“We found this meeting to be productive and are pleased with the level of cooperation between our respective organisations”

Letter from David Evans, Strategic Liaison, Information Commissioner’s Office, to Christine Outram, Director of Strategic Intelligence, NHS England, 26 September 2013

 

As the care.data leaflet arrived in people’s homes in January, the ICO published a blog by Dawn Monaghan, Group Manager for Public Services in the ICO’s Strategic Liaison team. The blog described the NHS approach to the extraction of data from GP practices, the communication activities to underpin this, and the ICO’s role which – accurately – Monaghan described as limited. However, the blog did not stop short of effectively endorsing the process. Having summarised the plan to have posters and leaflets in GP surgeries and a household leaflet drop, Monaghan’s blog stated: “We see this as a sensible approach” and “we would consider it likely that the fair processing requirements under the DPA would be met”.

Within days, the media was reporting on widespread concerns about the sensible approach. By the time of Tim Kelsey’s Comical Ali appearance on Radio 4’s Today Programme to say that everything was absolutely fine just before the whole thing was put on hold, Monaghan was interviewed to say that NHS England had not done enough. Christopher Graham later complained to the Independent that they’d wanted a direct letter all along.

This reaction to the mess was correct – it was the original, syrupy reassurance that was odd. The ICO is an independent regulator, there to ensure data protection compliance and, where necessary, to take enforcement action to back that up. And yet here they were, effectively saying ‘it’s all fine’. I thought it was bizarre that the ICO could give any backing to NHS England’s approach, but they seemed to find it necessary to be supportive until they saw which way the wind was blowing.

My concerns were shared. In September 2013, Dr Geraint Lewis, Chief Data Officer of NHS England, was warned that the communications plan – the ‘sensible approach’ – was “essentially passive”. There were real concerns that “a number of patients would be unaware of what is happening to their personal data”. Lewis was informed that the approach – essentially the same approach that was delivered in practice – was almost certainly not an “adequate standard to ensure data protection compliance”. In October 2013, Rachel Merrett of NHS England received an email expressing concern about the household leaflet drop. There was a serious question about the leaflet’s effectiveness, arriving as it would along with stuff from “the local window cleaner and the Domino’s Pizza leaflet”, likely to be “scooped up and placed in the bin without being read”.

The author of these communications was Dawn Monaghan. I made an FOI request to the ICO for correspondence and meeting notes between the ICO and NHS England and the HSCIC. A large quantity of material was disclosed, virtually all of it recording the frequent contacts between Strategic Liaison – Monaghan, Evans and occasionally the head of the team, Jonathan Bamford – and various NHS England and HSCIC civil servants. The biggest players – Information Commissioner Christopher Graham and Head of Patients and Information Tim Kelsey – make cameos as, early on, the ICO fails to persuade NHS England to contact each patient directly.

It’s difficult to find a proper description of what Strategic Liaison does on the ICO’s website, but the aim seems to be to maintain good relationships with large data controllers (‘stakeholders’). This seems clear from a ‘Strategic Liaison Organisational Review’ document put forward by Bamford in March 2013, asking for more staff. More staff would help meet the ICO’s objectives to “maintain its influence in key areas and on key issues”. Another key benefit was to ensure that “stakeholder satisfaction levels will be maintained”. So how’s that influence working out for you?

In practice, Strategic Liaison’s activities look like the provision of lots of free advice with no real gain for compliance or the public. From the Commissioner through Bamford to Monaghan and Evans, and in particular, in emails in August 2013, it is clear that the ICO wanted a direct communication with each patient, and they wanted the leaflet to set out very clearly what the ICO called an ‘opt-out’ until they acquiesced to NHS England’s terminology of an ‘objection’. In reality, the leaflet drop went ahead, and it contains only mealy-mouthed references to objecting. There is no form to register an objection or website to do so – on the last page, it simply tells the reader “ask the practice to make a note of this in your medical record”. Even NHS England’s preferred word ‘objection’ does not appear.

All the while NHS England and HSCIC pressured Strategic Liaison for detailed advice about who they think the Data Controllers are in various permutations of the process, and even when they got the answers, they demanded to know the background thinking. This resulted in Monaghan sending a detailed letter in November 2013, setting out the ICO position in detail. The average data controller, seeking concrete answers to such questions, would be told to whistle for it. Ring the helpline today and see if I’m wrong.

NHS England and the HSCIC clearly wanted the ICO to sign off their proposals. Even though an independent regulator should refuse this outright, Monaghan several times refers to sign-off as something which cannot be done yet. In September 2013, an email states “Until this has taken place, the ICO could not offer an endorsement or agree that the process or communication plans would be compliant”, while later on it is unlikely that “we will be able to reach a point of endorsement or assurance until…”. The ICO is there to regulate, not to give approval, and yet it seems they contemplated endorsing the process. Indeed, what is Monaghan’s January blog, if not a tacit thumbs up? Typical of the way things worked is Monaghan’s statement on 12 August 2013 that “we do not wish to cause unnecessary delays to the project”. Delays to the project are not the ICO’s problem. If NHS England didn’t want to wait for ICO advice (advice I don’t think the ICO should have given), they should have got their answers from their own lawyers and hoped for the best, like most other Data Controllers have to do.

No matter how quickly the ICO changed their mind after the wheels came off, no matter how strong some of the correspondence is (Monaghan’s bracing September 2013 letter to Lewis is a standout), the overall mood is cooperative, ameliorating, persuasive, which might be OK if it worked. Teddy Roosevelt once advised a friend to ‘speak softly, and carry a big stick’. Strategic Liaison don’t have so much as a twig. The worst threat they offer is refusing to sign off the communication plan, something they should never have offered to do in the first place.

The only mention of enforcement action anywhere in the correspondence comes in an email from Rachel Merritt of NHS England in November 2013, trying to get confirmation from the ICO that they will take action if GPs opt out their patients in bulk. If the ICO cannot issue guidance on this issue, then NHS England has a number of options on the table: “If a large number of GP practices bulked block [sic] their patients, consideration would need to be given to whether we can continue to offer the objection”. Acknowledging the NHS Constitution’s guarantee of a right to object, Merritt continues that if the objection offer was withdrawn, “we could consider and refuse on this basis that we cannot provide a health service”. There is no evidence of how Strategic Liaison even reacted to this outrageous suggestion, but the friendly cooperation certainly continued. NHS England’s meeting notes from the back-end of 2013 even imply that the ICO was considering whether action against bulk opt-outs was possible.

Meanwhile, the HSCIC expressed concern about subject access request numbers escalating, and the meeting notes state “ICO to bring up with health priority cross officers group the issue of support for subject access requests”, and on 19 September 2013 “ICO agreed to work with the HSCIC if such requests significantly increased”. This offer of support is unacceptable on its own terms, but the ICO’s own Subject Access Code of Practice states “You should be prepared to respond to peaks in the volume of SARs you receive”. Every other Data Controller has to put in additional resources, but elite stakeholders get a promise of support. As we know, Strategic Liaison has to maintain their satisfaction levels.

I have complained before that the ICO’s use of the word ‘customer’ when they mean ‘complainant’ sends out the wrong message. The ICO is an ineffective ombudsman, and their recent decision to concentrate more on regulatory issues than making every complainant happy is probably a good idea on balance. I doubt it will work, but that’s a separate question. It’s essential for the ICO to be neutral, and sending out the message that they’re on the side of the public is wrong. They serve Parliament, the Data Protection Act and the public interest. But equally, it is wrong for them to assist certain favoured ‘stakeholders’, facilitating them with monthly meetings, daily emails, and detailed advice on demand, especially when the ICO’s own requirements (if you can call them that) are unmet. Would NHS England have sent a clear letter with an opt-out form to every individual if Strategic Liaison had promised them an enforcement notice if they didn’t? We’ll never know, but you don’t have to read much of the correspondence to see that this kind of thing isn’t in their vocabulary. The ICO needs to publish guidance, it needs to deal with complaints (i.e. make assessments) and in certain cases, it needs to enforce. Why does it need to make friends?

If there is any future compliance question about care.data – particularly the issues of fair processing or data controllership – the ICO has been intimately involved in NHS England’s thought process. I don’t even think NHS England and HSCIC were cynically implicating Strategic Liaison – the approach of nuzzling up to stakeholders does that automatically. The days when the ICO didn’t even have an enforcement team are long gone, but Strategic Liaison represents an outdated strand of thinking. The senior people who ran the office when I was there – which was long, long ago – treated Data Protection as an extended debating society where everything could be settled with a civilised discussion. Strategic Liaison had a civilised discussion with NHS England, they didn’t get what they wanted, but in the end, was maintaining a good relationship an objective in itself?

The one question FOI doesn’t allow me to ask is what Strategic Liaison think they’ve achieved. Care.data was delayed again, and this time, the objection that NHS England had contemplated dropping is getting a statutory basis, but Strategic Liaison didn’t ask for these concessions. It’s probably more pleasant to maintain friendly relationships with big data controllers, but at least in this case, I can’t see what was achieved by it. The ICO has a mountain of FOI complaints, a difficult new approach to DP compliance to implement, a pile of enforcement and a new version of Data Protection on the horizon, all in a time of austerity. I wouldn’t keep Strategic Liaison going in the years of plenty, but we’re in famine now, and deploying some of the most experienced ICO staff to hold hands with an elite group of data controllers (‘stakeholders’) is a waste of valuable people and resources.

Time for a new strategy.