'Vast majority of people' are onside with a data grab they know next to nothing about, reckons UK health secretary Against a strong field, UK Health Secretary Matt Hancock has come out as a winner in the prize for stomach-churning political double-speak while addressing NHS Digital's shameless grab for patient data held by GP surgeries in England. As we reported yesterday, that grab has since been delayed by two months, supposedly to 1 …
How many five year olds are writing opt out letters to their GP?
*
And how many of today's five year olds are going to find out in, say, ten years time that the "pseudonomised" data slurped in 2021 has actually been assigned to them........and is completely wrong?
*
Do the names Palantir or Acxiom ring any bells?
"How many five year olds are writing opt out letters to their GP?"
They don't have to, because [a] under the DPA 2018 and UK GDPR. for minors under the age of 13 consent (and this amounts to a warped kind of consent) is vested in the parent or guardian, and [b] writing a letter may not be deemed sufficient. It would appear that the official form must be used for the opt out (not least because it carries the numeric codes for opt out and opt in).
BTW, I submitted my Type 1 opt out form to my GP some three weeks ago, but received no acknowledgement. On enquiring today by phone I was told by the receptionist that they had recorded it but could not send me a conformation letter as that would fall under a "request for medical records". I pointed out that in a matter of such moment I was rightly entitled to formal confirmation that my opt out had been actioned and that without such confirmation the buck would stop with the practice if anything went wrong. She got back to me having spoken to someone I was not allowed to speak to, stating that a confirmation letter would be sent to me.
It appears that data subjects are not the only ones who have not had time to get their heads round the system, so the promised extension of time (supposing it actually materialises) is very welcome.
Given the British government has taken the US' pioneering "alternative facts" and made it their own while the US has thankfully corrected its mistake, there's no debate to even be had, since everything said by Hancock was the diametric opposite to reality.
Not entirely.
Republican states are currently doubling down on the madness and doing their level best to ensure that, come next Election Day, only genuine, white-skinned Republicans will be able to vote.
Oh, and apperently Trump is announcing that he will be "reinstated" next August.
The level of delusion of these people is impressive, I must admit. How they remember to breath through the day is a miracle in itself.
It's obvious to me that collating, organizing, analysing, mining, AI-ing all the NHS patient data is a good thing for health research, society an, potentially, me. I'm all for it.
It's similarly obvious to me that insurance companies, social media sites, news sites and criminals getting access to the same data is a bad thing.
If someone gave me a rock solid guarantee - air gapped data with crown jewel security and with the regs written in criminal law backed up by jail terms for politicians past and present in the case of breaches and real £££money compensation for citizens then I might, just might, consider giving them access*
Until then, they can all fuck off.
*I still probably wouldn't.
I'm pretty much in the same mind as you on this. However, having worked in NHS IT i'd just like to comment that most people don't understand that their GP is actually a private, for profit business which is not actually part of the NHS other than being a contractor to their local NHS trust.
If most people were asked "do you support your data being held by an external contractor to the NHS, who only works office hours and therefore prevents the NHS from obtaining your medical data when you are in A&E in the evening or at a weekend" then the number of people in favour of retaining their information on paper with their GP would likely be less than if you listened to the concerns about data being able to be shared with other groups.
It's all about how different pressure groups word things to cover their interests. GP's groups are not going to play on that angle, obviously since they can't then bill the NHS for providing the information.
> If most people were asked "do you support your data being held by an external contractor to the NHS, who only works office hours and therefore prevents the NHS from obtaining your medical data when you are in A&E in the evening or at a weekend" then the number of people in favour of retaining their information on paper with their GP would likely be less than if you listened to the concerns about data being able to be shared with other groups.
I agree with the first part, the problem is that for it to be an either-or there has to be trust.
Patients have to be able to trust that NHS Digital slurping the data will result in it being available to A&E, but going no further than that (i.e. no sharing with "other groups").
That trust has been seriously undermined by NHS Digital trying to roll out a system sharing data with "other groups" with no meaningful notice, announcement or simple way to opt-out of the slurp.
Hospitals having access is, undoubtedly, a good thing - the problem is for that to happen, NHS Digital need to have access, and it's currently impossible to trust that they won't later pass it on/sell it/leak it/otherwise screw the trust placed in them.
Admittedly, I am laying a lot of blame at NHS Digital's door here, when really there's no doubt in my mind that the Secretary of State doesn't have his fingers in this particular pie somewhere.
Admittedly, I am laying a lot of blame at NHS Digital's door here, when really there's no doubt in my mind that the Secretary of State doesn't have his fingers in this particular pie somewhere.
Are you suggesting that perhaps he's got a mate down the pub who's first in line to buy data access on the cheap? Perish the thought! And I definitely can't see someone as successful and as honourable as our lovely Secretary of State for Health and Social Care being fired as a scapegoat anytime soon, then desperately needing a well-paid non-exec directorship or three to help pay the defence costs in any civil suit which might subsequently be brought against him.
You GP or their deputy is available for emergencies 24 hrs a day.
Their secretary and receptionist not so much.
The records sre not nowadays held in the Pracyices, they are held by a small number of system suppliers, presumably in multiple, redundant, fail over, backed up, data centres which are not adjacent.
Those deputies, generally, are found among the same population of doctors who provide the GPS who hold lists.
Some general practices are operated by health authorities - whatever the health authority is called this week.
The contractual relationship between GPs and health authorities and the NHS is complicated. Much more so than that with consultant specialists. It grew.
But that's not the approach you have taken is it?
The approach that has been taken is "let's grab it quickly with as little publicity as possible, make it hard to opt out of, and sell everybody's data off once and for all as a fait accompli, whilst telling the idiot voters it's all in their own interests using a bit of sentimental soft soap about 'saving lives'".
The shitty way they've tried to do it on the quiet just shows how embarrassed they must be about what the true intent of this data grab is.
"I'm fine to sell them my data, where are the money? Or anything produced using people's data will be free and available to every body?"
Eh?
So you are happy that people can snoop into people's medical history recording abortions, drug treatments or mental health issues and the like?
If it was only for research and development it might be acceptable, though I would still opt-out, but to just throw it open to those with the biggest wallets makes the proposal totally out of line.
One other thought occurs to me. If the likes of Google, Amazon and Facebook are made to jump through the hoops and ask your permission to set a cookie, why the hell did anyone think that just scooping up people's most sensitive and potentially damaging data and placing it on the open market was either a good idea or even legal?
Surely to God the GDPR has something to say about this.
"The DPA 2018 exemptions are for policing and national security matters...
These are derogations - permitted national variations, and stand out purely because of the structure of DPA 2018, which is divided into general, policing and national security sections (that are indeed for the most part almost duplicates). The UK GDPR, which exists as statute alongside DPA 2018, is essentially a set of minor adjustments to the EU GDPR to take into account the UK no longer being a member of the Union. However the core Articles as set out in the EU GDPR continue (for now) to have the same general effect.
Medical data fall under Article 9, which includes government latitude for "...the management of health or social care systems and services" (Art. 9.2(h)) and "processing [...] necessary for reasons of public interest in the area of public health..." (Art. 9.2(i)). These override any expectation of processing on the basis of consent (Art. 9.2(a)). Consequently the UK government probably feels quite virtuous in offering us an opt out. We'll have to wait and see how long it lasts.
The part that really bugs me about that argument is that it actually makes things worse. If this data is so critical to share with everyone and people will die every moment it's not available, why have they waited until now to share it? How many lives could have been saved if there just hadn't been a six week notice period? How many lives are the Conservatives responsible for taking since they came to power over a decade ago? If it really is so urgent to get this data right now, why on Earth are they being so casual about it?
How many lives are the Conservatives responsible for taking since they came to power over a decade ago?
To be fair, they did try this six or seven years ago. Then after that it slipped their minds, presumably. Or they were too distracted by all their infighting over Brexit to give a shit about the rest of us.
The evidence is that "the vast majority of people have not objected" - so if they did not object then they must be strongly onside. That most people do not know about it or do not understand how easy it is to de-anonymize data and how personal data can be abused in years to come - is not an issue that Hancock wants to talk about.
This is using the same logic that a losing candidate uses when claiming that the victor was elected by a minority ... having assumed those who did not vote as would have voted against the victor.
Do we know if Hancock has opted out ?
“On display? I eventually had to go down to the cellar to find them.”
“That’s the display department.”
“With a flashlight.”
“Ah, well, the lights had probably gone.”
“So had the stairs.”
“But look, you found the notice, didn’t you?”
“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.”
If most people are onside, then make the process opt-in. Have a form that states what will be shared and with whom, and have people sign that form and send it to their GP. This should be fine if most people are so strongly onside with the plans.
The "vast majority" might give away some privacy in return for something, but they don't usually do it for free. You have to at least offer them Nectar points or a Facebook account.
Personally, if other people want to hand out their own medical data then I am happy with that. Except I am not - because the scope of medical data is drastically changing - would I want my relatives handing out their genomic data, for example, that can then be used to bump up my health insurance costs?
good time to bury the bad news. I mean, why would you NOT want to share this valuable, health and live saving data in those dire times of health and live hazard - for the benefit of us ALL?! (plus extra benefit of money-spinner to selected few but hey, sheep get sheared and get lighter and nimbler, while the shepherd needs to labour hard to recover his investment, win-win, eh?
Would any of these prospective data consumers sign a contract saying "You accept full liability for any costs, fines or compensatory payments arising from public identification of any subject in this data"?
I thought so. Problem solved.
If they think they can get away with professing ignorance, add a few unique fictional records to each set so you know who leaked.
If you needed any confirmation that government works for business and not the electorate then this is it. Though it's always been known. This is Round 1, Round 2 will be the extra funding this will provide to the NHS that it so desperately needs. Maybe a couple of government friendly doctors on the BBC saying how much that will help. Add in a bit "pandemic struggle" and that's it most of the nation will be sold on the idea.
As Sir Humphrey explains:
https://www.youtube.com/watch?v=G0ZZJXw4MTA
Do you want to improve the state of medical research in this country?
Do you think actual healthcare data from GP records could contribute to medical research?
Do you think large data sets can improve the validity of research?
Would you support the use of GP patient records in improving medical research?
Whenever you submit your opt-out form to your GP Practice how will you know if they actually act upon it? I believed I had a data sharing opt-out (for anything that was for non direct-care-only purposes) in place with my GP more than 10 years ago which it turned out they didn't know how to act on and so some of my personal data was shared with central systems introduced since then. When I happened to mention that opt-out to my GP 4 years ago it turned out that only *then* did they (without telling me) start acting on the opt-out but they had shared my data with several system for 6+ years prior to then. They eventually admitted their mistake and I obtained via a DSAR an email from them to another part of health service were they were trying to justify their mistake by saying "He didn’t come back to us then to remind us not to share his data".
Even if your GP acts on the opt-out, what happens if you change GP Practice (i.e. move home)? In "the old days" (TM) patient paper records were physical moved to the new practice (via some NHS intermediary?), these days it seems its happens via a GP2GP electronic system. How do you ensure that your new GP Practice will have your opt-out in place *before* they load your patient records onto their patients records system (EMIS, SystemOne, etc) ? If its not in place beforehand then their patient records system will happily upload your records onwards to GPDPR. I don't believe GP2GP includes the transfer of any opt-outs you might have had in place with your previous GP.
If/once your personal data is accidently uploaded to GPDPR or any other central system you won't get it deleted from there....
> "If/once your personal data is accidently uploaded to GPDPR or any other central system you won't get it deleted from there...."
"""""accidentally"""""
I suspect we're going to be seeing an awful lot of "oops I accidentally all your data" considering that everyone involved knows the only penalty is to be told to not get caught doing it again and how about this cushy promotion? etc.
The inaccuracies are going to be interesting, too. There's stuff that legally shouldn't be on my record that I've repeatedly told my GP to remove but hasn't happened, so once the not-actually-anonymised data is shared with everyone I shall be rather cross. Which is probably about the limit of whatever recourse is available.
Somebody with the same surname and initial as me is getting IVF in a town I used to live.
I know because I kept getting letters from my GP for them
I did tell the receptionist but they weren't interested, I did mention Data Protection but she informed me that GPs were exempt.
I'm hoping that being a guy apparently receiving IVF won't affect me once Facebook get all "my" records
"I did tell the receptionist but they weren't interested, I did mention Data Protection but she informed me that GPs were exempt."
I'd have a word with the ICO - GPs most certainly are covered by the Act, so you've got a breach, refusal to correct an error and demonstration of insufficient training all in one go here.
The Daily Mail might run a nice story once it's given to them, I suppose.
Er anyway, I had a similar thing with the local hospital who sent me a letter containing extensive medical information about someone who didn't even have a vague similarity (i.e. completely different name, address and a department I'd never dealt with).
When I reported it to them, they showed their unerring commitment to upholding the DPA or whatever it was at the time in that they mobilised their legion of managers to do the standard thing of blaming it on some minimum-wage temp whose name they couldn't remember. But they could still recall with absolute clarity that it was absolutely definitely some minimum-wage temp who no longer worked there. It was therefore Somebody Else's Fault™ even though the "somebody" was almost certainly fictitious, job done, no further action required etc (I know I could've pursued it on the basis that they are still responsible anyway, but life's too short, etc).
Then again, this is the same hospital that insisted "it never happened!" when I needed to make a complaint about an unrelated incident, and then followed it up with "if you don't drop the matter, we will produce an unnamed witness who will confirm that they witnessed nothing happening and that it was also your fault." Sigh.
Okay, so I am to understand that Twitter is now an official government information platform ?
I mean, I know every twat in office spends much more time on Twitter than he apparently spends working (hmm, there might be something there), but I was not aware that I should now be obliged to have a Twitter account and follow all governmental departments to get official news.
Official news should be broadcast on the telly or radio at official news times, presented by a professional news anchor and possibly commented on by a guest invited for that purpose - hopefully, someone from NHS, or at least the medical profession.
I'm not much interested in the opinion of a celebrity or an "influencer" (gah) on this matter.
That pushed me to opt out of the organ donor register.
When it was opt in (as it used to be) I thought it would be a wonderful thing to donate my organs in the event of an untimely issue (although at my age I am not sure they would have many more years in them anyway) but when it changed to opt out (if you don't opt out then we can just take them) I went and opted out.
There were all the 'do you really, really want to opt out"? messages of course.
They asked for a reason (for feedback purposes natch). I simply wrote:
I am not a chattel of the state.
Had to change my driving licence (had to do it twice as the first time did not change the status with a strongly worded letter to the effect of 'I deliberately stated I am NOT an organ donor. Please remove it from the licence')
I have already opted out of this one as well. Funny that Matt Hancock thinks so many people are on side; everyone I explain it to is horrified at the thought of their most private information ending up in the hands of some unscrupulous data fetishist in an insurance company or some other company that will be handing out directorships (as we all know it eventually will).
The information isn't really clear on this, but I've been told that, even though in England organ-donation is now opt-out, family will still be asked before donation goes ahead. This is supported by
https://www.organdonation.nhs.uk/helping-you-to-decide/about-organ-donation/consent/
which contains the lines
"Your family will always be asked to support your decision before organ donation goes ahead, and clinicians will never proceed if your family objects."
"Your family will have the opportunity to provide any additional or more recent information about your decision, and this will always be respected."
"If you have not recorded an organ donation decision, the specialist nurse will speak to your family about organ donation as a possibility."
You don't say which country you are in (the law differs across the UK), but regardless, I understand your position (and agree) that organ-removal for donation should not be automatic. I personally agree that discussion with the family of the deceased should be automatic, unless the deceased has opted-out. (I also believe that this is what currently happens in England.) Unfortunately the message from the NHS about this hasn't been as clear as I would like.
Nuff said, really.
The NHS has lots of examples of using patient data efficiently and securely for analysis but there is little or no need to make such data available to private companies because it is a not an asset and anyone who says it is should be turfed out immediately.
So Hancock commissions Ben Goldacre to do a review of health data uses for research:
https://www.goldacrereview.org/
Goldacre is very much careful about who gets to use data for what - he made Opensafely, a perfectly secure platform for doing analysis of this same data:
https://www.opensafely.org/
Simultaneously Hancock oversees a massive insecure data grab of the most sensitive data any of us have, and spouts some bullshit about patients owning their data.
I think Hancock is full of shit.
> "Goldacre is very much careful about who gets to use data for what - he made Opensafely, a perfectly secure platform for doing analysis of this same data:"
Looking at that website I see:
"We are working on behalf of NHS England, who are acting as Data Controller for the purposes of this urgent project; each EHR vendor acts as Data Processor. The Secretary of State for Health issued NHS England/Improvement a notice under the Health Service (Control of Patient Information) Regulations 2002 3(4) which enabled NHS England to collect the data required from GP practices directly from their EHR vendor."
GP Practices are Data Controllers for their registered patients' records stored on EHR systems (i.e. EMIS, SystemOne, INPS) where the EHR provider used by the Practice acts as Data Processor for the GP Practice.
The above text "enabled NHS England to collect the data required from GP practices directly from their EHR vendor" implies that NHS England has bypassed the general Controller-Process relationship, per GDPR, where a Processor is only supposed to act upon instructions from the Controller.
It may well be that NHS England instructed all GPs to instruct their EHR supplier to enable the collection but from the above this sounds unlikely. Therefore the Practices as Data Controllers are not actually in control of their patient records...
So what's the point of Data Controllers in law if they can be bypassed like this?
The turnout for the recent Police Crime Commissioners was less than 1/3 of eligible voters. Can the gummint therefore accept that the vast majority of people are fine with doing away with the concept?
Source: https://commonslibrary.parliament.uk/research-briefings/cbp-9244/
"Turnout averaged 33.2% across the 34 police areas where data is available (measured as valid first preference votes as a proportion of the electorate)."
edit. Police and Crime Commissioners. my bad.
As I understand it GDPR requires opt in and doesn't consider failure to opt out as consent. It always defaults to the most private secure settings. So how can the gov. claim people have consented if they haven't opted in. Should the ICO get involved and fine Matt?
Interesting that yesterday (9th June) I received an unsolicited email, claiming to be from "Patient Access", the company that manages my GP's patients' web access.
In that email I was entreated to click on two separate links (destinations obfuscated behind buttons).
One regarded T&C's, the other their Privacy Policy.
"Please read and understand the above. Any ongoing use of the service constitutes acceptance of the updated terms and policies."
I have clicked on neither, but examined their code to identify exponia.com as a common destination. They are an American owned Customer Data Platform, acquired by "Bloomreach" VERY recently.
On the GP's website there is no mention of any changes in T&C or Privacy Policy.
So, is this an attempt to get me to unwittingly give permission for data-slurp?
Or perhaps it's good old fashioned spear-phishing by someone with access to my medical records?
Either way I'm not impressed.
I just received the same mail myself (today, 10th).
Clicked on the T&c's link - blocked by ublock "because to the following filter: ||exponea.com^"
Same for the Privacy Policy link.
Tried the 'Log in' link right at the bottom - had forgotten the password, so asked for a reset link in e-mail.
Got that, and responded with a new password which was apparently accepted, because I logged in with e-mail id and (new ) password, only to be confronted with a requirement for 4th 8th and 10th letter of my memorable word.
Could not exactly remember that word, so asked for the reminder to be displayed - that led to my remembering the memorable word.
But it is only 9 characters long...
Clicked on the link for a memorable word reset. Was told that e-mail had been sent. It didn't arrive. Requested the e-mail again and it finally arrived.
Another link in the e-mail to get to the memorable word reset resulted in ublock again blocking the page, objecting to the same filter as before.
Round and round we go...
Why why bloody why is it so effin difficult!!??
This post has been deleted by its author
That this kind of data grab, of basically the most private and sensitive information anyone has, is at all up for discussion seems baffling to me.
I'm not the greatest Cummings fan, but what did he say about somebody basically being a totally immoral liar? I must have it written down here somewhere...
The arrogance of the man is unbelievable.
We live in the generation of apparently untouchable and unaccountable ministers. Only a series of legal actions has come close to stopping their various subversions, and they have tried their damnedest to fight against any form of transparency or legal accountability.
There was an advert on TV yesterday, I think Channel Five, saying that EU Citizens needed to register as EU Citizens before June 30th, or they might lose the right to health care etc. So, something that affects a small? percentage of the population can be publicised, but something that affects everybody (including those EU Citizens?) gets no publicity whatsoever.
Only goes to show what really counts here.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
