Yet another UK government seeks to reform GDPR

The UK government has begun to introduce its latest update to data protection laws it claims will boost economic growth and public sector efficiency. The government said it expects it will keep the UK in line with the EU's GDPR. Critics, on the other hand, have said the legislation could affect current privacy protections, …

  1. Jason Bloomberg Silver badge

    Tory-Lite

    "The Data Use and Access Bill weakens our rights and gives companies and organizations more powers to use automated decisions"

    Yes, indeedy. Meet the new boss - same as the old boss.

    1. Doctor Syntax Silver badge

      Re: Tory-Lite

      Not so much Tory-Lite, more Old School Labour. They have form on this. Next up, ID cards, no doubt.

      1. Roj Blake Silver badge

        Re: Tory-Lite

        Old School New Labour.

        1. Phil O'Sophical Silver badge

          Re: Tory-Lite

          Which is all we got from Cameron's Tories as well.

      2. UnknownUnknown

        Re: Tory-Lite

        In historical retrospect Government ID cards seem a bit of a quaint anachronism in lieu of 20 years of immigration and what the retailers/credit reference and tech companies have on you, and AI now scrape without any regard for GDPR and put into the AI blender:

        Esp. As passports, driving licences, NI cards and NHS/CHI numbers are required for many things as ID proof.

        1. Doctor Syntax Silver badge

          Re: Tory-Lite

          I haven't had a passport for years. I know people who've never held a driving licence and others who've given up driving. What's an NI card? And I don't know my NHS number, only been asked for it in connection with medical appointments but not knowing has never been a problem.

          1. David Hicklin Silver badge

            Re: Tory-Lite

            > And I don't know my NHS number

            It's usually on your payslip unless you are one of the idle rich

            1. Anonymous Coward

              Re: Tory-Lite

              > It's usually on your payslip unless you are one of the idle rich

              That would be your National Insurance number, not your NHS number/id. Those are 2 completely different things.

  2. Mike 137 Silver badge

    Insufficient

    "It said "vital safeguards" would remain in place to track and monitor how personal data is used"

    The primary purpose of the GDPR was not just to allow monitoring of how personal data is used, but to provide data subjects with control over by whom and how their personal data is used (and by far not just in the context of automated decision making). This was essentially sidestepped in the fortuitously aborted Data Protection and Digital Information Bill, and the same would appear to be the case in this bill. The problem is that abusing folks' personal data rights is so profitable.

    It's worth noting that the GDPR is not data law -- it's human rights law in respect of personal data, but I have it on official record that the UK govt (the last one at least) consider UK data protection law to be data law, not human rights law. Doesn't that say everything?

    1. Anonymous Coward

      Re: Insufficient

      > It's worth noting that the GDPR is not data law -- it's human rights law in respect of personal data

      A Northern Ireland-specific perspective: https://nihrc.org/publication/detail/nihrc-briefing-on-the-data-protection-and-digital-information-bill

      "2.8 that, as a fundamental right, the right to personal data protection would fall within the scope of “civil rights” under the Belfast (Good Friday) Agreement. Further, as an essential element of the right to respect for private and family life in Article 8 ECHR, any right to personal data protection afforded by EU law, by which the UK was bound on 31 December 2020, falls within the scope of the non-diminution commitment in Windsor Framework Article 2."

    2. abend0c4 Silver badge

      Re: Insufficient

      A recent article in The Guardian claimed that UK Biobank data had been misused for unauthorised "fringe" research. UK Biobank in turn refuted the claim.

      Whether it's true or not, the last lines of defence against misuse are the contractual terms between the various parties, which cannot put the genie back in the bottle, but volunteers donate their data knowing this (or they at least should know this). I think it's rather a different matter when people are having their data confiscated without their agreement given that any privacy breach is a one way street.

      1. Anonymous Coward

        Re: Insufficient

        > Whether it's true or not, the last lines of defence against misuse are the contractual terms between the various parties, which cannot put the genie back in the bottle, but volunteers donate their data knowing this (or they at least should know this).

        You're assuming that there are actually contracts (and therefore contractual terms) in place.

        In the case of the Northern Ireland Electronic Care Record (NIECR) launched in June 2013 *none* of the participant orgs ever signed the Version 1.0 Data Sharing Agreement (DSA) back then which clearly referred to "signatory organisations". Therefore there were no actual contractual terms in place between those (approx 370) organisations acting as Joint Data Controllers sharing the health records of the Northern Ireland population.

        A handful of participant orgs signed the Version 2.0 DSA in Q2 2017 (which re-labelled the signatories as Data Controllers in Common rather than Joint Controllers). Another handful of orgs emailed in "agreement" to that DSA (irrelevant as they didn't sign it and therefore were not signatory organisations) and the remainder (approx 360+) participant orgs neither signed nor indicated their agreement. So again no contractual terms in place between all the participant orgs.

        Over time more participants joined, yet neither those "new" orgs nor the existing orgs ever signed a newer DSA and so there was no contract in place between them.

        Last year a new DSA version was produced which apparently approx 5 of the orgs signed. Eventually in April this year 300 of the orgs were requested to sign this new DSA for the first time (almost 11 years after launch!) and only 2/3 of those had signed by late June. That same new DSA contained a "trick" where multiple organisations that had acted as Data Controllers for years were suddenly redefined as Data Processors instead (in part it appears as a way to "deal" with me pointing out that the 4 Hospices are not considered Public Authorities and therefore could not have lawfully been relying on "Public Task" as a valid lawful basis for the past 11 years like all the other orgs).

        > which cannot put the genie back in the bottle, but volunteers donate their data knowing this (or they at least should know this).

        Genie out of the bottle indeed. In my own case my personal health data was shared against my wishes by my GP Practice with the NIECR system and despite the ICO ruling that both my GP Practice and the central Health Service org running the system (my Practice's Data Processor) had both breached data protection law in failing to remove my personal data from the NIECR system the ICO decided to take no action against either org (not even to force them to remove my personal data from that system)...and so my personal data remains there.

        1. Doctor Syntax Silver badge

          Re: Insufficient

          "and so my personal data remains there"

          Did you write to NIECR to require them to remove your data, reminding them that this is your right and their obligation under GDPR?

          1. Anonymous Coward

            Re: Insufficient

            > Did you write to NIECR to require them to remove your data, reminding them that this is your right and their obligation under GDPR?

            There is no NIECR organisation to write to (NIECR is a data sharing arrangement between 360+ HSC NI organisations).

            I requested/demanded back in 2020 that my GP Practice (one of the Data Controllers for NIECR) remove my personal data that they had shared against my wishes with the NIECR system and they said they could not remove it as BSO had told them that there was no procedure defined to do such a removal.

            BSO is the central HSC NI org who manage/provide IT services (amongst other services) to the HSC NI. BSO acts as a Data Processor for all the organisations who are Data Controllers for the NIECR. BSO said that they were only a Data Processor and so could not act upon my request/demand and referred me to the Data Controller (my GP Practice).

            I opened 2 data protection complaints with the ICO, one against my GP Practice, the other against BSO. Eventually the ICO case officer stated in late 2022:

            "my view at present is that it is unlikely that [name of Practice] have complied with their data protection obligations. This is because, although they have attempted to remove the data they have shared about [name] on the NIECR system they have been told by BSO that they are unable to. As data controllers for that information, we would expect that [name of Practice] should be able to do this."

            and (regarding my GP Practice):

            "however as they are the DC for the information that currently can't be removed, the infringement goes against them."

            Despite this however the ICO took no actual action for any party to remove my personal information from the NIECR system.

            I'm left with the option of taking personal legal action as the only way to resolve this.

            1. Doctor Syntax Silver badge

              Re: Insufficient

              Perhaps you should get Max Schrems on your case.

              Personally, I'd have written my original request addressed to both and told them to sort it out between themselves instead of pointing fingers at each other. If they failed I'd then have raised a single case against both with the ICO. Not a data protection issue but I've used the same technique about road repairs.

              1. Anonymous Coward

                Re: Insufficient

                > Perhaps you should get Max Schrems on your case.

                I don't believe he takes on any action outside of the EU...

                > Personally, I'd have written my original request addressed to both and told them to sort it out between themselves instead of pointing fingers at each other. If they failed I'd then have raised a single case against both with the ICO.

                Whilst I did raise 2 separate cases with the ICO I did "link" them together and the same ICO case officer dealt with them jointly.

                I believe that BSO's assertion that as they were the Data Processor, rather than the Data Controller, therefore any decision to delete or not was nothing to do with them is technically correct - Data Processors can only lawfully follow instructions provided to them by the Data Controller.

                However in this case the Data Processor (my GP Practice) *did* effectively provide BSO with instructions to remove my personal data yet BSO still did not do so. In addition to BSO's initial claim that "there was no procedure defined to do a removal" (i.e. "we can't delete it as we don't know how to delete it") BSO later also claimed that my NIECR record (including my personal data shared by my GP Practice against my expressed wishes) like all Health Service records were governed by a retention and disposal schedule in accordance with the Public Records Act (NI) 1923 and the Disposal of Documents Order 1925 and so could not be deleted in contradiction of that retention and disposal schedule.

      2. Doctor Syntax Silver badge

        Re: Insufficient

        From the link about the story being refuted: "an investigation found no evidence of data being available to unapproved researchers"

        A successful investigation, I see.

  3. amanfromMars 1 Silver badge

    What more do you need to know, to know they are just spouting and shovelling BullShit

    The government claimed the new bill would provide a £10 billion ($13 billion) boost to the economy, free up 1.5 million hours of police time and 140,000 staff hours for the NHS every year.

    Four questions to ask yourself and honestly answer ......

    1) .... Whenever has the government delivered on their claims, which in turn can be termed as an earnest promise which then easily defaults and morphs into just an aspiration?

    2) .....Why do you keep falling for such serial claptrap and eat that shit?

    3) .....Do you like it?

    4) .....Does it satisfy you?

    Government speak with forked tongue, Kemosabe. Promise to deliver the moon and the sun and the stars, whilst in the shadows and behind veils of dank darkness, do they pillage and steal to destroy dreams.

  4. munnoch Silver badge

    "Data is the DNA of modern life"

    Odd analogy. DNA if anything is meta-data. It's the schema that controls how we are built.

    But I'm sure that's the least we have to worry about where this govt is concerned...

    1. Doctor Syntax Silver badge

      Re: "Data is the DNA of modern life"

      Remember that statements like this are made by government mouthpieces who are very unlikely to know anything of either data or DNA except that they've heard of them. Ignorance enables them to say these things without suffering from cognitive dissonance.

  5. Anonymous Coward

    plus ça change, plus c'est la même chose

    The more UK Governments Change, the more they stay the Same.

    1. Doctor Syntax Silver badge

      Re: plus ça change, plus c'est la même chose

      Governments change. The Departments remain the same. It's just a new set of politicians being house-trained.

      1. Sora2566 Silver badge

        Re: plus ça change, plus c'est la même chose

        Sir Humphrey, is that you?

  6. Anonymous Coward

    This health data must be worth quite a bit but I doubt it's 10 billion. It's more likely to result in an exchange of envelopes and jobs for ministers when they leave government on both sides of the house.

    The first implementation of this meant I had to go and get my GP to put some codes on my record so it wasn't slurped. Which was mostly pointless other than my GP record because any trust hospital I visited won't have had those codes so would be fair game (no way to add them either). This was quite a polite request by the former government.

    My concern is the path they are taking now. On the face of it a health passport with all your medical data to hand sounds like a sensible idea but then they talk about selling it and "anonymising" it. This comes with no option to opt out. Can they ever truly anonymise the data? They can remove my name but what do they have to leave? My age (not date of birth), my location (not address) and all my conditions linked with dates. I've had 3 cancer scares that required tests. Skin, lung and prostate. The skin one also had a BCC removal (which thankfully wasn't cancerous). It would be very simple for a company like Google (who want this data) to cross reference this data with my searches. They will have details of prescriptions and dates which is again something that can be cross referenced when I have been prescribed a new medication (who doesn't look them up?). Let's say I have a storecard and that data is available then that's another avenue to identify me (did I buy a cream? or Lemsips for example). Once identified I'm now linked to that unique "anonymous" NHS data ID but that's the plan. Can you imagine what insurance companies would pay for this data? Financial institutions as well. There would be a queue for this data and a lot of money changing hands and I am absolutely in no doubt that in this money orientated society that is exactly what will happen.

    There is absolutely nothing we can do about it. This is something that moves across political party lines, is not of benefit to the people and will happen no matter what we do. Sucks living in a "democracy".

    1. Anonymous Coward

      > The first implementation of this meant I had to go and get my GP to put some codes on my record so it wasn't slurped. Which was mostly pointless other than my GP record because any trust hospital I visited won't have had those codes so would be fair game (no way to add them either). This was quite a polite request by the former government.

      These "codes" are just to signal to your GP Practice's EMIS/SystmOne/whatever electronic records system to not share your Practice record with other NHS systems. That is all, so obviously such codes won't control whether hospitals etc share your data.

      > then they talk about selling it and "anonymising" it. This comes with no option to opt out.

      Data Protection law does not cover anonymous data. However whether personal data has actually been anonymised, rather than pseudonymised, is a different matter...

      > Can they ever truly anonymise the data? They can remove my name but what do they have to leave? My age (not date of birth), my location (not address) and all my conditions linked with dates. I've had 3 cancer scares that required tests. Skin, lung and prostate. The skin one also had a BCC removal (which thankfully wasn't cancerous).

      Indeed that is one of the most important questions - are organisations actually anonymising personal data? (rather than perhaps "trying" to do so)

      > It would be very simple for a company like google (who want this data) to cross reference this data with my searches.

      (UK) GDPR / UK DPA 2018 does actually define a specific criminal offence of de-anonymising data. Whether you would be actually able to prove that however is a different matter.

      > Once identified I'm now linked to that unique "anonymous" NHS data ID but that's the plan.

      Any such NHS ID (HCI in Northern Ireland, I think it's a CHI in Scotland, etc) is *not* an anonymous ID, it is a pseudonymous ID and pseudonymous data is still personal data as defined by data protection law.

      1. Anonymous Coward

        > Any such NHS ID (HCI in Northern Ireland, I think it's a CHI in Scotland, etc) is *not* an anonymous ID, it is a pseudonymous ID and pseudonymous data is still personal data as defined by data protection law.

        That's one of the points I'm making. The health data has to be linked. If I have high blood pressure and piles then my anonymised data needs to show this with dates for the data to be of any use in prediction of conditions. Likewise going forward any new conditions would have to be linked. In essence my whole health condition record has to be shared which greatly reduces the anonymity of it. This in itself makes me wonder about the value of the data. It's unusual for health care to work on preventative medicine if the cost of treatment is not far greater than the cost of prevention and even then it's determined by the cost of healthcare to the patient. If as with the American model sometimes the patient makes a contribution or pays in full then prevention can be a loss maker. It could be really useful as a profit prediction model though.

        1. Anonymous Coward

          > If I have high blood pressure and piles then my anonymised data needs to show this with dates for the data to be of any use in prediction of conditions. Likewise going forward any new conditions would have to linked. In essence my whole health condition record has to be shared which greatly reduces the anonymity of it.

          You seem to be getting confused between anonymised data and pseudonymised data. If the data being shared contains enough information to enable someone (not necessarily the org receiving that data) to determine who the person is that the data relates to then it is *not* anonymised data!

          Anonymised data might be something like where, for example, a study/research is given data about cancer incidence in a general region where *no* NHS IDs are provided, ages are replaced with age ranges (e.g. the age field for someone who is 27 is replaced with 20-29 instead), the only "location" provided is the 1st portion of their postcode (to "narrow" it down only to a region or city), etc. Obviously situations where someone has an unusual health condition or combination of problems present complications for anonymising their health data.

          Anonymised data can be shared with 3rd parties as it is no longer personal data (and therefore no longer subject to data protection laws).

          Health records and pseudonymised data however is shared within the NHS.

          My understanding is that pseudonymised data cannot be shared by the NHS with 3rd parties (for non direct-care purposes i.e. for research) without the consent of the individuals. Obviously if the NHS is contracting out direct care activities (i.e. surgeries) to 3rd parties like private hospitals then individuals' health records or pseudonymised data is likely to be shared for those purposes.
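The distinction drawn in this comment, between a pseudonymised record (ID replaced by a token that the key holder can still re-link, so it stays personal data) and an anonymised one (ID dropped, age and postcode generalised), is easy to get wrong in practice. The following is an added example and not code from any commenter or from the NHS: it applies both treatments to a constructed set of records (the `HCI-000n` IDs, BT postcodes and condition names are made up) and then runs a simple k-anonymity check over the "anonymised" output, flagging any combination of age band, postcode area and conditions that appears fewer than k times. That flag is the mechanical form of the caveat above: an unusual condition leaves a record that still singles out one person, so the release is not anonymous even after generalisation.

```python
"""Pseudonymised vs. anonymised health records, with a k-anonymity check.

All sample data below is constructed for illustration; the IDs, postcodes
and conditions are not real identifiers.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample extract: one row per person, keyed by a health ID.
RECORDS = [
    {"health_id": "HCI-0001", "age": 27, "postcode": "BT1 1AA", "conditions": ("hypertension",)},
    {"health_id": "HCI-0002", "age": 29, "postcode": "BT1 2BB", "conditions": ("hypertension",)},
    {"health_id": "HCI-0003", "age": 24, "postcode": "BT1 3CC", "conditions": ("hypertension",)},
    {"health_id": "HCI-0004", "age": 63, "postcode": "BT1 4DD", "conditions": ("hypertension", "haemorrhoids")},
    {"health_id": "HCI-0005", "age": 61, "postcode": "BT1 5EE", "conditions": ("hypertension", "haemorrhoids")},
    {"health_id": "HCI-0006", "age": 45, "postcode": "BT9 6FF", "conditions": ("rare_condition_x",)},
]


def pseudonymise(record, key: bytes):
    """Replace the health ID with a keyed hash (HMAC-SHA256, truncated).

    Whoever holds `key` can recompute the token from the ID and re-link it to
    the person, and the rest of the row is untouched, so the output is still
    personal data in data-protection terms.
    """
    token = hmac.new(key, record["health_id"].encode(), hashlib.sha256).hexdigest()[:16]
    out = dict(record)
    out["health_id"] = token
    return out


def anonymise(record):
    """Drop the ID entirely and generalise the quasi-identifiers.

    Age becomes a ten-year band and only the outward part of the postcode
    (the area/district before the space) is kept.
    """
    decade = (record["age"] // 10) * 10
    return {
        "age_band": f"{decade}-{decade + 9}",
        "postcode_area": record["postcode"].split()[0],
        "conditions": tuple(sorted(record["conditions"])),
    }


def k_anonymity_violations(anon_records, k=2):
    """Return the (age_band, postcode_area, conditions) tuples that occur
    fewer than k times in the release. Each such tuple corresponds to a
    record that still singles out an individual."""
    keys = [(r["age_band"], r["postcode_area"], r["conditions"]) for r in anon_records]
    counts = Counter(keys)
    return sorted(key for key, n in counts.items() if n < k)


def release(records, k=2):
    """Anonymise a batch and report which rows fail the k-anonymity check."""
    anon = [anonymise(r) for r in records]
    return anon, k_anonymity_violations(anon, k)


if __name__ == "__main__":
    # Hypothetical key; a real deployment would hold this in a key store.
    demo_key = b"example-pseudonymisation-key"
    print("pseudonymised:", pseudonymise(RECORDS[0], demo_key))
    anon, bad = release(RECORDS, k=2)
    for row in anon:
        print("anonymised:", row)
    print("rows failing k=2:", bad)
```

With k=2 the only failing tuple is the single person in BT9 with the rare condition; raising k to 3 also flags the two people in their sixties with the same pair of conditions. The check is deliberately conservative: it treats the full condition tuple as a quasi-identifier, which is exactly what makes a whole-record health history hard to anonymise.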

    2. cantankerous swineherd

      your medical record pretty much identifies you, whether names and addresses are attached or not.

  7. Tron Silver badge

    BS.

    Quote: The government claimed the new bill would provide a £10 billion ($13 billion) boost to the economy, free up 1.5 million hours of police time and 140,000 staff hours for the NHS every year.

    That won't happen, any more than Boris's Brexit benefits or anything else the British government ever promises.

    Are we still going to have to waste time endlessly clicking 'Accept All' on those ****ing cookie checks on every ****ing website we go to? Just offer an option for the 1% of people who complain about cookies.

    1. Martin-73 Silver badge

      Re: BS.

      Indeed, add to that a following popup offering a signup to a newsletter, then yet a third which suggests you follow them on faecalbook, which when you click the X re-directs you to the initial cookie popup but this time with the 'yes i'll take all the bloody cookies just show me what i was looking for' button offscreen, stage left.....

      Icon: blood pressure

    2. Jonathan Richards 1 Silver badge

      Re: BS.

      Well, what I get bored with is endlessly clicking 'Reject All' on cookie checks, followed by 'Object All' for the amusingly named 'Legitimate Interest'. If I don't get the option, I'll just have to manually delete the ****ing cookies, I suppose.

      1. Anonymous Coward

        Re: BS.

        If you are using a Chromium-based browser, this extension does it all for you

        https://chromewebstore.google.com/detail/i-still-dont-care-about-c/edibdbjcniadpccecjdfdjjppcpchdlm?hl=en

        Failing that, just about all browsers (even Chrome!) have a "delete all cookies (except those you whitelist) on exit" option.

    3. Anonymous Coward

      Re: BS.

      https://chromewebstore.google.com/detail/i-still-dont-care-about-c/edibdbjcniadpccecjdfdjjppcpchdlm?hl=en

  8. Doctor Syntax Silver badge

    I think I may have scored a very small victory with our local hospital trust. Some time ago SWMBO received an apparent phishing email (links, not from the domain it claimed - you know the drill) asking her to log on (i.e. register) to a 3rd party site to obtain some information from the trust. A complaint followed. Then I got an apparent phishing email asking me to register for some other 3rd party site to view my patient information. ??? Haven't been a patient there for years. Another complaint.

    Now, several weeks later, (probably about the time it takes for these things to work through the systems) there's a mailing from the trust's domain itself explaining to patients that the former email was genuine.

    There's still a few issues. The service is called Patients Know Best (PKB) so what does PKB know? Does information only get passed to them when the patient registers or has that already happened?

    1. cantankerous swineherd

      my GP is training people to click on links in text messages, none of them to nhs.uk...

      betting the NHS on the internet is stupid, ask St Thomas's hospital, crippled by an attack on a supplier, never mind them.

      ask Maersk how much a complete new system is.

      1. Doctor Syntax Silver badge

        Never mind the GP - banks are doing it and you'd think they have most to lose if they have to make good on fraud cases.

  9. Anonymous Coward

    Someone put the word "security" in the same sentence as "GDPR".........

    https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-patient-royal-free-deal-data-protection-act

    https://www.theregister.com/2022/01/10/ipco_report_2020/

    https://www.theguardian.com/society/2023/may/27/nhs-data-breach-trusts-shared-patient-details-with-facebook-meta-without-consent

    ....Yup.....three links (from thousands!) which show just what a JOKE the current GDPR arrangements are!!!!

    How developed is your sense of humour?

  10. Anonymous Coward

    In synch with the EU…

    BRENTRY!
