Just say no

On Friday December 16th 2016, I had a routine eye test. The optician noticed swelling on the optic discs at the back of my eye, and I was dispatched to the Manchester Eye Hospital to attend their Emergency Eye Clinic. This is basically A&E for eyes, a mix of swollen eyelids, sudden blindness and people who should have just gone to an optician. I arrived at 2.45pm, and fairly quickly, I was put in the ‘people who need to be seen’ pile. However, this meant waiting for the next available doctor, and like any A&E, the wait was long.

At 5.30, having waited in a dull holding area (with the files of other patients unattended and clearly visible), I was seen by a doctor. At this point, I was bored and worried, desperate to go home but desperate to find out what was going on in my head. Swollen discs can mean all sorts of things, you see, but one of the things Google told me that they can mean is Brain Tumour.

The doctor was terrible. He examined my eyes, pulled faces, and asked lots of questions about the medical history of my family without explaining the significance of any of them. In the middle of that barrage of questions was this one: ‘Any history of tumours in your family?’. Of course, having sat there for nearly three hours with only Google Searches That Spell Imminent Death for company, this question fired out of nowhere was just perfect. After the obligatory disappearance act to consult with a more senior doctor, I was told that they wanted to scan my brain in case “God Forbid” there was a tumour in there.

I was shunted back into another holding area, then at around 7pm a very sympathetic nurse inserted a cannula into my arm so that they could put a dye into my bloodstream when scanning me (a process that never actually happened) and explained ‘We’d like to do a CT scan’. She told me where to go, and because I was evidently in a bad place mentally, made clear that if I wanted to go for a walk before the scan, that would be fine. At length (and after it became clear that the people doing the CT scan weren’t actually expecting me), I had the scan. Several hours later, they decided I had high blood pressure and I went home at 10.45pm.

Looking at the whole thing as a Data Protection professional rather than a patient, the thing that leapt out at me at the time was the boxes of paper records left unattended. During the day, the holding area I was sitting in is very busy, with at least one member of staff behind the desk able to prevent access. When I was there on the Friday evening, there were long stretches when I could have got behind the desk and read the files, and nobody would have known. It’s an open question as to whether a patient left alone with unattended medical records is a ‘personal data breach’ that would have to be reported to the Information Commissioner.

In retrospect, there is a more interesting question. Carrying out a CT scan is processing personal data – it involves the creation of a scan of the patient’s brain which is plainly sensitive personal data (under GDPR, special categories data). So, what condition did Manchester Eye Hospital have for processing my personal data, and did they provide me with adequate fair processing?

Here’s the thing: they didn’t have my consent and I suspect they think they did. They probably didn’t have Data Protection Act consent, but they definitely didn’t have GDPR standard consent. I’m sure many readers will disagree. Surely my lying down to have the scan is a “clear affirmative action”, signifying my agreement to the processing?

Well, it’s not that simple. First, there is the lack of fair and transparent processing. I was told why they wanted to do the scan, but I wasn’t told who would get access to it (which in today’s NHS could be Google), how long it would be kept for, what legal basis they were relying on and so on. Even if the DPA doesn’t demand this now, it’s hard to argue that the processing would be fair unless I was told these things. Moreover, without any fair processing, any consent I gave would not be informed and specific.

The second problem is that my consent was not freely given. I was tired after hours of sitting around, I had been given limited information by a doctor with poor communication skills and frankly I was scared that I had a brain tumour. I hadn’t eaten or drunk very much, and my phone was dead so I couldn’t discuss it with anyone else. I do not believe I had the capacity to freely give my consent to have my brain scanned. At no point did anyone say ‘Do you consent to having your brain scanned?’; it was couched in passive language: we would like to do this, and if I didn’t object, my consent was assumed.

Then there is the power imbalance – people like to talk about ‘Our NHS’ as if we all collectively own it, but that’s bullshit. Surrounded – outnumbered – by doctors and nurses who want to do something, it’s hard to say no. Indeed, I am aware of cases where a person who refuses to do what the doctors want has been sectioned. Admittedly, as a white, middle-aged, middle-class man, I’m probably less likely to be subjected to this, but who knows. What would they have done if I had said no?

In this context, recital 43 of the GDPR is worth reading:

consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation

I think the power imbalance between the assembled medical staff and me made it impossible for me to say ‘no’, especially when considering the specifics of the situation. I had gone from a routine eye appointment to a request for a brain scan to find out if I had a brain tumour. My ability to make decisions was fried. A few months later, I got up at 7am on a Sunday to drive to Trafford Hospital where some improbably chirpy technicians did an MRI on my head. That interaction was certainly closer to consent than the CT scan, but strictly speaking, nobody asked my consent. It was a lot better, but by no means the only way in which the NHS processes data.

Since my diagnosis of high blood pressure, I have spent an afternoon in a specialist diagnostic ward in one hospital, had the above MRI in another, had separate MRIs and ultrasound scans on my kidneys, a shedload of blood tests and monthly appointments at my GP. My GP aside (who is excellent at explaining everything), the standard of fair processing in all my interactions with the NHS since last December has been lamentable. I don’t know who gets access to my data, I don’t know what for, and nobody has told me how to find out. There may be a privacy notice somewhere on a website but I don’t know where it is and nobody told me how to find it.

I respect and trust my GP. Every nurse I have met, even those briefly sticking a needle in my arm, has been exemplary. The team at the ARMU at Wythenshawe Hospital are superb, both at medicine and communication (in fact, every experience I have had there has been good). But for all the fact that I can be a troll sometimes, I have never caused as much hostility and frustration as when I give my honest opinion about my experiences in the NHS. People are angry with me if I speak my mind. Criticising the NHS is modern-day blasphemy. I’m only writing this blog now because it looks like my eyes are getting better and I probably haven’t got a brain tumour (although the fact that the hospital lost the brain MRI for several months because of the virus infection in May dents my confidence in this). I worry about pointing out the Eye Hospital’s failings because I do have to go back there. Do I want to be treated by people who know that I have criticised them online? This is the power imbalance in a nutshell.

So what’s my point?

The GDPR is built on an improved model of Data Protection – organisations should be transparent, and wherever possible, subjects should be empowered. One of the most important elements in this relationship is the proper treatment of consent. Ironically, given the number of ill-informed articles claiming that GDPR requires consent for data processing, a significant effect of GDPR should be to reduce reliance on consent. Organisations, especially those like the NHS who purport to rely on it, should be much more honest with people. Sometimes you don’t have a choice at all and a thing is going to happen whether you like it or not (HELLO, ROYAL FREE HOSPITAL). Sometimes, there isn’t a real choice – ask me whether I want you to find out whether I have a brain tumour, and honestly, the answer’s no. Rationally, the answer’s probably ‘OK then’, but it’s not much of a choice and in my case, the question wasn’t even posed.

The NHS is going to breach the GDPR as much in spirit as in practice if it continues in its dubious mantras of implied consent and ‘no decision about me without me’. The fact that a person doesn’t have to be physically forced into the scanner does not mean that they have consented, especially if they haven’t been told clearly and directly how that data will be used. In many situations throughout the NHS, medical professionals think they have consent, tell each other they have consent, and they don’t. There are other options in the GDPR, of course, including a rock-solid legal condition for special categories data for the purposes of medical treatment and diagnosis (Article 9(2)(h)). But many people in the NHS still think consent is their byword and it really isn’t.

For one thing, secondary uses for analysis and research either have to stop, or a much more open and transparent process has to be developed to contact people directly, either to be transparent or, if that’s the basis being relied on, to seek consent. For all my many scans and blood tests since last December, I have to assume that none of them will ever be used for any purpose other than the direct diagnosis and treatment of my condition, because I have never been given a hint that anything else will happen. But is that true?

For another, if the NHS is going to get to grips with GDPR philosophically, it has to be much more honest about the flawed nature of the consent it thinks it’s getting. For years, NHS staff have told me on training courses that a patient rolling up their sleeve is evidence of ‘implied consent’ to take blood (and by further implication, process the data that flows from the test). In fact, what they have at best is inferred consent; and with the power imbalance, possibly not even that.

We know for certain that the Information Commissioner will not tackle this issue because they are terrified of challenging such fundamental issues. Elizabeth Denham’s trumpeting of a slapped-wrist undertaking for the Royal Free Hospital’s misuse of 1.6 million people’s personal data was, at least for me, the final nail in the coffin of her credibility. As a friend of mine said, the chief role of each new Commissioner is to make the last one seem better. I am not predicting fines or enforcement of any kind; it won’t happen. But the best thing about the GDPR is its recognition that we are human beings who deserve respect and autonomy. My experience of the NHS in Manchester is far from achieving that.

Tick here to confirm you haven’t read this

Every now and again, I have an argument on Twitter with Eduardo Ustaran, Head of Privacy and Information Law at everyone’s favourite law firm Field Fisher Waterhouse (for some reason, I can hear John Williams’ ‘Imperial March’ playing somewhere). Ustaran believes consent is unsuited to the world that we’re living in now, and that for privacy laws to work effectively, different methods are needed to regulate and protect data. I think that consent is just fine, and the problem is that some organisations don’t like obtaining consent because people say no.

It’s obviously a matter of opinion as to whether privacy has to adjust to the needs of the digital world, or whether the digital world has to make concessions to privacy. However, there is a point on which I am certain Ustaran is wrong. He’s far from being the only person who says it (I’ve even heard senior people at the ICO trot out the same nonsense despite what their own guidance says, and Which? do it all the time), but Ustaran is a highly respected figure in the Data Protection and Privacy world, and his views carry weight. Therefore, I think it’s necessary to challenge them. In conversation with someone else, but using the all-important ‘.’ at the start of his tweet to declare “hey all of my followers, come see this thing I am saying”, Ustaran said this:

You nailed it. Consent can technically be “obtained” even when people are unaware, but transparency seeks awareness.

You can’t give consent without knowing it, Eduardo. No. No, you can’t. Whatever the above scenario is, whatever the organisations who have a pre-ticked box on their website saying ‘I have read your 47 page privacy policy’ think they’ve got, consent isn’t it. If the law asked for meaningless tick box gestures, it would be fine, but it doesn’t.

Instead, the EU Data Protection Directive sets out a strict test for consent. To use consent as the justification for using, sharing or selling personal data, the organisation must have a ‘freely given, specific and informed indication’ of the subject’s wishes. This is a high bar to clear. You must have had a genuine choice (freely given), you must know what you’re agreeing to (informed), you must have agreed to something that has been properly defined (specific), and you must have done something active (indication). It’s entirely possible to do this without a tick box, but a tick box by itself is nothing. There is no question that this makes life difficult for those who don’t have legal powers, obligations or contractual requirements. It makes the private sector’s ability to use data for purposes beyond those necessary for delivering a product or service quite tricky. This is why, years ago, the Information Commissioner’s old Legal Guidance to the Data Protection Act effectively told Data Controllers that consent was a last resort:

The Commissioner’s view is that consent is not particularly easy to achieve and that data controllers should consider other conditions in Schedule 2… before looking at consent

I disagreed with Ustaran’s tweetings, saying that consent couldn’t be consent if it wasn’t freely given. His response was “I know, but how many times do you click on ‘I Accept’ without reading the Privacy Policy or Cookie Policy?”. Of course, the answer to this is that I always read them, but if Ustaran really believes that the people who don’t read them have consented, I don’t see how he can be right. In fact, I think he proves my point for me. Pretending that you’ve read a long-winded, technical, jargon-ridden, legalistic privacy policy is not providing a freely given, specific and informed indication of your wishes. It’s the opposite. Ustaran doesn’t think people read privacy policies, so he has to accept that by ticking the box to say that they have, they’re not consenting. They’re ticking a box to move on. That’s all. And you don’t have to take my word for it. Try this from the ICO’s recent ‘Direct Marketing’ guidance:

Organisations must make sure they clearly and prominently explain exactly what the person is agreeing to, if this is not obvious. Including information in a dense privacy policy or hidden in ‘small print’ which is hard to find, difficult to understand, or rarely read will not be enough to establish informed consent.

Ironically, a fair slice of the blame for the unreadable and therefore – in consent terms – useless nature of privacy policies comes from Ustaran’s profession, because lawyers clearly write the blasted things. Perhaps a privacy policy Ustaran would write would be a model of economy and simplicity, but most web-based T&Cs are written in congealed, prolix legalese. I wanted to use the WiFi in a hotel in Belfast yesterday, and I had to endure three pages of T&Cs and a linked Privacy Policy that had probably been written by Flywheel, Shyster, and Flywheel. If lawyers think that privacy policies are a legitimate way of getting consent, they need to express themselves in plain English (or even better, have policies written by normal human beings) and find innovative ways of ensuring that the punter has read the policy. If organisations find it difficult to get the meaningful, legal consent that they need from people, this is the fault of neither Data Protection nor the punters. Apply the notion of ‘don’t blame me, technically you consented’ to any other situation, and you’ll come out sounding like Roger Helmer.

There are several options. Rather than relentlessly blaming consent, those involved in obtaining it should look at what that consent is being sought for. Give people simple, meaningful choices. Level with the customer about how the internet is paid for, and how you expect them to pay for your part of it. Consider – and this still seems to be anathema to many – giving the owner of the data a cut of the money you intend to make. Tesco is the subject of much urban myth and paranoia about its ClubCard scheme (admittedly the T&Cs are far from perfect), and yet the business model is simple, sound and optional: they pay you with vouchers and offers for your data. Rather than rewriting reality in search of solutions to the consent problem that (I fear) might be more business than consumer friendly, this is the kind of transparency we should be looking for.