Shame

In the flood of positive PR for Freedom of Information’s 10th anniversary, a piece appeared in the Manchester Evening News that shows a possible downside of the legislation. The MEN is my local paper and the main hospital in the story is the closest to my house, but I didn’t notice it – it was highlighted on Twitter by Dr Ben Goldacre and then to me by Sarah White.

The story concerns individuals who make multiple visits to A&E departments, and in particular, the revelation that one person went to A&E at Wythenshawe Hospital more than 100 times in an 11 month period in 2014. Several individuals – including a child – are mentioned, including the number of times they attended and the hospital in question, although the reasons for attendance are not revealed. The information was obtained using FOI.

An (unnamed) spokesperson says: ““Due to patient confidentiality, we would not comment on individual cases” but the problem is, they already have commented on individual cases by releasing data at an individual level. Goldacre’s concern – encapsulated in a comment he put on the story – is that by releasing the information and facilitating comments, these individuals are being exposed to unkind comments from strangers. As one of the other (unnamed) spokespersons observed, one of the likely reasons for multiple A&E attendances is mental health issues. Imagine being the person who went to Wythenshawe 116 times last year, and reading your story, reading comments about what you have done being ‘disgraceful’. Admittedly, the MEN’s handling of the story isn’t as hysterical as it would be in the Dailys Mail or Express, but how long will it take for them to pursue a similar story?

What happens if the parents of the kid mentioned in the story realise that it’s their family who are the “A&E frequent fliers“, draining the resources of “embattled” local hospitals? What happens if, as a result of the shame (which I suspect is the intended effect of this story), they don’t take their kid to A&E next time? What happens if the alcoholic, the self-harmer, the domestic violence victim, the anorexia sufferer – what happens if one of them knows or suspects that they are one of the frequent fliers, and then they don’t attend when they need to?

I live in the same postcode as Wythenshawe Hospital, I frequently drive and cycle past it, and several people that I know and love have been treated there. The ‘frequent flier’ could be one of my neighbours, someone who shops at the local supermarket; if I wasn’t so resolutely anti-social, I might even know them. It’s not likely that I would be able to identify them, but University Hospital of South Manchester NHS Trust (UHSM), the public authority that runs Wythenshawe and answered the FOI request, have consciously set those hares running to make a point about the over-reliance on A&E. That woman who always has an ambulance outside her house, that woman who is always down at A&E, I bet it’s her.

I am about to fall into the worst FOI trap, one I mention every time I run an FOI training course. It’s almost impossible to say that any request is an abuse of what FOI is intended for, because FOI is not intended for anything. It has no purpose clause, nothing to say what you’re supposed to use it for. If the Manchester Evening News want to try to use it to get a quick headline at the expense of vulnerable people, they’re absolutely entitled to do so but they shouldn’t get the information. And here I jump into the trap: FOI is not for this. FOI is not there to expose citizens, it is to expose the organisations that serve them. We need to know that A&E departments are run properly, that the managers responsible for them ensure that services are available so that people are not reliant on them when they should be elsewhere in the NHS system. However, exposing civilians to the glare of publicity is wrong and moreover, unnecessary.

I believe that the likelihood that the individuals cited in this story may be identifiable to their friends and neighbours, and as such, the release of their personal data is unfair – UHSM should have used Section 40 of the FOI Act to refuse to disclose this information on the basis that to do so would breach the Data Protection Act. I also believe – as Ben Goldacre said – that disclosure is likely to lead to adverse comment, and so Section 38 of FOI (which prevents disclosures that would endanger physical or mental health or safety) should also have been used to refuse. No matter how difficult and expensive some of these people might be, exposing them to shame and possible identification is a disgrace. It should not have happened.

Doctor knows best

Dr Clare Gerada, who was until recently chair of the Royal College of General Practitioners, has written an article for The Times about care.data, stoutly defending the scheme and its benefits for the public. The Times doesn’t give its stories away for free (a stance that they’re perfectly entitled to adopt), so if you want to read the article itself, you’ll either have to subscribe online or buy the newspaper like I did. Accompanying the comment piece is a short article in which she is quoted, perhaps less formally.

The article itself is familiar stuff. “We have nothing to fear” from care.data. Our data will be safe, secure, and used only for “proper and appropriate purposes”. Dr Gerada deserves credit for making clear that identifiable data will be shared outside the Health and Social Care Information Centre: she acknowledges that information will “not be anonymised at all times” because anonymised data only works in a limited number of circumstances. This frankness is refreshing, especially given the fevered Twitter commentary from NHS England’s apparently bewildered National Director for Patients and Information, Tim Kelsey, who still won’t admit that the exchange of a commodity for money is ‘selling’, or that pseudonymised data is identifiable. Only one statement in the comment piece really jars. Gerada describes the care.data leaflet as “asking if we would like to share our data”: we’re being offered an opt-out, and it’s unreasonable to finesse it as being an active choice.

I am also wary of the notion that “Part of the compact to get a universal, free health service is to allow data to be used to monitor diseases, plan services, and look at trends in old and news diseases”. The NHS is not free; it’s just free at the point of delivery. We pay for the NHS with our taxes. Even the poorest pay tax on their weekly shop and the idea that we also have to pay for the NHS with our data is not part of any deal I have ever seen. A much wider debate is necessary on that before we can let that remark slide. Nevertheless, if you want to see the case in favour, Gerada’s comment piece is a well-informed and persuasive rehearsal of the NHS England position. It’s interesting that nobody directly involved in care.data has been able to put the case as fluently and I have no hesitation in recommending it to you.

However if you do read it, permit me to suggest that you read the separate article, and compare what Dr Gerada says when commenting in the Times with what she says on Twitter. She opens her article with the mournful statement that we live in an “Age of Mistrust”. Perhaps one of the reasons is that those we need to trust turn out to have such clunking feet of clay.

Even the comment piece is misleading when put into context. Gerada states that those who do wish to avoid the “very low risk” of re-identification “should be allowed” to opt-out. That’s very generous, except Gerada doesn’t really believe it. On February 3rd, she said on Twitter “I dont think we should be able to opt out – but hey-ho”. She also said on 26th January: here and 25th January: here. There are other similar statements. I can’t find any evidence of a Damascene conversion in advance of her appearance in The Times. Gerada’s comment piece is designed to be reasonable and soothing but her views are actually much less sympathetic to any notion of choice. Should I trust someone who isn’t straight with people about what they really think?

This is bad enough on its own terms, but when you move to the comments in the accompanying article, it gets worse. Gerada is quoted as describing GPs who are opting their patients out unless they choose to opt in as ‘patronising’. She goes on to say that “It is not right for GP practices to make this decision on their patients behalf”. Gerada doesn’t think we should have a choice, but describes those who do as ‘patronising’. It’s an interesting choice of word, as when I used it on Twitter to describe Gerada’s approach to care.data, she responded that she was “just opening up a debate. Will not continue now as clearly wrong”, and later observed that calling people patronising was evidence of “how easy it is to then become personal in the debate- hence squashing further debate.” I shouldn’t call her patronising, but it’s fine for her to smear her fellow GPs with the same word.

Perhaps I overstep the mark if I say that Dr Gerada has a patronising attitude towards her fellow citizens. It may be too much to assert that her article for the Times was hypocritical. It won’t help the ‘debate’ very much if I do. However, how helpful, how constructive is it for Gerada’s to summarise her opponents in this way: The Times quotes her as saying that the act of opting out is ‘selfish, a bit like people who don’t give their kids MMR for herd immunity’. Perhaps you can think of a comment more precisely designed to squash a debate, but I’m dry for now.

Those of us who say no are not simply concerned for our privacy and keen to be given a choice. We’re not even “conspiracy theorists” (which is what she called us earlier this week). We who say no are dangerous. Our decision to opt-out actively puts our fellow citizens at risk. Like Tim Kelsey’s loaded statement on the Today programme earlier this week that those who “do not trust the NHS” to protect their data can opt-out, Gerada’s comments on Twitter and to the Times journalists shows where we’ve got to: Us Versus Them, NHS Fundamentalists versus paranoid heretics. We’re through the looking glass, as one wise person put it to me, and now all that matters is faith. Do you believe in the NHS, or are you against it? All I need to do is finish my blog with a hysterical word like totalitarian or fascist – with due respect to Mike Godwin – and it just gets worse.

Like everything I have written on this subject both here and on Twitter, I doubt it will have any effect on your view of care.data. Either you already agree with me, in which case you will be even more convinced, or you don’t, and you will complain that I am making a personal attack on a respectable, dedicated public figure (needless to say, I have no doubt that Dr Gerada is a respectable, dedicated public figure, which is why I find her view of people like me so depressing). I cannot think of a single issue in my professional life that I have found more dispiriting than looking at this one. It’s become toxic and divisive. They don’t respect or trust Us, and We don’t respect or trust Them. There’s no hope of a resolution.

An intelligent, grown-up debate

The Chair of the Health and Social Care Information Centre, Kingsley Manning, wrote to the Guardian this week to ask for “an intelligent, grown-up debate” about the sharing of GP-held health data with the HSCIC, so that it can then be accessed by researchers of various kinds. This bracing proposition was almost immediately undermined by NHS England’s launch of a video in which a woman with a London-based Civil Servant’s idea of a Northern accent cheerfully exhorts us to Trust The Government while some fake-smurfs do an NHS jigsaw. Even in his own letter, Manning showns the kind of debate he really wants to have by whining about semantics: “The data will be issued on a cost recovery basis and not “sold”.” If Manning is unwilling to accept the plain meaning of common words and thinks we’ll be convinced by some pious plasticene, the “debate” will remain the hurricane of bullshit it has been since the beginning.

I’ve opted out of care.data and that’s that. It’s none of my business what you do (but I have included links on how you can opt out at the end, if you want to). If you have opted out, fine. If you haven’t and don’t intend to, then you’re either basking in the warm glow of playing your part in a grand enterprise to save the lives of your fellow citizens, or the spreading warmth you’re experiencing is NHS England pissing contemptuously on your leg. Time will tell. But I believe that many of the people on Manning’s side of the argument (which is what it remains) are hurling around nonsense to make their case, so here’s my contribution. There are four assertions that I have a particular problem with, and this is why.

1) We’re all nice people and we’re definitely not going to do shit things with your data

The NHS leaflet states “Records are linked in a secure system so your identity is protected.” It is pointless to be sarcastic about the claim that a government IT project will be secure and will work as intended. Nobody believes this, right? If you don’t think that it will be hacked, will fall over, will end up riddled with inaccuracies and be a tempting target for thieves, I hope nobody ever fills you in about Father Christmas. That’s not the problem.

The problem with the leaflet is the specific nonsense, rather than the general. It mentions only “approved researchers”, rather than insurance companies and other private sector organisations. We are told “We sometimes release confidential information to approved researchers, if this is allowed by law”. The entire care.data wheeze wasn’t allowed by law a few years ago, and now it is. We’re not talking about tablets of stone. They’ve create the framework and make these promises now – if NHS England or someone else want to change the rules later, you didn’t opt-out so you’re stuffed. Even those of us who opt out are warned that our data could be shared if “allowed by law”.

After Leveson, the press relentlessly argued against the principle of state regulation for fear of what a future authoritarian government would do with such a lever. The mechanism for access to GP data exists; insurance companies will already get access in their guise as ‘approved researchers’. How hard is it to imagine a future government ‘allowing by law’ access to this data by the police, financial services and insurance companies, and a whole range of others? Think about the pile of data from a police perspective: access to information about every citizen in the country, all aggregated in one place? Don’t mind if I do!

This is not going to happen now; but if you haven’t opted out, your data will be aggregated with everyone else’s in one place, just waiting one of those magic laws that made this possible in the first place. We’ve experienced an authoritarian, surveillance-obsessed government desperate to court the private sector in very recent memory – what would Blair and John Reid have done with this? 

2) You already do privacy invasive things to yourself, so you should let us do some

I remember sitting in a stuffy office six or seven years ago while a civil servant from the Department for Education (or whatever it was called then) cooed about the wonders of Contact Point (or whatever it was called then). When challenged about what parents would say – especially as they would be complaining to us the Council, not the faceless department – she was dismissive. All those parents have already got ClubCards –  what’s the difference? Roy Lilley played this (Nectar) card in his blog, bewildered about the fuss. You give your data away all the time, so what is all the fuss about? This is just like having a loyalty card.

Care.data is nothing like having a Nectar Card. Sainsburys have not given themselves the legal power to force us all to have a Nectar Card, and then tossed out a poorly handled, badly-explained opt-out which many people won’t actually notice. Even if you opt into having a Nectar Card, you can opt-out of the marketing and some of the data sharing, while still enjoying the modest discounts. Admittedly, like care.data, all loyalty cards are sold in a disingenuous way – they don’t reward loyalty but pay a below market-value price for data about your shopping habits. But they are entirely optional and you can shop in the relevant stores without even having one. Oh, and Nectar collects data about shopping, not data about your health.

I don’t think people should use Facebook, especially not in the way they spray every last intimate detail of their private lives there. I don’t think people should announce on Twitter that they are on holiday (because burglars). I think people should close their curtains when they get changed (thinking of none of my neighbours in particular). But that shouldn’t feed a sense of entitlement. Quite the opposite; the state should be encouraging its citizens not to overshare, rather than using it as ammunition for a data grab. One pro care.data tweeter told me that if I was concerned about my privacy, I should stop using the internet. That’s right, because cookies using my browsing habits to show me adverts for things I bought two days ago is exactly analogous to information about my health being extracted and shared under rules I didn’t agree to, for purposes approved by unelected and unaccountable people I have never heard of. It’s the same. I feel so stupid now that you’ve explained it like that.

3) People won’t misuse data because it’s illegal

Lilley also raises the scary penalties argument, one also adopted on Twitter by Geraint Lewis, and by Manning’s Guardian letter. As Lilley puts it: “Does it mean an insurance company that also provides care could obtain it for one purpose and use it for another?  If they did it would be a criminal and civil offence in law and someone would go to jail.” No breach or offence in DP is punishable with a jail term, and Lilley should have done his research before asserting this. And besides, the whole murder being illegal has been a roaring success.

Of course, you’re perfectly entitled to believe that commercial companies involved in this process will definitely not attempt to re-identify the individuals – assuming that they haven’t been given identifiable data in the first place – and furthermore, you are more than welcome to tell me with a straight face that Commercial Companies Don’t Do Bad Things Like That. Go on. With a straight face.

So back in the real world, for the criminal sanction to be used, firstly, the Information Commissioner would have to find out. Bear in mind, what commercial companies could do is not obvious or attention-grabbing; they could factor the data into already complex and multi-layered calculations about insurance, for example. People may see premiums go up, they may even be refused insurance altogether, but the companies are not going to admit how this happened and it will probably be impossible to prove. Even if the ICO had evidence – beyond a reasonable doubt – that the insurance companies were misuing the data, there would first be an argument about whether the data was personal at all, and even if the ICO made the case, it is technically impossible for anyone to go to jail because the punishment for a criminal breach is a fine.

Of course, the ICO could – again assuming by some unexplained set of circumstances that they find out – take action for a civil breach of the DPA’s first and second principles, something Lewis suggested that they would do. But the maximum current fine is £500,000, so assuming that the ICO enforced at the maximum level, it would still probably be worth their while. And lest we forget, the ICO has issued 45 CMPs, and only 7 have been against the private sector. They have never issued a CMP for a 1st or 2nd principle breach.

The ICO taking on massive private sector organisations with huge budgets, pursuing either criminal or civil enforcement that they have never attempted before in any context, wrestling with the slippery concept of pseudonymised data (which most people struggle to pronounce, much less understand), based on evidence that I have no idea how they would source: that’s what’s going to stop the misuse of data.

I’m reassured: you?

4) If you don’t like it, you can opt-out

I expect my opt-out to be temporary. I don’t believe the people who want to do this have any respect for my wishes, and at some point, they will change the rules. It will either happen because enough of us opt out now to skew the results, or because in a year or so, somebody in NHS England will be emboldened because nothing obvious has gone wrong.

I don’t say this because I think the people running this scheme are evil or conniving. It’s quite the opposite. It’s only because they’re not evil, only because they’re so convinced that they’re doing the right thing that they’re able to treat their fellow citizens with such disrespect. It’s the same mentality that allows charities to get overbearing drama students to bully people in the street to sign up to direct debits, despite the huge slice of the donation that usually goes upfront to the company the students work for. You knew that, right?

But we are where we are. Our most private data is taken without consent, and the best we get is a leaflet sneaked out with the takeaway dross and a patronising cartoon. Anyone who has opted out of the Royal Mail’s unaddressed mail deliveries won’t get the leaflet. UPDATE: as Doug Paulley pointed out to me, people living in care homes and shared accommodate won’t see the leaflet. Anyone who is sick of the endless tide of pizza menus and offers for Sky won’t notice the leaflet and will bin it without reading it. Anyone who reads it is told to ring or go to see their GP – that’s right, waste the precious time of a medical professional to ask their advice on a privacy-invasive wheeze that GPs didn’t ask for, and yet might be punished for if they don’t get right.

There is no “an intelligent, grown-up debate” here. At the stroke of a legislative pen, intimate details of every citizen who is not plugged in to what is happening will be taken and exploited (even if for good reasons) by an establishment clique. Even if it could be guaranteed that not one scrap of data would be lost or misused, such an audacious assault on a society’s privacy should only be contemplated with permission. And the possibility of asking us for consent has never been on the table. Not for a moment. Instead, the fine folk who are running this scheme have treated their fellow citizens like children; there is no attempt to persuade, just a decision that because they can do this, they will.

UPDATE: I ranted all the way through this and didn’t include two crucial things: the addresses of those advising you how to opt out. Look at www.care-data.info or www.medconfidential.org. I included a stamped plain postcard with my opt-out letter and asked my GP to send it back to me to confirm receipt. They were kind enough to do so. Some practices are offering opt-outs online or accepting them via email.

This is not fine

The Chief Executive of Brighton and Sussex University Hospitals NHS Trust has come out fighting. Having just received a record £325,000 civil monetary penalty for DPA breaches, Mr Duncan Selbie has declared that he doesn’t understand what is going on, and he will appeal the CMP forthwith. There is a small part of me that hopes he is right. If I ever get my wish to retire to the Flanders countryside to run a microbrewery, first brew out of the garage will be one called Schadenfraude. The spectacle of the ICO enduring an epic reversal would not be unenjoyable.

Mr Selbie may miss the Tribunal as he is leaving the Trust to take over a new quango called Public Health England (one can only hope he maintains the same high standards in his new role). Meanwhile, someone else will presumably step up to refute the ICO’s case with a fully-worked out contract signed by the Trust and its contractors, setting out exactly what security measures they were to employ, and how they deal with subcontractors. They will thrill the Tribunal with records showing that they knew exactly who the chap who spirited 252 hard drives out of his premises was, that their tight security was foxed only by means of a Mission Impossible rope trick, and the precision with which the Trust checked how their requirements were being carried out will make passing watchmakers weep with envy.

On the other hand, if the defence really is the current line of A Big Boy Did It And Ran Away, one can only fear for Selbie and the Trust’s brass neck when the scrap metal thieves get wind of it. For the record, when this one is resolved, my money is on the Information Commissioner popping corks from bottles called I Told You So.

The facts in the notice are these – and unless Brighton disputes them, they should follow their own corporate rules (two of which are ‘lead not blame’ and ‘solve not excuse’) and just pay the fine. The contract between Brighton and their main contractor SHIS had expired. In any case, it did not set out security requirements that SHIS have to follow, and does not prevent SHIS from using a subcontractor. Brighton apparently did not even know that SHIS used one. This suggests that when he came into their premises and took away at least 252 hard drives, Brighton did not know that he was a subcontractor – in a sense, they did not know who he was when he was in their building, taking away their patients’ precious data. No alarm bells range when the subcontractor was willing to dispose of thousands of hard drives unpaid. Even when the breach was first pointed out to them, the Trust was unable to recognise its true scale.

The ICO is not beyond making a mistake. If these are not the facts, they owe Mr Selbie and his Trust an abject apology. But if they are right, Mr Selbie’s claim not to understand why his organisation has been punished is remarkable and worrying. A third party with no contract was able to enter a Trust building and take hundreds of hard drives unnoticed, even though nobody really knew who he was. If the organisation was so reckless with its money, I doubt he would be so bumptious. However, this apparently complacent approach is effectively the same thing. No amount of shroud waving about what they could have spent the penalty money on makes any difference. The cost of avoiding this shambles altogether would have been tiny by comparison. The cost of creating a framework sufficiently robust to prevent the ICO from being able to argue that the incident could have been prevented – even if it had happened – would have been even smaller.

Here’s what they needed to do:

  • Have a clear contract with their contractor, putting them under obligations to look after personal data properly
  • Ensure that the issue of subcontractors was properly dealt with – either forbidding them or requiring any subcontractors to be put under the same obligations
  • Obtain evidence periodically that the above was being complied with

Anybody could have done these things, and every day, thousands of organisations large and small do just that. If they had done these things, the CMP would be misconceived. If they haven’t done these, the incident is appalling and their reaction is even worse. Any attempt to appeal without evidence of the proper contracts and checks in place – especially as an appeal will require them to pay for legal representation and commit further time and resources – would be a scandal.

An organisation must be allowed to defend itself robustly when the ICO comes calling, especially as some of the recent CMPs have focussed on mishaps that could happen in any organisation. I’m not convinced that having work documents in your bag in the pub when it is stolen should carry a £100,000 price tag. I think the Commissioner sometimes hits another CMP target by over-egging the link between an email sent to the wrong place and a missing policy that may not have made any difference. But the account given of Brighton’s apparent inaction distinguishes it from many of the other CMP cases. It’s why the ICO’s blinkered focus on security breaches is sometimes absolutely right.

If these facts are correct, this punishment is entirely justified. It sounds like a systematic corporate failure, not a one-off cock-up, precisely what the CMPs were designed for. Having inadequate contracts that allow uncontrolled strangers able to access the most private and sensitive of health information is very different to sending an email to the wrong recipient. I enjoy a bit of ICO-bashing more than most, but they have it exactly right here. Mr Selbie should show real leadership, by apologising for this shambles and taking his medicine.