notice if it is not complied with (prosecution for the organisation or its board members). If the HSCIC believe that their power to obtain this information engages the Section 35 exemption in DP, which removes the requirement to process personal data fairly, they would be welcome to explain this to the Tribunal. I used to think that this might work for them, but I’m not so sure now and I’d be thrilled to see them try.

The ICO has tried stakeholder engagement and they got very little for the public as a result. I can understand why a CMP may seem a disproportionate and unattractive move. I fear they will do nothing. But if the Commissioner’s Office wants to show that it is serious about holding organisations to account for anything other than self-reported security incidents, they could have an Enforcement Notice out in days. It would be a huge sign that the Commissioner is willing to get into difficult territory to uphold their legislation rather than maintain pleasant relations with government. I would sing their praises if they took the opportunity. The question is, do they have the guts?

And another thing

Put on your anoraks, friends, we’re going to Data Protection land.

My objection to care.data is that it is unfair – I believe that data should only be extracted from GP systems and used for research (no matter how beneficial) with consent. I am wary of care.data’s hype-man Dr Tim Kelsey, who said on Twitter that the NHS would “never” compromise patient privacy. I know Twitter enforces brevity, but he had room for ‘knowingly’, ‘intentionally’ or ‘deliberately’ and he didn’t feel the need for any of them. Everyone who knows how the NHS works (or has worked in it) knows that compromises of patient privacy – both physical and in information terms – happen often, despite much effort to prevent them. Even if Kelsey only meant care.data, it is still a promise he cannot possibly hope to keep. I am uncomfortable with the way the NHS Chief Data Officer – Dr Geraint Lewis – insists that receiving payment in return for information is somehow not ‘selling’ it (despite the universally recognised definition of ‘sell’ in any dictionary you choose) or that it is wrong to suggest that insurance companies will use data for insurance purposes when documents published by the Health and Social Care Information Centre say that they will.

However, on the narrower question of whether care.data is legal, especially in terms of whether it is legal under the Data Protection Act, I don’t think there is much of an argument. It is legal. If you have a majority in Parliament, you can make a lot of things legal. The people organising it don’t need your consent and are not attempting to obtain it. The leaflet drop is no way to inform people about such a significant step, but I don’t think it is required.

Here’s why:

1) CONSENT

Consent cannot be obtained through an opt-out. The EU Directive on which the DPA is based and with which it must comply says that consent must be freely given, and be based on a positive indication of the subject’s wishes. How can the absence of something be consent? The answer is that it can’t. An unticked box is an unticked box and nothing more. The health sector has invented the concept of ‘implied consent’, but this is a misnomer. When they talk about ‘implied consent’, what they mean is ‘inferred consent’ – a person actively does something (for example, they willingly turn up for a test or an examination), and their consent to treatment and data processing can be inferred from their actions.

What is happening with care.data is not an attempt to get consent because the Data Protection Act does not oblige an organisation to process data only with consent. It gives the organisation options – consent is one, and a legal obligation is another. GPs have a legal obligation to allow the data to be extracted (they have no choice) and that’s that. Consent is irrelevant. The opt-out is a legally unnecessary bonus offered by NHS England to get people like me off their backs – if you don’t like it (in Kelsey’s now deleted words, if you don’t want to make a contribution to society), opt-out. I think they could withdraw it, as I don’t see that the Health and Social Care Act 2012, which gives them the power to extract the data, obliges them to offer one.

Precisely why the health minister Dan Poulter told an MP in a written answer that the ICO may be involved in policing whether GPs have unusual amounts of opt-out is a mystery, as they have nothing whatever to do with it. The opt-out is for show; it’s not necessary for DP purposes.

2) FAIR PROCESSING

Parliament decided that GPs would have a legal obligation to provide (or rather, not prevent the extraction of) the personal data. However, as the ICO – in the form of Dawn Monaghan’s blog – confirms, GPs are the data controllers of the information and are therefore responsible for data protection compliance up to and including the extraction. The ICO goes on to say that: “responsibility for letting patients know what is happening falls to GPs, as the data controllers

The first Data Protection principle states that the use of personal data must be fair. Schedule 1, Part II of the Data Protection Act sets out precisely how that must be done – by providing certain information. Dinosaurs like me call it ‘fair processing’, whereas the current Commissioner has rebranded it a ‘privacy notice’. The information that must be supplied is the identity of the data controller, the purposes for which the data is being processed and any other information specific to the situation required to make the processing fair (surprises like – for example – your GP data will be passed to insurance companies). So if you’re unhappy with the level of information you’ve received, even though care.data isn’t their fault, you complain to your GP, because they are the data controller sharing the data, right?

Wrong.

Breathe in: Schedule 1, Part II, Section 3 (2) (b) contains a caveat. The fair processing data must be supplied unless:

“the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract” (my emphasis)

The above was overly complicated; I had overlooked the obvious. Section 35 (1) of the DPA states that personal data “are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court”. The non-disclosure provisions include all fairness considerations including fair processing.

In other words, the Data Protection Act says explicitly that if they are supplying the data in order to comply with a legal obligation, the GPs do not need to provide fair processing. The effectiveness of NHS England’s soft-soap leaflet is legally irrelevant, and if you complain to your GP about the information campaign, I think they’re in the clear.

If you think I’m technically incorrect here, by the way, feel free to comment. I sympathise with the GPs, so I think my interpretation has the small attraction of getting them off the hook, but if I’m wrong, I’d genuinely like to be put right.

But back on topic, precisely why the ICO does not want you to know this is something I cannot explain. I suspect that – like the legal precedent in the Durant judgment that says that subject access requests cannot be used for litigation – they regard it as an inconvenient truth that, if they ignore it, will go away. I suspect GPs will deal sympathetically with complaints from their patients, but they can turn the ICO away if it comes knocking. There is no threat there.

This is why I am appalled with care.data. Scrape away the hype and the window-dressing, and this is an authoritarian measure from which the relevant law offers no protection. Get something through Parliament, and the DPA is your poodle. That’s what happened here and even if you favour research, do you really think their means to your end is OK?

If you’re happy with care.data, nothing here will convince you otherwise and nor should it. But if you’re unhappy with care.data, face reality: consent is not required, the ICO’s powers are limited to what breaches they can find out about (AKA what they get told about), and even the opt-out is a non-statutory gift that can be removed. Quite why everyone including the ICO is pushing the GPs around is beyond me – we know who’s in charge, and they hold all the cards.

An intelligent, grown-up debate

The Chair of the Health and Social Care Information Centre, Kingsley Manning, wrote to the Guardian this week to ask for “an intelligent, grown-up debate” about the sharing of GP-held health data with the HSCIC, so that it can then be accessed by researchers of various kinds. This bracing proposition was almost immediately undermined by NHS England’s launch of a video in which a woman with a London-based Civil Servant’s idea of a Northern accent cheerfully exhorts us to Trust The Government while some fake-smurfs do an NHS jigsaw. Even in his own letter, Manning shows the kind of debate he really wants to have by whining about semantics: “The data will be issued on a cost recovery basis and not “sold”.” If Manning is unwilling to accept the plain meaning of common words and thinks we’ll be convinced by some pious plasticine, the “debate” will remain the hurricane of bullshit it has been since the beginning.

I’ve opted out of care.data and that’s that. It’s none of my business what you do (but I have included links on how you can opt out at the end, if you want to). If you have opted out, fine. If you haven’t and don’t intend to, then you’re either basking in the warm glow of playing your part in a grand enterprise to save the lives of your fellow citizens, or the spreading warmth you’re experiencing is NHS England pissing contemptuously on your leg. Time will tell. But I believe that many of the people on Manning’s side of the argument (which is what it remains) are hurling around nonsense to make their case, so here’s my contribution. There are four assertions that I have a particular problem with, and this is why.

1) We’re all nice people and we’re definitely not going to do shit things with your data

The NHS leaflet states “Records are linked in a secure system so your identity is protected.” It is pointless to be sarcastic about the claim that a government IT project will be secure and will work as intended. Nobody believes this, right? If you don’t think that it will be hacked, will fall over, will end up riddled with inaccuracies and be a tempting target for thieves, I hope nobody ever fills you in about Father Christmas. That’s not the problem.

The problem with the leaflet is the specific nonsense, rather than the general. It mentions only “approved researchers”, rather than insurance companies and other private sector organisations. We are told “We sometimes release confidential information to approved researchers, if this is allowed by law”. The entire care.data wheeze wasn’t allowed by law a few years ago, and now it is. We’re not talking about tablets of stone. They’ve created the framework and make these promises now – if NHS England or someone else want to change the rules later, you didn’t opt-out so you’re stuffed. Even those of us who opt out are warned that our data could be shared if “allowed by law”.

After Leveson, the press relentlessly argued against the principle of state regulation for fear of what a future authoritarian government would do with such a lever. The mechanism for access to GP data exists; insurance companies will already get access in their guise as ‘approved researchers’. How hard is it to imagine a future government ‘allowing by law’ access to this data by the police, financial services and insurance companies, and a whole range of others? Think about the pile of data from a police perspective: access to information about every citizen in the country, all aggregated in one place? Don’t mind if I do!

This is not going to happen now; but if you haven’t opted out, your data will be aggregated with everyone else’s in one place, just waiting for one of those magic laws that made this possible in the first place. We’ve experienced an authoritarian, surveillance-obsessed government desperate to court the private sector in very recent memory – what would Blair and John Reid have done with this?

2) You already do privacy invasive things to yourself, so you should let us do some

I remember sitting in a stuffy office six or seven years ago while a civil servant from the Department for Education (or whatever it was called then) cooed about the wonders of Contact Point (or whatever it was called then). When challenged about what parents would say – especially as they would be complaining to us the Council, not the faceless department – she was dismissive. All those parents have already got ClubCards – what’s the difference? Roy Lilley played this (Nectar) card in his blog, bewildered about the fuss. You give your data away all the time, so what is all the fuss about? This is just like having a loyalty card.

Care.data is nothing like having a Nectar Card. Sainsburys have not given themselves the legal power to force us all to have a Nectar Card, and then tossed out a poorly handled, badly-explained opt-out which many people won’t actually notice. Even if you opt into having a Nectar Card, you can opt-out of the marketing and some of the data sharing, while still enjoying the modest discounts. Admittedly, like care.data, all loyalty cards are sold in a disingenuous way – they don’t reward loyalty but pay a below market-value price for data about your shopping habits. But they are entirely optional and you can shop in the relevant stores without even having one. Oh, and Nectar collects data about shopping, not data about your health.

I don’t think people should use Facebook, especially not in the way they spray every last intimate detail of their private lives there. I don’t think people should announce on Twitter that they are on holiday (because burglars). I think people should close their curtains when they get changed (thinking of none of my neighbours in particular). But that shouldn’t feed a sense of entitlement. Quite the opposite; the state should be encouraging its citizens not to overshare, rather than using it as ammunition for a data grab. One pro care.data tweeter told me that if I was concerned about my privacy, I should stop using the internet. That’s right, because cookies using my browsing habits to show me adverts for things I bought two days ago is exactly analogous to information about my health being extracted and shared under rules I didn’t agree to, for purposes approved by unelected and unaccountable people I have never heard of. It’s the same. I feel so stupid now that you’ve explained it like that.

3) People won’t misuse data because it’s illegal

Lilley also raises the scary penalties argument, one also adopted on Twitter by Geraint Lewis, and by Manning’s Guardian letter. As Lilley puts it: “Does it mean an insurance company that also provides care could obtain it for one purpose and use it for another? If they did it would be a criminal and civil offence in law and someone would go to jail.” No breach or offence in DP is punishable with a jail term, and Lilley should have done his research before asserting this. And besides, the whole murder being illegal has been a roaring success.

Of course, you’re perfectly entitled to believe that commercial companies involved in this process will definitely not attempt to re-identify the individuals – assuming that they haven’t been given identifiable data in the first place – and furthermore, you are more than welcome to tell me with a straight face that Commercial Companies Don’t Do Bad Things Like That. Go on. With a straight face.

So back in the real world, for the criminal sanction to be used, firstly, the Information Commissioner would have to find out. Bear in mind, what commercial companies could do is not obvious or attention-grabbing; they could factor the data into already complex and multi-layered calculations about insurance, for example. People may see premiums go up, they may even be refused insurance altogether, but the companies are not going to admit how this happened and it will probably be impossible to prove. Even if the ICO had evidence – beyond a reasonable doubt – that the insurance companies were misusing the data, there would first be an argument about whether the data was personal at all, and even if the ICO made the case, it is technically impossible for anyone to go to jail because the punishment for a criminal breach is a fine.

Of course, the ICO could – again assuming by some unexplained set of circumstances that they find out – take action for a civil breach of the DPA’s first and second principles, something Lewis suggested that they would do. But the maximum current fine is £500,000, so assuming that the ICO enforced at the maximum level, it would still probably be worth their while. And lest we forget, the ICO has issued 45 CMPs, and only 7 have been against the private sector. They have never issued a CMP for a 1st or 2nd principle breach.

The ICO taking on massive private sector organisations with huge budgets, pursuing either criminal or civil enforcement that they have never attempted before in any context, wrestling with the slippery concept of pseudonymised data (which most people struggle to pronounce, much less understand), based on evidence that I have no idea how they would source: that’s what’s going to stop the misuse of data.

I’m reassured: you?

4) If you don’t like it, you can opt-out

I expect my opt-out to be temporary. I don’t believe the people who want to do this have any respect for my wishes, and at some point, they will change the rules. It will either happen because enough of us opt out now to skew the results, or because in a year or so, somebody in NHS England will be emboldened because nothing obvious has gone wrong.

I don’t say this because I think the people running this scheme are evil or conniving. It’s quite the opposite. It’s only because they’re not evil, only because they’re so convinced that they’re doing the right thing that they’re able to treat their fellow citizens with such disrespect. It’s the same mentality that allows charities to get overbearing drama students to bully people in the street to sign up to direct debits, despite the huge slice of the donation that usually goes upfront to the company the students work for. You knew that, right?

But we are where we are. Our most private data is taken without consent, and the best we get is a leaflet sneaked out with the takeaway dross and a patronising cartoon. Anyone who has opted out of the Royal Mail’s unaddressed mail deliveries won’t get the leaflet. UPDATE: as Doug Paulley pointed out to me, people living in care homes and shared accommodation won’t see the leaflet. Anyone who is sick of the endless tide of pizza menus and offers for Sky won’t notice the leaflet and will bin it without reading it. Anyone who reads it is told to ring or go to see their GP – that’s right, waste the precious time of a medical professional to ask their advice on a privacy-invasive wheeze that GPs didn’t ask for, and yet might be punished for if they don’t get right.

There is no “an intelligent, grown-up debate” here. At the stroke of a legislative pen, intimate details of every citizen who is not plugged in to what is happening will be taken and exploited (even if for good reasons) by an establishment clique. Even if it could be guaranteed that not one scrap of data would be lost or misused, such an audacious assault on a society’s privacy should only be contemplated with permission. And the possibility of asking us for consent has never been on the table. Not for a moment. Instead, the fine folk who are running this scheme have treated their fellow citizens like children; there is no attempt to persuade, just a decision that because they can do this, they will.

UPDATE: I ranted all the way through this and didn’t include two crucial things: the addresses of those advising you how to opt out. Look at www.care-data.info or www.medconfidential.org. I included a stamped plain postcard with my opt-out letter and asked my GP to send it back to me to confirm receipt. They were kind enough to do so. Some practices are offering opt-outs online or accepting them via email.