back to article Conflicting messaging overshadows NHS Digital's attempts to inform public about patient data slurp

The NHS body responsible for delivering IT strategy has struggled to ensure patients understand that medical data held by their GPs will be copied into a central database to be shared with third parties unless they opt out by 23 June. Earlier this month, NHS Digital said GP medical records in England would be collected via a …

  1. Pascal Monett Silver badge

    "We do not sell data. We only seek to recoup costs"

    And how do you do that if you do not sell data ?

    This whole mess looks to me like there are too many people in charge of "informing" the public. Each of them inform on their little circle of oversight, without any coordination whatsoever.

    So it's a typical UK Gov project. Everything's fine, then.

    1. Mishak Silver badge

      Exactly...

      They don't sell it, they just charge you to take it away.

      Umm...

    2. Chris G

      Re: "We do not sell data. We only seek to recoup costs"

      The first thing I thought too.

      The description of why they are extracting everyone's data is also deliberately misleading, some of what they say may help to support or improve healthcare in some way but at no point do they make clear, the data is being passed on to third parties.

      Those third parties may not be a part of the Health Service and also may not be limited as to what they can do with the information.

      1. ThatOne Silver badge

        Re: "We do not sell data. We only seek to recoup costs"

        > The description of why they are extracting everyone's data is also deliberately misleading

        Obviously they can't say "our generous friends asked us to provide them with all that juicy PI we have lying around unused"...

        Improve healthcare is a vague goal, you can shoehorn targeted spamming into it just as well. As for "science", the main excuse, I'm pretty sure there might indeed exist a couple statistical studies needing to cross-reference national data and check for correlations; But they certainly aren't the cause of all that trouble, usually when a scientists asks for something he gets simply told off.

        The scale and effort show there are big and wealthy interests behind it. The (literally) poor scientists, who might or might not take advantage of that new data trove, are definitely not the cause of all that hassle.

        1. John Brown (no body) Silver badge

          Re: "We do not sell data. We only seek to recoup costs"

          "The (literally) poor academic scientists, who might or might not take advantage of that new data trove, are definitely not the cause of all that hassle."

          FTFY. The rich scientists work for the big pharmaceuticals companies, and those companies have money to spend and profits to make.

          1. ThatOne Silver badge
            Thumb Up

            Re: "We do not sell data. We only seek to recoup costs"

            > FTFY.

            Thanks. I obviously meant the academic scientists, the mercs don't have money problems.

    3. Anonymous Coward
      Anonymous Coward

      Re: "We do not sell data. We only seek to recoup costs"

      Let's ignore for a second whether the entire thing is legal, sensible, and/or batshit crazy.

      It is quite Simple. The charge is an admin fee, no additional charge is added on for the actual data. This is consistent with the claim.

      Think of it as postage and packing.

      1. TRT

        Re: "We do not sell data. We only seek to recoup costs"

        And the fee for allowing permission to sub-license?

      2. John Brown (no body) Silver badge

        Re: "We do not sell data. We only seek to recoup costs"

        "The charge is an admin fee, no additional charge is added on for the actual data. This is consistent with the claim."

        How much does that admin cost? The "management" need their Ferraris!!

        Look what happened to the non-profit Nominet and their "admin" charges!

        1. Anonymous Coward
          Anonymous Coward

          Re: "We do not sell data. We only seek to recoup costs"

          ...so they're providing valuable IP for a nominal fee. That IP can then be used for research which will result in new treatments. So far so good but at some point that's going to be used by non-UK drug and medical services suppliers who, of course, have no intention to profit from it...

          The aggregated NHS patient database is an extremely valuable national asset the US drug companies among others would love to get their hands on so they can develop treatments to sell back to the UK and the rest of the world. I'd rather the value of that resource was used for the benefit of UK patients, UK research teams, the NHS and UK medical companies.

          I wouldn't have a problem with fully anonymised data being sold outside UK but in that case it must be at a market price not just P&P and properly anonymised in such a way as to ensure that it can't be cross referenced with, say Facebook profiling data so I'd start getting adverts for adult diapers and find nobody wanted to sell me travel insurance.

          The big problem is that the NHS and UK government both have a proven world-class history of utter incompetence in respect of IT and negotiate through rose-tinted spectacles. I just do not trust them to act with intelligence, competence or integrity.

          Have Dido Harding or Russell Haworth applied to head up the GPDPR yet? Sounds like they have the requisite skill set, experience and track record...

          Anyway it's all immaterial, the database will be hacked, leaked and made public for all and sundry to do whatever they wish with it and those guys wont have any scruples about personally identifiable information.

    4. Anonymous Coward
      Anonymous Coward

      Re: "We do not sell data. We only seek to recoup costs"

      If they only charge the admin fee to get people the data then that seems worse. If you're going to expose your citizens' data, at least make some money for the NHS!

  2. Anonymous Coward
    Anonymous Coward

    *cough*

    What's in the DPIA ? Assuming they've done one.

    1. Ben Tasker

      Re: *cough*

      On their mythbusting page, they claim the DPIA will be published soon.

      A cynic might suggest publication will happen after the 23rd of June though.

  3. Lon24

    Come on Reg

    Where's the one click opt out link?

    1. tfewster
      Stop

      Re: Come on Reg

      https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/ - As published in the previous article ;-)

      1. PhilBuk

        Re: Come on Reg

        This doesn't inspire confidence:-

        --------------------------------------------

        Page last reviewed: 10 July 2019

        Next review due: 10 July 2022

        --------------------------------------------

  4. Bertieboy

    GDPR

    How does this square with GDPR which deals with personal data (and data does not get more personal than this)? In my naivety, I thought all data requests had to be opt-in not opt-out so surely this drives a coach and horses through GDPR! Perhaps this appalling data grab should be brought to the attention of the EU data commissioner - it may be that this egregious theft of user data influences their decision on UK data adequacy and whether the UK can still operate data transfers to and from the EU.

    1. Anonymous Coward
      Anonymous Coward

      Re: GDPR

      Probably under the "Legitimate Interest" excuse.

      1. Anonymous Coward
        Anonymous Coward

        Re: GDPR

        Pete B is correct - it was mentioned in a previous article on El Reg.

        Anon cos I work in Health and we're not supposed to diss this sort of idea :-(

        1. Kane
          Thumb Up

          Re: GDPR

          "Anon cos I work in Health and we're not supposed to diss this sort of idea"

          Diss away my friend, diss away!

    2. Anonymous Coward
      Anonymous Coward

      Re: GDPR

      Depends on the grounds, they might be claiming "public task" etc

      Health data is rarely covered by consent in the UK as it would open the door to people having the right to delete - resulting in millions of additional test each year as people request their medical record is erased (we still have people asking for this anyway).

      NHS Digital only ruins, sorry runs NHS England though as far as I'm aware so guess NI, Wales and Scotland held data won't be included as a result.

      I do wonder if people who have visited from abroad and had to use a GP will be included though.. probably shouldn't be

      1. Anonymous Coward
        Anonymous Coward

        Re: GDPR

        Good lord, don't let anyone at NHSE hear you say NHS Digital runs NHS England. They are two very different camps and there is a hell of a lot of politics / arguments goes on between them.

        (pedantry aside, yes NHSD is a body that only applies to the NHS in England.)

  5. Spiz

    Sweeping under the carpet

    Just phoned my surgery to ask about this and the best way to opt-out of the Type-1.

    They didn't know anything about it.. Surely something of this scale should be distributed to everyone, especially people who pick up the phone?

    Oh no, that's right, they just want to plough ahead with the minimum of fuss from pesky individuals who value their privacy.

    1. John Brown (no body) Silver badge

      Re: Sweeping under the carpet

      "Just phoned my surgery "

      And someone actually answered? Not an engaged tone or answerphone? Wow!

      Seriously though, GP surgeries are generally pretty busy these days and I doubt that non-medical admin stuff is not high on their priority lists right now. Someone in Government probably thinks it's a good time to bury bad news.

  6. Anonymous Coward
    Anonymous Coward

    We do not sell data. We only seek to recoup costs

    The lady doth protest too much, methinks

    1. Dan 55 Silver badge

      Re: We do not sell data. We only seek to recoup costs

      Have you seen the NHS' pitiful budget lately? I guess this is where the promised £350 million a week is going to come from.

  7. what-where-when

    Almost impossible to opt out

    I have opted out but it's very difficult for most people to do so.

    A. Almost no one knows that this is happening

    B. Of those that do most won't understand or, based on social media attitudes to privacy, care about the true implications.

    C. Even in this day an age most people can't actually navigate the internet very well.

    1. Sel

      Re: Almost impossible to opt out

      How did you do it?

      1. Anonymous Coward
        Anonymous Coward

        Re: Almost impossible to opt out

        I suppose the answer is: 'carefully' ;)

  8. Anonymous Coward
    Anonymous Coward

    I wonder if insurance companies will have access to this data? This would be mana from heaven for them, to be able to target area's very specifically with different rates for insurance based on health data. If the NHS sells it for that sort of purpose they are scumbags.

    Also, all those cosy assurances about the checks and audits they're supposedly going to carry out, will the results and the participants involved be on public record? Similar for the assured destruction of data records.

    1. TRT

      They would present it, of course, as LOWERING the insurance rates for areas that were healthier, the implication being that the see-saw tips both ways. They ALWAYS sell these things as being to reduce the amount people pay, which is of course utter rubbish.

    2. Syndrew

      Insurance companies had my data 5 years ago

      I went to my GP to get a jab to travel. I told them I smoked cigarettes as it seems that a puff on a cigarette at new year counted. 3 years later when looking for life insurance, I was told I was a smoker, this was 2015. It would good to have some metadata that travels with the data so that it’s origin can be determined and where it has gone and can’t be used without it, just like a blockchain.

      1. ThatOne Silver badge

        Re: Insurance companies had my data 5 years ago

        Nonsense, the data is only used to support the assumptions they want to make about somebody: In your case it was "heavy smoker, increased risk, pay more".

  9. Bored & Insane

    Dear NHS, fek off. Thanks.

    Signed, pretty much everyone.

    When even the fekkin blind guy can see the Mount Olympus of problems with what you're planning, what does that tell you?

    (Yes, this is ShadowSystems. My temporary new handle reflects my current mood. I think someone has made a mistake down at the chemist's & my normal dried frog pills aren't being formulated properly.)

  10. Cragganmore

    Link to opt-out form

    It was quite easy to do - just need your name, DoB, NHS number or post-code - then it asks for email or phone to verify.

    https://digital.nhs.uk/services/national-data-opt-out

    1. Anonymous Coward
      Anonymous Coward

      Re: Link to opt-out form

      Even with my NHS number it says I don't exist. Oh well paper form it is then.

      1. TimMaher Silver badge
        Trollface

        Re: Link to opt-out form

        Well you don’t exist do you?

        You posted as @AC

      2. ThatOne Silver badge
        Devil

        Re: Link to opt-out form

        > it says I don't exist

        You didn't expect them to make it simple, did you...

    2. Dan 55 Silver badge

      Re: Link to opt-out form

      Not that easy. You have to opt out at national level (that link) and at GP level. See previous article and comments.

      1. ThatOne Silver badge
        Devil

        Re: Link to opt-out form

        Not to mention the secret website where you need to confirm you really meant it...

        As I said further up they won't make it easy, because if everybody opts out, their database loses all commercial value.

  11. Andy E
    FAIL

    Confusion everywhere

    I remember reading that the data was anonymised at the point of collection but after reading through the NHS Digital pages I'm beginning to doubt this.

    There is no clear simple statement to say that the data they want to collect for this new research service is anonymised or its not. Its the anonymisation bit that's important here.

    1. Ben Tasker

      Re: Confusion everywhere

      On the mythbusters page (https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research/advice-for-the-public) it says that it's psuedonymised rather than anonymised, and that they'll only reverse that and attibute data if there's a lawful basis to do so.

      One of the examples they give is so that researchers can contact victi...patients and ask them to participate in a trial.

      > We do not collect patients’ names or exactly where they live. Any other data that could directly identify someone, for example their NHS number, full postcode and date of birth, is pseudonymised before it leaves their GP practice. This means that this data is replaced with unique codes so patients cannot be directly identified in the data which is shared with us. The data is also securely encrypted.

      >

      > We would only ever re-identify the data if there was a lawful reason to do so and it would need to be compliant with data protection law. For example, a patient may have agreed to take part in a research project or clinical trial and has already provided consent to their data being shared with the researchers for this purpose.

      Which, let's be honest, means at some point it's going to get re-associated by accident

    2. NetBlackOps

      Re: Confusion everywhere

      As research at such fine places as MIT has proven, time and again, anonymization or psuedo-anonymization as the NHS is stating, when combined with other publicly available datasets is easy to reverse, so any guarantee is less than worthless. It's malicious..

      Having spent decades in AI/ML and worked with these datasets on the left side of the pond, I fully expect that the results from the private companies aren't going to be effective. There's a whole branch of mathematics that need to be drawn on, which no researcher has used to date save myself, to come up with working models with better than .99 accuracy required in a medical context. Still, I'll be waiting with bated breath to see what garbage results they achieve. IBM, for one, has form here, not just Big Pharma.

  12. steelpillow Silver badge
    Devil

    Machiavelli's political handbook, Chaper One, Paragraph One.

    Always make self-contradictory statements. Then make more that contradict them. That way, you can do what the fuck you like. When challenged down the line, you can point to both the fact that you did say the right thing at the time, and also to the fact that you gave people plenty of warning of what you intended.

  13. hoola Silver badge

    Simple Solution

    Maybe the simplest solution (not that anyone will do it) is to reset the current permission as it is no longer valid to a default of "opt out".

    Now that would stop these knop jockeys dead in their tracks because all that tasty data to be slurped would not be available by default. I just find it astounding that anyone deems it acceptable to have a significant update to data sharing that most people do not know about with a default of status quo ( I assume) or worse opt-in.

    For the majority of the population this is simply beyond them to figure out.

  14. JohnMurray

    Actually, your opt-out matters not.

    Your data can still be used in research/planning, even if you opt-out, if information that can identify you is "removed".

    Your confidential patient information can be used in a small number of situations, such as national statistics.

    In an emergency where the safety of others is affected.

    The NHS collects confidential patient info from NHS trusts/local authorities/private healthcare providers, providing care to NHS patients. Research bodies can request access to that information.

    The only exclusions noted are that marketing and insurance can have no access......but given that an increasing amount of healthcare is via USA companies.....

    All that came from the NHS App.....

  15. Anonymous Coward
    Anonymous Coward

    Seriously?

    FFS - it actually says (https://www.nhs.uk/your-nhs-data-matters/where-your-choice-does-not-apply/) "Information about your health care or treatment might still be used in research and planning if the information that can identify you is removed first." So you effectively can't opt out. There are numerous other get-out clauses here too.

    It has been shown many times that "anonymised" data can often be de-anonymised, as it doesn't take many data points to make the data unique or near-unique. And I have little confidence that there will never be a data breach.

  16. Anonymous Coward
    Anonymous Coward

    Where your data is stored - apparently NOT in the UK!

    Browsing through https://your-data-matters.service.nhs.uk/privacynotice tjhere is a paragraph "Where is your data stored" which states:

    "We store your data on secure cloud servers in the European Economic Area (EEA)."

    As the UK is not in the EEA (as defined in the link) this suggests the data is NOT held in the UK!

    1. Dan 55 Silver badge

      Re: Where your data is stored - apparently NOT in the UK!

      It suggests they haven't updated the privacy policy since last year (but probably longer), i.e. it's not worth the bog roll it's printed on.

  17. Robert D Bank

    What really fucks me off is that all the info you have to provide on these opt out forms is EXACTLY what could be used to link you to the medical records. This whole thinking really stinks, like the arseholes that came up with this scheme.

  18. This post has been deleted by its author

  19. Anonymous Coward
    Anonymous Coward

    BBC R4 Today

    NHS Digital just had someone on Radio 4 defending this against ‘not very good’ probing. You could hear the nervousness in his voice as he explained what would happen to the data. Just been trying to re-listen to it but BBC Sounds is not making that easy. Talked I think about encryption of data in transit but I think I heard that it wasn’t when at rest and that identities were associated with data (hence my trying to replay that part)! And of course he had to admit that all the sensitive data you could imagine (sexual health, treatments etc) are included in that data - not one mention of private companies being able to gain access of course.

    Also told the interviewer that they’ve made all the details available to GPs to allow them to inform their patients to include posters etc - knowing full well almost nobody has been near a GP office for the last year or so!

    Disingenuous untrustworthy bastards!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like