> We don't mind giving up our data, especially for the NHS, if it remains between the NHS and the patient, no third party data mining without consent.
Speak for yourself.
For starters, the NHS is not actually a single entity: there's NHS England, NHS Wales, NHS Scotland, and HSC NI.
Next off, your local GP Practice is typically a Partnership (i.e. a commercial organisation) contracted by the local "NHS" to provide services (GMS Contract), likewise your Dentist (GDS Contract) and your Optician (GOS Contract). Additionally, both before COVID and especially since then, some services (i.e. minor surgery) may be contracted out to private clinics/hospitals (again commercial orgs). Then there's Independent Hospices (Charities) who interact with "the NHS"...
So your personal data is highly likely to have already been passed to third parties (commercial, independent sector, and charity organisations).
What I personally *do* mind is "giving up" my data to the "NHS" where the purpose(s) that it is "given up for" and the organisations that it is "given up to" are likely to change/expand (both in terms of the purposes it is used for and the orgs that will have access to it) over time without adequate public notification.
A realistic example that I'm intimately familiar with: the Northern Ireland Electronic Care Record (NIECR) - launched in 2013 with "some" publicity where personal health records would be shared between all NI Hospital Trusts, all NI GP Practices, and a handful of other organisations (so approx 350 orgs in total) *only* for "direct care" purposes. Spin forward to the present day and there are now approx 1,000 organisations involved in the NIECR sharing and the types of "direct care" uses have greatly expanded (they also seem to have considered on several occasions using the data for research and other purposes).
Were the general public notified about the various phases of expansion of the NIECR's functionality and orgs involved since its launch in 2013? Short answer: no!
In summary, once your health data is shared, especially into a "central store" (such as the NIECR system), then it's more or less impossible for it to be unshared. Your GP Practice may be the Data Controller for the health records that they hold (unless you live in Scotland, where it was changed several years ago so that your GP Practice *and* the local Health Authority/Trust are Joint Data Controllers), but once they share those health records with other parts of the "NHS" they then seem powerless to control what happens to those records.
BTW anywhere I mentioned "GP Practice" above I mean "the GP Practice's contract holder" as a GP Practice is effectively just a "trading name" where a Partnership (or in some cases a Limited Company) is the legal entity that signed the GMS Contract with "the NHS", is the Data Controller for the practice's health records, and actually runs the Practice etc.
> especially for a USA company, they have bad track record for privacy, playing fast and loose with rules and thinking they above laws
And you think the "NHS" is any different? What about the row over NHS England trying to push ahead with GPDPR as an example: https://www.theregister.com/2021/05/13/nhs_data_grab
In the case of the NIECR I have found evidence of unlawful actions by HSC NI organisations on an "industrial" scale since 2013 right up to the present day: no Data Sharing Agreement signed between the Joint Controllers prior to launch or since; no Data Processing Agreements (or equivalent contracts) in place between the Joint Controllers and "engaged" Data Processors (DPs) for multiple years, and then when DPAs were belatedly signed (by DPs only, with no evidence that any/all of the Controllers signed) they didn't meet the GDPR *requirements* for DP contracts and so are invalid; and, despite the NIECR being a "Joint Data Controller" activity, its actual decision making has been performed by a NIECR Steering Group consisting of only 5 of the Joint Controllers (out of approx 350) plus a couple of orgs who are neither Data Controllers nor DPs (and so cannot lawfully make Data Protection-related decisions), plus one of the Data *Processors*. Yup, a DP is involved in making Data Protection-related decisions regarding the NIECR, something that a DP *cannot* lawfully do.