[Note added 17/3/2017: The proposal is no longer going ahead: See Question S5W-07384 of 21/02/2017 "Ministers have listened carefully to the arguments" ...and do not intend to take forward the proposal.]
I thought the idea of a centralised, national population register was well and truly dead? Well, the Holyrood SNP Government wants to resurrect a Scottish version.
The Scottish Government’s plans are outlined in a document entitled “Consultation on proposed amendments to the National Health Service Central Register (Scotland) Regulations 2006”. The intention is to transform the current NHS Central Register (“NHSCR”) so it can be accessed by more bodies, to increase the number of individuals recorded in the Register, and to use a Unique Citizen Reference Number ("UCRN") for each citizen.
The NHSCR can then be accessed by well over 120 Scottish public authorities (including police, prison, national security, visas and immigration) and certain publicly owned companies.
This blog identifies some key problems of the proposed approach and where consultation documentation fails to consider fundamental data protection requirements. As a result, it fails to inform the public properly about the consequences of the proposal.
Those who lived through the Westminster debates concerning the Identity Card Act a decade ago will recall that a population register functionality, known as the Citizen Information Project, formed 20% of the business case that supported the creation of a National Identity Register. The proposals create this population register functionality for Scotland.
For the avoidance of doubt, no new general ID Card (i.e. on the lines of the repealed Identity Card Act) is being proposed. However, I explain how the proposed infrastructure implied by the proposal could support such a Card if one were to be introduced in future (perhaps after a terrorist incident). Like the Identity Card Act 2006, there are wide-ranging powers that allow personal data to be obtained or disclosed; powers which are subject to minimal scrutiny.
I am not against attempts to improve efficiency in the public sector; in summary, I think these proposals are not the way to do it. I don’t think it proper to use a service that most citizens have to use (e.g. the NHS) to collect basic details which can then be disclosed, using powers that are not fully scrutinised, to any public body.
The current NHS Central Register (NHSCR)
The current NHSCR has been established under section 57 of the Local Electoral Administration and Registration Services (Scotland) Act 2006 (“LEARS”). According to the Registrar’s website (see references), it contains the following details:
- NHS Number - for babies born in Scotland, the civil registration number of their birth, or a special number given to a patient who was born outside Scotland but who registers with a Scottish doctor;
- Community Health Index number (this is an identifier used by the NHS in Scotland);
- Surname, forenames, any previous names and mother’s birth surname;
- Sex; Date and place of birth; Postcode and address reference number;
- Date of enlistment and discharge for Armed Forces personnel;
- Current and any previous Health Board (or health authority in the rest of the UK) area of GP registration (and equivalent information for Armed Forces personnel and their families);
- Medical research information for people who are registered as having had cancer, or are part of a medical research project;
- Date of death or when contact with the patient has been lost.
According to the Consultation, powers are to be used to add “Postcode and a unique property reference number” to the NHSCR. This is slightly confusing as “Postcode and address reference number”, according to the Registrar General’s website, is already held in the NHSCR (see list above). About another 100 identified bodies could gain access to details on the Register for their purposes.
A Unique Citizen Reference Number (UCRN) for each citizen will also be developed and used as part of identity assurance processes (i.e. when an individual establishes a digital identity, a UCRN will be created and added to the NHSCR in relation to that individual and used when an individual obtains service electronically from a public body). The Consultation explains that “bodies that have access to the UCRN and to be provided with data from the NHSCR”.
The purpose of the Register
The Consultation claims that a revised NHSCR will deliver at least four benefits:
- Improve the quality of the personal data held within the NHSCR. This is because many Scottish bodies can check their personal data against the NHSCR and update records.
- Assist the tracing of certain persons, for example, children who are missing within the education system and foreign individuals who received NHS treatment in Scotland and left the country with outstanding bills. Analysis below shows that the tracing purpose could be any purpose.
- Enable the approach to secure and easy access to online services. The intention is to use the Register so that public authorities “would have the ability, where they hold information on an individual, to have access to the UCRN and to be provided with data from the NHSCR” as part of the process whereby an individual user uses public services on-line.
- Enable the identification of Scottish tax payers to ensure the accurate allocation of tax receipts to Scotland associated with the Scottish Rate of Income Tax. There will be the ability to share data with HMRC to ensure that the process for identifying Scottish taxpayers is robust, and thereby aid HMRC in collecting the correct share of the tax revenue, which will be used to fund public services in Scotland.
Like the debates a decade ago about the “benefits of an Identity Card”, no quantitative evidence is provided to support the above claims. However, one assumes that a cost-benefit analysis has been made to support these statements, as the current NHSCR “is considered to be the most complete and authoritative record of individuals in Scotland” and “NHSCR holds information for approximately 30% of the population”.
If such an analysis exists it should be published; if it doesn’t exist – well that was the position with the Identity Card Act for a long time!
I also assume the proposed benefits rest on an extrapolation from 30% coverage of the Scottish population to an assumption of 80%-100% coverage. If so, the above assertions are based on an extrapolation well beyond the volume of data that are actually held (perhaps an extrapolation “to infinity and beyond”).
Data Protection issues
There is no analysis of several important and obvious data protection issues.
However, with data sharing, for instance, the Consultation states that “Where an organisation wishes to take advantage of this legislation (i.e. use the NHSCR) it will also require to have in place data sharing agreements to ensure that appropriate processes are put in place and followed and that the data is used for the specific purpose identified”.
In other words, data protection safeguards are described as if the population register was functioning and personal data were being subsequently shared.
There is no analysis of the following data protection issues associated with building the enhanced NHSCR.
- Compliance with Article 8 of the Human Rights Act: there is a need for the Registrar General to demonstrate that the compilation of a population register is “necessary” in terms of a pressing social need; this is needed to ensure the processing of personal data in the Register is lawful in terms of the First Principle and “necessary” in terms of a ground in Schedule 2 of the DPA.
- Consent: the consultation mentions that some information held by local authorities is “added to the NHSCR when individuals consent”. The Data Protection Regulation is expected to state that public bodies can only process that personal data which is “necessary” for their functions. This means that consent cannot form a proper Schedule 2 basis for a public authority to share personal data as it implies that such sharing is “not necessary” for their functions. That is another reason why the Article 8 position is important.
- Compulsion: the consultation fails to specify how the NHSCR is to be populated to include the missing 70% of the population. One presumes it is through the use of powers in section 57 that require those bodies that use the NHSCR to contribute to the NHSCR. On the other hand, it could be gradual accretion of entries over a number of years. Most data subjects have to use public services; they are therefore compelled to provide their details to a public body that might be compelled to pass them to the NHSCR.
- Cancer: The consultation document does not identify that personal data in the NHSCR relating to “people who are registered as having had cancer” (see list of NHSCR items above) are Sensitive Personal Data; there is no discussion concerning processing/protection of such records.
- Retention of personal data: if an individual moves to England one does not know whether his/her personal data will be retained on the Register. If someone moves home, is the previous Unique Property Reference Number or address retained? There is no mention of retention periods or what is retained.
- Data sharing: the prospect of onward disclosure of personal data, by bodies that have access to the Register to those who do not have access to the Register, is not considered.
- Securing the register from misuse: a centralised database will be a target for those who want to trace individuals in Scotland for whatever reason (e.g. some individuals might not want to be traced for legitimate security reasons). Nor is there discussion about specialist circumstances (e.g. individuals who have undergone a change of gender might not want historic records kept). Identity theft is also an issue. What is surprising is that many of these security issues were explored during the ID Card debates in 2006.
- Audit trail: No mention is made of what records are kept of access to the NHSCR and for how long. With the National Identity Register of the Identity Card, it was this audit trail that created a record that linked to all the services an individual was using.
- PIA: There is no PIA on the revised NHSCR functionality described in the Consultation. As far as I can see the PIA on the current NHSCR has not been published (it should be according to the minutes of NHSCR Governance Board, meeting on 24 October 2013). I note the Minutes of 31 July 2012 state “KM raised concerns about whether some of the details in the Privacy Impact Assessment (PIA) were too confidential to be released”. Note: the PIA link in the Consultation relates to “myaccount” and not the NHSCR.
- General Identifier: there are “General Identifier” powers in the DPA to define the lawful use of the Unique Citizen Reference Number (UCRN). There is no reference to possible use of those provisions which would prevent function creep. Note: the “myaccount” PIA states that the UCRN is “not used as a Persistent Identifier” yet the Consultation document reads as if it were persistent (e.g. “The attachment of the Unique Citizen Reference Number (UCRN) to a person's data ensures that only a single record is held for each person. Where any information from the NHSCR is shared it ensures that there can be no mistake as to whom the information relates to”).
- Identity Assurance: the proposed approach for delivery of electronic services differs from the approach of the Cabinet Office in London which requires no centralised identity database. The reason why the Registrar General needs a central register for identity assurance therefore needs to be explained.
- Missing items: the NHSCR is being linked with other personal data held by the Registrar General. For instance “over 81% of the Census records can be linked to an NHSCR record with reasonable confidence” (quote from “Linking the NHS Central Register Extract to the 2011 Census”; Paper 4 NHSCR GB (13) 04). Are links going to be developed to extend the NHSCR with data from other Registers? Are these personal data then going to be subject to sharing? These are unanswered questions.
- Transparency: If trust of data subjects is lost, resistance to the proposals will increase and so will the risks to the NHSCR. Transparency is essential to keep data subjects on-side; any form of compulsion could kill the scheme. Transparency is served by dealing with the issues above.
Extensive powers could build an ID Card infrastructure.
Like the ID Card Act 2006 which allowed any public authority access to the National Identity Register “for the purpose of securing the efficient and effective provision of public services”, the powers in LEARS have the potential to allow any public body to access the Register for any purpose.
This is clear if one considers the Registrar’s powers in LEARS:
- Section 57(1) states that “the Registrar General may, for the purposes of facilitating the carrying out of the functions of Health Boards, the Common Services Agency and local authorities, create and maintain…a register of individuals” (Note that these bodies can access the Register for any of their functions).
- Section 57(2) contains wide powers for the Registrar General to obtain “such information as the Registrar General may direct a Health Board or the Common Services Agency to provide for the purposes of the creation and maintenance of the register” and “such other information held by such persons, or persons within such descriptions, or contained in such places as may be prescribed”.
- Section 57(3)(h) allows the Registrar to use “such reference numbers relating uniquely to the person as the Registrar General may determine” (this means the Registrar has a relatively free hand to do whatever with the Unique Citizen Reference Number (UCRN)).
- Section 57(4) allows the Registrar General to provide “Health Boards, the Common Services Agency, local authorities or such persons, or persons within such descriptions, as may be prescribed” such “information from a register as may be prescribed”. Such powers are subject to minimal scrutiny.
- Section 57(5) then states that “the purposes for which information may be provided under subsection (4) are not limited to those referred to in subsection (1)”.
Sections 60 and 61 of LEARS state that the Registrar General’s powers above are subject to the approval of the Scottish Ministers and to Parliament via a negative resolution procedure (i.e. the Scottish Parliament is presumed to have approved the changes but could vote against them). In other words, there is minimal Parliamentary scrutiny of the Scottish Executive.
Indeed, the Scottish Parliament did not make any criticisms concerning these wide-ranging powers in LEARS when they were granted.
Those who remember the Identity Card Act 2006 will recall that the extensive powers for Ministers undermine the protection afforded by data protection. So if the Registrar uses powers to demand an item of personal data, for purpose X and for a fixed time, then the collection, use, retention and disclosure of those data all become lawful (see references where I go into this in detail).
Finally, one assumes that Scottish Ministers fully approve of the Registrar General’s approach.
Concluding comments
In summary, transparency is needed in several areas. In addition:
- the consultation documentation fails to call its proposal a “population register” but that is what it is.
- the lack of identification of some basic data protection issues does not engender confidence in the Consultation’s proposals especially as no PIA has been published and the Article 8 position is uncertain to say the least.
- the use of wide-ranging powers to develop the detail of the functionality of the population register mirrors the case of the National Identity Register where the details were worked out later using executive power in an attempt to overcome issues.
- the Scottish proposal for identity assurance linked to a central register was rejected by the Cabinet Office for the rest of the UK as being too high risk; there is no explanation why a central register is not high risk for identity assurance in Scotland.
- the development of a Unique Personal Identifier and disclosures to the national security agencies, the police, HMRC, Ministry of Defence, UK Visas and Immigration and Prison Services, means that once a Scottish population register is established, the infrastructure can be developed quite easily to support ID Card functionality.
Scots should look hard at these proposals; they certainly don’t appeal to me at the moment. The scary prospect is that if a population register is established for Scotland, I am sure that the call would be for the rest of the UK to follow suit.
Resurrection of the National Identity Register would then be on the Cards.
References
Details of the current NHSCR: http://gro-scotland.gov.uk/national-health-service-central-register/index.html and http://gro-scotland.gov.uk/national-health-service-central-register/about-the-register/what-information-is-held-on-the-register.html
The proposals for a population register: http://www.scotland.gov.uk/Publications/2014/12/5990/downloads#res-1
Parliamentary processes associated with LEARS (shows the wide-ranging powers did not attract much scrutiny): http://www.scottish.parliament.uk/parliamentarybusiness/Bills/24959.aspx
The Identity Assurance regime in the rest of the UK: see https://gds.blog.gov.uk/2014/01/23/what-is-identity-assurance/
How direct powers denude the protection afforded by the Data Protection Act: see from page 8 of http://www.amberhawk.com/uploads/surv1_website(2).doc
How Ministers reneged on public commitments that the National Identity Register (NIR) would not become a UK population register and misled the UK Parliament and public as to the true nature of the NIR. Worth a read if you have the time as it is an insight as to how the Blair Government worked! http://www.amberhawk.com/uploads/consult_surveillance_constitution_appendix(7).doc
Thank you for posting this. Have you been in contact with your Councillors or MSP as it has been Xmas and New Year so I don't know if they have been made aware.
Posted by: Alex | 14/01/2015 at 03:24 PM
Comments by the NHSCR governance board.
1. The PIA referred to in the minutes you mentioned is one worked on for the Beyond 2011 Programme. This considered options for the 2021 Census and concluded with a recommendation early in March 2014. The PIA was based on an initial consideration of options for the 2021 Census. A full PIA will be done as part of the final 2021 Census programme. The use of NHSCR data in relation to the Census was part of the considerations hence the discussions at the NHSCR board about this.
As there was concern that the PIA that had been developed for B2011 included secure content (as suggested in the minutes) and as the B2011 Programme had concluded more quickly than expected the PIA was never made public but NRS are currently reviewing the contents in order to share this document with you as quickly as possible.
2. The minutes also refer to two compliance checks relating to NHSCR, which were published and the links are given below. We are also moving copies of these alongside the minutes on the website for ease of reference in the future.
These documents are "Use of NHS Central Register Data in the Scottish Longitudinal Study Report on privacy safeguards" (PDF 84 Kb) and "Use of NHS Central Register Data in the Production of Population and Migration Estimates Report on privacy safeguards" (PDF 84 Kb)
3. More generally, the NHSCR has been in existence since the 1950s and thus pre-dates the undertaking of PIAs. A PIA of the existing NHSCR in its entirety has therefore not been undertaken; however, the approach is to develop PIAs relating to new proposals as they emerge.
4. As you know Scottish Government have already published a PIA for the Myaccount element of the proposal in respect of which the consultation is being carried out. The current consultation (including your response) will inform the production and publication of new PIAs in respect of any future proposals regarding the NHSCR.
Posted by: AB on behalf of the Governance Board | 20/01/2015 at 05:40 PM
Many thanks for your most helpful comments. Just one or two issues by way of response:
1. Linked to these proposals, we have already had a national ID card infrastructure in place in Scotland for the past nine years. This is based on the so-called ‘pensioner bus pass’ (for older and disabled people) and the ‘Young Scot card’ (for youngsters), both properly referred to as the National Entitlement Card (NEC). See:
http://www.entitlementcard.org.uk
This card is effectively compulsory for most pensioners and disabled. For if you refuse to register for the card, you lose your entitlement to free bus travel.
This scheme was introduced in 2006 by the then Labour/Lib Dem coalition government in Holyrood, and there is little doubt that the multi-function ‘smart’ NEC card is in reality an ID card, with the underlying infrastructure, based around the UCRN number and an associated national register, directly paralleling what was being planned for the UK ID card. I have maintained information about these developments here:
http://www.jwelford.demon.co.uk/snec.html
2. In terms of how many people are currently registered in the NHSCR register, I would guess that it could be very high, and greatly in excess of the stated “approximately 30%”. I’m aware that around 40% of people are registered for NEC cards. But in addition, a very large number of people will most certainly be in there for having been born in Scotland and also having registered with a GP.
Note that this note from the NHSCR Governance Board, ‘the NHSCR and the Citizen’s Account’, dated October 2005:
http://www.gro-scotland.gov.uk/files1../stats/nhscrgb-4.pdf
explains how the NHSCR was to be populated and UCRNs created, viz:
- when people apply for a Citizens Account (i.e. essentially when they apply for an NEC card)
- when people born in Scotland submit registration details (after the creation of the Infrastructure)
- possibly prepopulated from the Scottish national birth register (still to be agreed at that time)
3. Like the introduction of the Poll Tax, Scotland was chosen as the guinea pig for the roll out of NEC cards in 2006. Two years later, very similar multi-function, smart ‘pensioner bus passes’ were introduced elsewhere in the UK by the Labour Government. So it is possible/probable that a similar underlying ‘national register’ infrastructure was put in place. I have provided a few details here:
http://www.jwelford.demon.co.uk/nec.html
Posted by: Dr John Welford | 20/01/2015 at 05:40 PM