An IT system for £1
What could possibly go wrong?
The UK health department has republished its contracts with US spy-tech company Palantir, blanking out fewer sections, following a warning from legal campaigners. In February, the Good Law Project, a political non-profit company, said publication of heavily redacted contracts meant the public was "unable properly to understand …
From TFA: "where it is necessary for them to operate and maintain the FDP"
The words "necessary", "operate", and "maintain" are not defined in this (at least, not in the parts we can see). While this may sound like Bill Clinton saying, "define the word, 'is'", ordinary English word-meanings are stretched to the outer limits by solicitors, and thus must be specifically defined in such contracts. "Common sense" has little effective place in the legal world.
Similarly, only under "the written instructions" from user organizations, which include national or local "instances", could (and likely would) be interpreted by a solicitor as Palantir calling up some local provider, asking, "Can we use some data?", the local provider replying, "Okay," and then Palantir saying, "We'll send you a FAX. Please sign it and FAX it back," and the local provider saying, "Okay," and doing so. Said FAX from Palantir will be brief and non-threatening-looking, and will reference documents in Palantir's possession which will not be included in the FAX, nor ever seen by the local provider. Those referenced documents will say, effectively, that Palantir can do anything with the data.
And the UK's Electoral Commission. https://www.ncsc.gov.uk/news/china-state-affiliated-actors-target-uk-democratic-institutions-parliamentarians#:~:text=Separately%2C%20the%20compromise%20of%20computer,Electoral%20Register%20during%20this%20time.
"Separately, the compromise of computer systems at the UK Electoral Commission between 2021 and 2022 has also been attributed to a China state-affiliated actor. The NCSC assesses it is highly likely the threat actors accessed and exfiltrated email data, and data from the Electoral Register during this time."
"Only authorised users will be granted access to data for approved purposes, for example, NHS staff and those supporting them, such as administrators, bed managers or care coordinators, and staff in social care supporting the move from hospital care."
It is baffling that these kinds of responses are accepted. It's a classic tautology and someone giving such crap as an answer should be sacked.
What are the criteria for being an authorised user, and what are these approved purposes, for starters?
What if to become an authorised user you need a brown envelope and another one to add your purpose to the approved list...
I suspect that these are the sort of people who do not know the difference between authentication and authorisation, and in practice, anyone who is authenticated, which probably includes everyone in the building, cleaners and all, will end up with authorisation.
The problem is that they do not define criteria for authorisation, or whether such authorisation will be granular and time limited. How will they deal with bad actors who gain authorisation but then abuse it? How will such data breaches be handled? How will they determine the scope of any breach, and what remedial action can or will be taken to protect the people whose data is leaked? What powers will they have to go after perpetrators of a breach, and ensure leaked data is deleted? Not only within UK jurisdiction, but also US jurisdiction, and jurisdiction in other territories, including those of hostile governments, or where adequate data protection law or relevant treaties are not in place?
I don't get why this data is regarded as so valuable in terms of advertising drugs. Approaching 50-odd percent of the UK is obese and probably pre-diabetic or diabetic. The age profile is shifting to the right, people living longer with fewer kids on average. You don't need to be a genius to work out how to make money out of healthcare offerings here. I suppose it becomes more valuable in a fully privatised USian style system, where targeted ads interrupting the stream you are watching (and their 30-page disclaimers of possible side effects) are probably marginally more effective than blanket ads on broadcast TVs that we don't watch anymore.
Too bad the pre-packed food industry doesn't have similar possible side effect listings for the collection of E-numbers and sugar peddled as "food" in possibly the loosest sense of the word only.
They don't need to try. The Tories haven't fully privatised the NHS only because they know they lack the political capital to survive it, and right now they also no longer have the time so the fact that they won't survive anything doesn't matter. Only Labour can do the job - so it's lucky for the Tories that Kid Starver and his PHC-funded shadow health secretary Wes "McShitter" Streeting already fully intend to do it with no need for any external intervention.
TBF he's not wrong on Streeting.
No mainstream politician has the answer to funding the NHS because the costs are increasing year on year in line with an aging population, and the cold hard reality is that funding has to come from higher taxes.
Until Labour (maybe) or the Tories (no chance) break ranks and start talking about using taxes for adequate funding for a decent service the NHS is f*cked.
There's an element of this, and an element of the Tories deliberately making the NHS both more expensive and more difficult to access in order to justify pushing people onto private healthcare, in which a number of them have financial interests. It's the age-old story of "follow the money".
Examples include repeated management reorganisations, creation of QUANGOs to manage it ("NHS England" being the most recent incarnation), and policies around GP appointments such that GPs have to implement a system where you call them at 8am to maybe get an appointment in the next two weeks, but nothing today, unless it's an emergency, in which case you have to call again in the afternoon, and no appointments are "open" beyond that moving window. This is done in the name of "convenience" so that "everyone can get an appointment", but this is clearly not the purpose of that system.
Yes, there is genuinely a problem with an ageing population, and the obvious answer to this is preventative healthcare, which is the exact opposite of what the Tories want, because it is cheaper and more effective than the sort of privatised healthcare where they can charge a fortune for diagnostic tests, and lifelong treatments. Those snouts need to keep their trough filled.
I'm not wrong about Starmer either. He claims to want to make the NHS strong, but he's explicitly ruled out raising taxes or seizing the billions stolen by the Tories during the pandemic to lavish upon their donors for huge (and frequently unfulfilled) PPE contracts at ripoff prices. Instead he's talking about using AI to shorten waiting lists. This is not my opinion - it is a fact, and you can find it in transcripts of his speeches on the Labour Party's own website.
That said, you really don't need to look much past Streeting being funded by private health care initiatives and openly supporting greater privatisation of the NHS. Starmer's appointing him as Shadow Health Secretary - which most likely leads to him taking the cabinet post if Labour enter government - indicates clearly that this is also what Starmer thinks should happen. You don't give someone a job if you don't like the way they want to do it, do you?
No he hasn't ruled out reclaiming money lost to fraud.
And as for the not raising taxes... he doesn't need to, the tories have already raised them massively, he just needs to cut out some of the tax breaks which mean that the ultra wealthy don't actually pay their fair share.
What he does need to do is win the election.
To be fair to Starmer (and I do have some strong doubts about him), if he were to say, in the year of an election that he intends to seize the ill-gotten billions from various bad actors, how quickly do you think that they would decide to spend a small fraction of those billions on a disinformation campaign to discredit him?
His primary task, at the moment, is to unseat the Tory government. Major policies are not going to be made public until manifestos are published, to do otherwise would literally be giving ammunition to the opposition, as it gives them time to prepare attack lines. Expect not to hear any major policy announcements until an election campaign is underway.
I still have the creeping feeling that Starmer will disappoint us, however, this is due to the fact that our electoral system is fatally flawed with FPTP, so we are stuck with politicians who can win FPTP elections, not ones who can actually solve our country's myriad problems. It is saddening, yet completely understandable, that Starmer is also opposed to us moving to a system of PR, despite the majority of Labour members, delegates, and unions supporting it.
Only statistically. Human physiology being so complex and varied at the detail level, individual outcomes are essentially unpredictable with any certainty until there are already specific markers present, at which point it becomes diagnosis. (Just for example, even lifelong smoking doesn't guarantee you get cancer, and total abstinence doesn't guarantee you won't -- which is why we have screening programmes).
Of course, as it's a matter of statistics, an entire department will probably be created to stuff our medical records through ChatGPT.
Health insurance has to work differently, otherwise it's far too easy for coverage to be denied for any significant health issue. Have a heart attack? Your insurance company dropped you as a bad risk the moment you arrived at the hospital, and any other will disallow care related to that preexisting condition.
In the US, preexisting conditions are covered if the patient was insured for them (by someone else) at the time the condition was noted/diagnosed.
"In the US, preexisting conditions are covered if the patient was insured for them (by someone else) at the time the condition was noted/diagnosed."
As they are by BUPA in the UK... 35 years on and they're still covering, despite me being off book for several periods when my (varied) employers used different providers.
NHS England? Bah, mere amateurs, let me introduce you to HSC NI (aka "NHS Northern Ireland"):
So after several years of HSC NI trying to fix GDPR/UK DPA 2018 non-compliance for the Northern Ireland Electronic Care Record (NIECR), with the help of the ICO's NI Office apparently, the Department of Health NI wrote to all NI private Opticians (who do "NHS" work, i.e. "free eye tests") in October 2023 to get them to sign a "Northern Ireland Electronic Care Record (NIECR) Data Processing Agreement". That letter contained fun statements such as:
"Each Community Optometry Contractor has always been recognised as a stand alone Data Processor within the definitions of the Data Protection Act".
What's with the word "recognised"? Either they're a Data Processor or they're not. In order to be a Data Processor they must have signed a contract together with the Data Controller(s) that meets the GDPR-defined legal requirements for such a Data Processor engagement to be valid. I'm hearing echoes of "1984" ("we have always been at war with...").
"As such each Practice[sic] is required to sign the revised Data Processing Agreement."
I think instead of "Practice" they meant to say "Community Optometry Contractor". Details are important, folks... Also "revised Data Processing Agreement" - hmm, so "revised" implies there has been at least one previous version of a NIECR DPA in place with Data Processors - well in almost 4 years of digging into NIECR I've yet to see *any* previous DPA for Processors despite numerous FOI Requests. Also the "revised" DPA document sent along with that letter is "Version 1.0" dated "27th October 2023"...the "1.0" kind of implies there has never been a previous (non draft) version of a/this DPA. So is this a replacement DPA (in which case why replace rather than revise a previous DPA?) or a new DPA where no previous one existed? (in which case "revised Data Processing Agreement" are weasel words)
"It is important that this latest version is signed, and the relevant signature section is returned by Friday 10th November 2023."
"Please note that failure to agree acceptance to the DPA and return of same may call into question the legal basis for the Practice[sic] to continue to access NIECR."
Why might the legal basis for Opticians (companies) be called into question if they didn't sign this DPA by 10th Nov but wouldn't be called into question if they did sign by this date? What's so magical about the 10th Nov 2023? Why doesn't any alleged previously-existing DPA address any legal concerns? Have ICO actually told HSC NI "if you finally sort out this legal mess by 10th Nov we won't take any action"?
Also I note that the DPA only lists *some* of the Joint Data Controllers but purportedly points to a list of:
"The GP Practices listed at Find a GP practice | nidirect"
except the provided "Find a GP practice" URL is a search page for Practices, not an actual list of practices. The URL that I believe they intended to specify in the DPA is indeed a list of NI GP Practices, however it is a "point in time" (continually updated) list - the contents of the list on the day a particular Opticians (company) signed the NIECR DPA is not likely to be the same if it is consulted 1 day, 1 week, 1 month, or 1 year later. Therefore how can the DPA signed by a particular Opticians represent a valid legal contract if the DPA *itself* (or Addendums to it) does not define *all* the parties to the DPA?
The organisations running the NIECR appear to think that DPAs are magical documents which, once signed, don't just cover (undefined) parties at the time of signing but also cover new (undefined) parties being automagically added from then onwards without any Addendums or equivalent to the signed DPA being required or for the Opticians to be informed of any new parties to the agreement they previously signed. In particular GDPR Article 30(2)(a) *requires* a Data Processor, in their Records of Processing Activities (ROPAs), to contain the details "of *each* controller on behalf of which the processor is acting" - it's a bit hard for a Processor (Opticians) to do this if the Opticians doesn't know who all the Data Controllers are at any point in time.
The provided DPA, despite the "help" of ICO's Belfast Office, also fails to include some information *required* by GDPR Article 28 to be present in such a contract, so therefore even when signed it's not a valid Data Processor engagement.
So the legal mess that is the NIECR continues...
> Isn't "practice" the normal spelling for the noun form?
It is spelt correctly, the reason I put the "[sic]" was mentioned directly below in my previous post: "I think instead of "Practice" they meant to say "Community Optometry Contractor"." This letter was obviously modified from a previous letter to GP Practices (a letter around the same timeframe when they had GP Practices, as joint Data Controllers, sign a "revised" Data Sharing Agreement to deal with "legal issue" of no DSA actually having been in place for the past 10 years that NIECR existed) and they forgot to replace some of the uses of "Practice" with "Community Optometry Contractor".
> Otherwise, uptick. I guess you have good reason for posting AC.
You mean other than wishing to remain anonymous? lol.
Lindsay (@ The Register) knows who I am as I contacted him (and had a phone call to explain things) almost 3 years ago hoping he'd write a story about some of this but he appeared to lose interest and I last heard from him in June 2021. If The Register still has any interest in writing some sort of a story around this (i.e. "Whole of Northern Ireland's populations' health data continues to be shared in legally non-compliant way between 600+ organisations after more than 11 years!") I've collected an ever growing mountain of related evidence.
In related news a well-known UK high street brand has admitted in a FOI Response that their Opticians "arm" (separate group company from their Chemists "arm") has been using the NIECR since October 2018 (5 1/2 years!) but they don't know what their data protection role actually is/has been (Data Controller or Data Processor) with regard to NIECR and have had no contract of any sort in place for this NIECR use... so they've effectively admitted they've breached GDPR on an ongoing basis for more than 5 1/2 years.
Their Chemists "arm" did indicate they started using NIECR in July 2021, that they're a Data Processor for this use, that they *have* signed a DPA (though this DPA suffers from many of the same problems as the Opticians one I mentioned in my earlier post and so I also believe it is not a valid Data Processor engagement contract per GDPR) in November 2023 (more than 2 years *after* they began acting as a Data Processor!), and that they did create a DPIA regarding their use of NIECR but are refusing to provide it to me:
"We consider the completed DPIA to be an internal document and commercially sensitive so therefore, do not considerate it to be appropriate to share with you as part of your FOI request. We are withholding this information under exemption ‘Section 43(2)’."
So their Chemists "arm" have also admitted that they've breached GDPR. There's no point me telling the ICO about any of this as I can't make a personal complaint myself (I have not used them for either NHS eye test or prescription services) and the ICO don't care about general reports of non-compliance apparently unless "sufficient" people make the same complaint.
Another small local opticians company repeatedly used the "non-answer answer" phrase:
"Information is not held which would inform a response to this question"
throughout their FOI Response to avoid admitting any non-compliance.
Normally with UK.Gov contract disclosures it hovers between 8->10; however, in this case it's exploded and is lying in pieces on my office floor.
What could possibly be so sensitive it needs to be redacted at all?
PS: El Reg needs to add a new icon to the library, of a bull taking a shit!