ICO complicity with organisations breaking data protection law
The ICO are not just a waste of space as "enforcer" of Data Protection law; they are actually complicit with some organisations which continue to break data protection law on a large scale.
In the past few weeks ICO have really shown their contempt for Data Protection law.
[Background Info: the Northern Ireland Electronic Care Record (NIECR) is the sharing of personal health data between 500+ organisations in NI (including all GP Practices, Community Pharmacists, Community Optometrists, and Independent Sector health orgs, i.e. private hospitals) by creating a central "database" that they all have access to. The NIECR central system is operated by the Business Services Organisation (BSO), an "arm's-length" body of the Northern Ireland HSC (aka NHS NI). NIECR has operated since July 2013. It is similar to the proposed NHS England GPDPR sharing that was delayed last Spring after public complaints.]
Below is a quote from a BSO email to ICO last month which confirms that Northern Ireland GP Practices have, from NIECR's launch in July 2013 to the present day, never actually agreed to/signed the NIECR Data Sharing Agreement (DSA) that makes any such sharing lawful.
BSO also gave a vague "intention" to ensure that GP Practices actually sign the DSA at some *undefined* future date, while in the meantime GP Practices continue to share personal health data unlawfully with NIECR.
BSO to ICO:
> The other issue that we discussed briefly was the mechanism for seeking the agreement of GPs for the revised Data Sharing Agreement. When the Data Sharing Agreement had been drafted we had sought to get a signed acknowledgement from each GP practice of the new Data Sharing Agreement. This proved a difficult administrative process, given the number of individual GP practices. I would acknowledge that this was never followed through from our side. We will seek to create a more robust tool for seeking GP agreement when we have finally agreed the Data Sharing Agreement revision that is currently under way. This is required both to ensure that GP Practices are aware of their responsibilities as outlined by the Data Sharing Agreement. <
The ICO case officer's response, after receiving BSO's email, to me regarding this aspect of my complaint was:
> BSO has confirmed to the ICO that when the data sharing agreement had been drafted, they had sought to gain a signed acknowledgement from the GPs involved; however, this proved to be a difficult task and was not followed through. That being said, the organisation has advised that when the revised data sharing agreement has been agreed upon, they will create a tool in which they can seek GP agreement.
With this in mind, we do not intend to take any further action at this time with regards to this. <
So ICO have proof (a clear admission) that from July 2013 to the present day no GP Practice in Northern Ireland has ever agreed to/signed the NIECR DSA to make their sharing of health data lawful, despite that sharing occurring on a daily basis for *9 years*, and ICO is going to take no action!
BSO have given a vague "commitment" that NIECR will attempt to come into compliance with Data Protection law at some undefined future date, but will continue operating as before in the meantime.
How big a breach of data protection law has to occur before ICO will actually take any action?
In the same email to ICO, quoted below, BSO also acknowledges that no agreed version of the NIECR DSA has ever defined any lawful basis (or lawful condition) for the sharing of personal data. BSO has attempted to "read between the lines" of the DSA to claim, *last month*, which lawful basis was intended from the start of NIECR in July 2013, and ICO have accepted BSO's blatant mischaracterisation of the DSA.
BSO to ICO:
> Also, within the body of the DSA, in Paragraph 4 NIECR Information Governance Model, it states that the key principles to be applied to the processing of data are "that the use of NIECR is for direct patient/service user care only" and that "information is accessed when there is a clinical/caring relationship with the patient/service user". While Public Function is not specifically mentioned it seems clear that the basis of processing was never intended to be consent. <
For the 360+ organisations who participated in NIECR at its launch in July 2013, through to the 500+ organisations participating in it currently, the DSA must clearly state all lawful bases and lawful conditions so that all participants are "on the same page" and have exactly the same understanding of what they are *jointly* agreeing to.
The ICO case officer's response, after receiving BSO's email, to me regarding this aspect of my complaint was:
> With regards to the electronic processing of your personal data, it would appear that BSO originally relied upon Schedule 2(5) and Schedule 3(7) of the Data Protection Act 1998; and Schedule 3(8) on a case-by-case basis. Based on the information provided in response to this, we do not intend to take any further action at this time with regards to this specific aspect of your complaint at this time. <
So ICO's investigation into NIECR is a complete whitewash.
It is not that ICO are failing to do their job, it is that ICO are actively helping to cover up unlawful activity.