Put on your anoraks, friends, we’re going to Data Protection land.
My objection to care.data is that it is unfair – I believe that data should only be extracted from GP systems and used for research (no matter how beneficial) with consent. I am wary of care.data’s hype-man Dr Tim Kelsey, who said on Twitter that the NHS would “never” compromise patient privacy. I know Twitter enforces brevity, but he had room for ‘knowingly’, ‘intentionally’ or ‘deliberately’ and he didn’t feel the need for any of them. Everyone who knows how the NHS works (or has worked in it) knows that compromises of patient privacy – both physical and in information terms – happen often, despite much effort to prevent them. Even if Kelsey only meant care.data, it is still a promise he cannot possibly hope to keep. I am uncomfortable with the way the NHS Chief Data Officer – Dr Geraint Lewis – insists that receiving payment in return for information is somehow not ‘selling’ it (despite the universally recognised definition of ‘sell’ in any dictionary you choose) or that it is wrong to suggest that insurance companies will use data for insurance purposes when documents published by the Health and Social Care Information Centre say that they will.
However, on the narrower question of whether care.data is legal, especially in terms of whether it is legal under the Data Protection Act, I don’t think there is much of an argument. It is legal. If you have a majority in Parliament, you can make a lot of things legal. The people organising it don’t need your consent and are not attempting to obtain it. The leaflet drop is no way to inform people about such a significant step, but I don’t think it is required.
Consent cannot be obtained through an opt-out. The EU Directive on which the DPA is based and with which it must comply says that consent must be freely given, and be based on a positive indication of the subject’s wishes. How can the absence of something be consent? The answer is that it can’t. An unticked box is an unticked box and nothing more. The health sector has invented the concept of ‘implied consent’, but this is a misnomer. When they talk about ‘implied consent’, what they mean is ‘inferred consent’ – a person actively does something (for example, they willingly turn up for a test or an examination), and their consent to treatment and data processing can be inferred from their actions.
What is happening with care.data is not an attempt to get consent because the Data Protection Act does not oblige an organisation to process data only with consent. It gives the organisation options – consent is one, and a legal obligation is another. GPs have a legal obligation to allow the data to be extracted (they have no choice) and that’s that. Consent is irrelevant. The opt-out is a legally unnecessary bonus offered by NHS England to get people like me off their backs – if you don’t like it (in Kelsey’s now deleted words, if you don’t want to make a contribution to society), opt-out. I think they could withdraw it, as I don’t see that the Health and Social Care Act 2012, which gives them the power to extract the data, obliges them to offer one.
Precisely why the health minister Dan Poulter told an MP in a written answer that the ICO may be involved in policing whether GPs have unusual amounts of opt-out is a mystery, as they have nothing whatever to do with it. The opt-out is for show; it’s not necessary for DP purposes.
2) FAIR PROCESSING
Parliament decided that GPs would have a legal obligation to provide (or rather, not prevent the extraction of) the personal data. However, as the ICO – in the form of Dawn Monaghan’s blog – confirms, GPs are the data controllers of the information and are therefore responsible for data protection compliance up to and including the extraction. The ICO goes on to say that: “responsibility for letting patients know what is happening falls to GPs, as the data controllers”
The first Data Protection principle states that the use of personal data must be fair. Schedule 1, Part II of the Data Protection Act sets out precisely how that must be done – by providing certain information. Dinosaurs like me call it ‘fair processing’, whereas the current Commissioner has rebranded it a ‘privacy notice’. The information that must be supplied is the identity of the data controller, the purposes for which the data is being processed and any other information specific to the situation required to make the processing fair (surprises like – for example – your GP data will be passed to insurance companies). So if you’re unhappy with the level of information you’ve received, even though care.data isn’t their fault, you complain to your GP, because they are the data controller sharing the data, right?
Breath in: Schedule 1, Part II, Section 3 (2) (b) contains a caveat. The fair processing data must be supplied unless: “the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract” (my emphasis)
The above was overly complicated; I had overlooked the obvious. Section 35 (1) of the DPA states that personal data “are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court”. The non-disclosure provisions include all fairness considerations including fair processing.
In other words, the Data Protection Act says explicitly that if they are supplying the data in order to comply with a legal obligation, the GPs do not need to provide fair processing. The effectiveness of NHS England’s soft-soap leaflet is legally irrelevant, and if you complain to your GP about the information campaign, I think they’re in the clear.
If you think I’m technically incorrect here, by the way, feel free to comment. I sympathise with the GPs, so I think my interpretation has the small attraction of getting them off the hook, but if I’m wrong, I’d genuinely like to be put right.
But back on topic, precisely why the ICO does not want you to know this is something I cannot explain. I suspect that – like the legal precedent in the Durant judgment that says that subject access requests cannot be used for litigation – they regard it as an inconvenient truth that if they ignore, will go away. I suspect GPs will deal sympathetically with complaints from their patients, but they can turn the ICO away if it comes knocking. There is no threat there.
This is why I am appalled with care.data. Scrape away the hype and the window-dressing, and this is an authoritarian measure from which the relevant law offers no protection. Get something through Parliament, and the DPA is your poodle. That’s what happened here and even if you favour research, do you really think their means to your end is OK?
If you’re happy with care.data, nothing here will convince you otherwise and nor should it. But if you’re unhappy with care.data, face reality: consent is not required, the ICO’s powers are limited to what breaches they can find out about (AKA what they get told about), and even the opt-out is a non-statutory gift that can be removed. Quite why everyone including the ICO is pushing the GPs around is beyond me – we know who’s in charge, and they hold all the cards.