Re: Colour me confused
"- you have the right to withdraw consent on data currently stored about you"
That only applies where "Consent" is the lawful basis/lawful condition used for the processing of the personal data. As the organisations in question claim to be using "Public Task" as the lawful basis for processing (sharing) then, in their minds, there is no consent (for processing) that can be withdrawn.
Part of my complaint to the ICO is that the organisations originally used "Consent" and then in mid-2019 (unlawfully) changed to "Public Task". The organisations' response was that they always used "Public Task". The lead org has recently admitted to ICO that there has been a "misunderstanding" by all orgs as to the lawful basis in use since the start of the sharing. If the ICO is unwilling to look into the timeframe before GDPR then how can ICO satisfy themselves as to what the lawful basis/conditions actually were at the start and without determining this then how can they then determine whether the lawful basis/condition did change or not (and if any change was lawful).
"- if the data is no longer necessary purpose, or you have withdrawn consent, you can ask for it to be erased"
Again consent is not relevant *if* it was not the lawful basis/condition used. That is one of the issues at dispute in my case. The orgs claim that as they are using "Public Task" as the lawful basis then the Right to Erasure does not apply.
Regarding erasure if the data is no longer necessary, this would be covered by GDPR Article 5(1)(e) Storage Limitation. As I have had a locked record/'Access' opt-out in place since the start of this sharing system then my personal data has never been used for the purpose it was shared for (the audit logs I obtained show all attempts to access my data were blocked due to lock/opt-out) and so, again, part of my complaint to ICO is that the orgs have breached Article 5(1)(e) by the continued storage of my personal data as it has not/cannot be so used.
"Your other rights are to be able to know what they are doing with your data, who they share it with and what for, to be sent copies of the data they have on you, and you can ask for details on how they are ensuring the protection of your data."
I'm well aware of what my others rights are under the (UK) GDPR - I've read the relevant sections many many times.
"If you think that the protection is not sufficient, this could be another way say they are not legally handling your data."
Again another aspect of my ICO complaint is regarding one of the organisations' security of handling my personal data - when they transferred my (special category) health data via encrypted ZIP files on several occasions to myself and to my GP Practice they breached their own security procedures (e.g. using short predicatable passwords of 6-8 chars made up of Initial single capital letter, 5-7 lower case letters, and then single digit with the letters forming local placenames. On at least 2 occasions they also separately emailed encrypted ZIP files and the password for decrypting these files to the *same* email address at 1 minute intervals. Also they're using the "original" ZIP file encryption which has been known to be unsafe for 15-20 years)
"also maybe 3rd parties could be another route."
Which 3rd parties had you in mind?
I've tried emailing the Health Minister, raised the matter with one of my local politicians, opened 2 cases with ICO, talked to MedConfidential, talked to a solicitor regarding taking legal action myself, approached several press organisations (including The Register)...