Like many, I did not know about the Ministerial Directions that require NHS Digital to create a national database of GP medical records until the indefatigable “Med Confidentiality” NGO raised its profile. In this blog, I will make some comments about data protection safeguards, most of them statutory, which appear to me to be missing.
NHS Digital, at the behest of the Secretary of State for Health, has been given Directions to take copies of medical records from all GP surgeries in England. As health policy is a devolved matter, these Ministerial Directions only apply in England (but I suspect other UK administrations will be watching carefully to see what happens).
According to the Specification associated with these Directions (see references for both) the data “…will be pseudonymised in the GP systems by the GP system suppliers before reaching NHS Digital” but “…NHS Digital will have the potential to re-identify this pseudonymised data upon the appropriate approvals as it will control the pseudonymisation keys”. The resultant pseudonymised dataset is made available within the NHS and to Third Parties for a number of purposes mainly related to health, social care or research.
As NHS Digital can reverse the pseudonymisation process as required, there can be no claim that the personal data being processed are “anonymous”, although in the hands of some Third Parties (e.g. researchers), it may appear to them that they are processing anonymous data.
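To make the point concrete, here is an added illustration (not code from NHS Digital, the GP system suppliers or this blog) of keyed pseudonymisation: a patient identifier is replaced by a keyed hash, so the records of one patient remain linkable, and whoever holds the key can rebuild the identifier-to-token mapping and re-identify the record. The key, the NHS numbers and the diagnoses below are constructed for the demonstration.

```python
import hmac
import hashlib
from typing import Optional

# Constructed demonstration data: not real NHS numbers or patients.
GP_RECORDS = [
    {"nhs_number": "4010232137", "diagnosis": "asthma"},
    {"nhs_number": "4010232137", "diagnosis": "hypertension"},
    {"nhs_number": "9876543210", "diagnosis": "type 2 diabetes"},
]

# Hypothetical pseudonymisation key. Whoever controls this key controls
# re-identification, which is the point made in the text above.
KEY = b"constructed-demo-key-held-by-key-controller"


def pseudonym(nhs_number: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the identifier. Under one key the same
    identifier always yields the same token, so a patient's records stay
    linkable to each other without naming the patient."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """What leaves the GP system: the identifier is replaced by its token,
    the clinical content travels unchanged."""
    return [
        {"pseudonym": pseudonym(r["nhs_number"], key), "diagnosis": r["diagnosis"]}
        for r in records
    ]


def reidentify(token: str, key: bytes, candidate_identifiers) -> Optional[str]:
    """The key holder re-identifies a token by recomputing tokens for the
    identifiers it already holds and matching. A party holding only the
    pseudonymised dataset, and not the key, cannot do this."""
    for nhs_number in candidate_identifiers:
        if hmac.compare_digest(pseudonym(nhs_number, key), token):
            return nhs_number
    return None
```

A Third Party that receives only the output of `pseudonymise` sees consistent but opaque tokens; the data are anonymous to them only for as long as the key stays with the key controller.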
What are the purposes of the processing?
The Directions explain the intended uses of personal data as: “The purpose of these Directions (Purpose) is to enable NHS … to provide for the strategic collection, analysis and dissemination of General Practice data for health and social care purposes including but not limited to:
- health and social care policy, planning and commissioning purposes;
- public health purposes, including COVID-19 purposes as described in the COVID-19 Public Health Directions 2020 (as amended from time to time); and
- research”.
Missing from this non-exhaustive list of purposes are the purposes associated with disclosure of personal data by NHS Digital. Several of these can be found in Section 261 of the Health and Social Care Act 2012 and include: disclosure intended to protect the welfare of an individual; disclosure made to a body exercising public functions for the purposes of those functions (pretty broad that one!); disclosure which relates to the investigation of a crime, or where any other legislation permits disclosure (another broad category of disclosure).
In other words, use of the NHS Digital GP database is not limited to medical related purposes; personal data can be disclosed for non-medical purposes. As with the Electoral Roll, Census and other large public sector personal data collections, the NHS Digital GP database could be the target for other public bodies (e.g. the bulk personal data collecting powers of the national security agencies).
Is this privacy paranoia at its worst? Well no, because in Scotland, the Health Service database of patients, because of the accuracy of its address element, was intended to become the basis for a Scottish population register for general use and to support an ID card arrangement (see references).
What is the A.6 lawful basis for most processing?
Because Ministerial Directions are used, the lawful basis for the disclosure of pseudonymised medical personal data to NHS Digital will be A.6(1)(c): “necessary for a legal obligation”. This choice of lawful basis thus engages the exemption in Schedule 2, paragraph 5(2) of the DPA2018 with respect to the disclosure from a GP surgery to NHS Digital; it can exempt all rights and the first two Principles in A.5 (e.g. the fairness, lawfulness, transparency and compatibility Principles).
With respect to this disclosure, the right to object to the processing (A.21) and the right to erasure (A.16) are also automatically disapplied as the processing is necessary for a legal obligation. Any application of the consequential rights of restriction and notification (A.18 and A.19) is also disapplied (e.g. these rights apply if a controller were to be obliged to erase personal data following an objection).
This exemption is also available if NHS Digital were to be required by law to disclose personal data (this category of disclosure is in the list of disclosure purposes above).
Note that because the disclosure of pseudonymised medical personal data is deemed necessary for a legal obligation, any obligation of confidence to the data subject can be set aside; there is no need to consider data subject consent for the processing.
The choice of lawful basis is also likely to cover all purposes identified above (e.g. “health and social care policy, planning and commissioning purposes”) although other (non-consent) legal bases could be more appropriate (e.g. disclosure to Local Authority social work departments could also be necessary for its public task).
Patients can object to the above processing. Med Confidentiality advise that any opt-out should be exercised before the 23rd of this month because it should prevent any initial disclosure of an objecting patient’s medical records by the GP. However, NHS Digital state that a patient can tell his or her GP about the opt-out choice at any time, but clearly this could not have retrospective effect. Data subjects who do nothing have not opted out. [Note added 8 June: Ministers have announced today a delay to a patient's opt-out decision from 23 June to 1 September].
Note that this “opt-out” does not exist because of any data protection obligation; it exists thanks to Ministerial fiat which could be modified or reversed in future Directions.
Finally, Ministerial Directions, unlike the exercise of power by a Minister via secondary legislation, do not have to be subject to Parliamentary scrutiny nor do they have to be made public, and Directions can be expressed as a set of general objectives (e.g. for NHS Digital to obey).
Sadly, history informs that the use of Ministerial Directions to define lawful processing of personal data has been a recipe for unaccountability and secrecy. For example, it was the use of Directions made under the Telecommunications Act 1984 which, until the Snowden revelations, legitimised the bulk personal data collection capabilities of the national security agencies for over three decades (see references).
What are the A.9/Schedule 1 requirements?
With respect to overturning the prohibition placed on subsequent processing of health personal data via A.9(1) of the UK_GDPR, the obvious conditions to use are those relating to processing being necessary for a health and social care purpose, necessary in the public interest for a public health purpose, or necessary for a research purpose where the research is in the public interest (paras 2 to 4 of Schedule 1 of the DPA2018).
So how are terms such as “public interest” and “necessary” assessed? As the ICO has not published detailed advice on how NHS Digital is to assess these requirements, it’s left to them to work it out. The Government in March appointed a new National Data Guardian; she has yet to pronounce on these Directions. In other words, there is a dearth of official regulatory guidance or commentary other than that published by NHS Digital itself.
With respect to research, there are other legal and ethical requirements set out in section 19 and Schedule 2, para 27 of the DPA2018 and in A.89 of the UK_GDPR but these are largely irrelevant to NHS Digital’s processing as described above unless, for example, a research purpose requires face to face contact with the patient as with a clinical trial (when patient consent becomes a factor).
The involvement of the private sector
Some NGOs have expressed considerable concern that private medical records, even pseudonymised, will be processed by high tech USA companies. The argument is that the involvement of private technology firms to handle NHS data undermines the “core values” of the UK’s public health system, or that there is a creeping privatisation of data assets which risks losing patient trust in the NHS.
In these cases, a lot will depend on the contract between NHS Digital and its contractors. Is the contractor, for instance, a controller rather than a processor? This was the issue when the Royal Free Hospital contracted with Google's Deep Mind (see references).
Additionally, in that case, there was a contract which used both “Data” and “Personal Data”. So should a contractual provision that states something like “we shall return or destroy all Personal Data at the end of the contract” be interpreted as “we are not obliged to return or destroy the Data associated with the contract”? If so, can those Data be retained by the contractor for its own commercial purposes?
In my view, these end of contract arrangements have to be published so they can be subject to public scrutiny. It should be clear what anonymous or pseudonymous personal data processed with respect to an NHS project a contractor is allowed to keep, if any, when the project finishes.
List of safeguards
I should make my position clear: I am at an age where many things are, shall we say, “going South”; if some or all of my medical records could help someone else then I am all for it. What I am not for, is my medical records being exposed to a set of shysters by accident or design. Sadly, there are many such shysters around in the high tech arena; recent press coverage about PPE tells us that some are friends with Governmental decision makers.
So in the context of the above, the missing statutory safeguards I would like to see implemented are as follows.
Specific legislation:
- to describe the opt-out of NHS Digital processing as a data subject right (i.e. the opt-out has to become independent of any future Ministerial edict);
- that links any opt-out to the right to erasure of personal data where the right of erasure extends to any other Third Party databases where there has been a disclosure of an objector’s personal data (i.e. if someone objects to NHS Digital then the personal data are deleted throughout any data sharing arrangement);
- that disapplies the exemption in Schedule 2, paragraph 5(2) of the DPA2018; (i.e. if there is a requirement for this exemption, it should be identified in legislation enacted after the creation of the centralised GP NHS Digital database);
- that disapplies any previous legal obligation which requires NHS Digital to disclose personal data for non-medical purposes (same reason as immediately above);
- that limits any data sharing by NHS Digital to medical related purposes;
- that requires transparency with respect to what happens to NHS data at the end of contracts (e.g. with USA high tech companies), and
- that permits the ICO or National Data Guardian to receive reports on any chosen processing activity.
Why do the above need to be statutory safeguards? Mainly because the use of Ministerial Directions specifies a legal basis that negates most of the list above.
Upcoming Data Protection Course
Because of the Indian variant and the consequent COVID lockdown uncertainty, the following course can be attended in person, via Zoom, or a mixture (it's up to you).
Data Protection Practitioner: London, Starts July 13 (6 days)
Full details on www.amberhawk.com/StandardDP.asp or by emailing info@amberhawk.com
References
NHS Digital Privacy Notice: https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research/transparency-notice#opting-out-of-nhs-digital-collecting-your-data-type-1-opt-out-
Directions from the Secretary of State: https://digital.nhs.uk/about-nhs-digital/corporate-information-and-documents/directions-and-data-provision-notices/secretary-of-state-directions/general-practice-data-for-planning-and-research-directions-2021
Details of the data collection associated with the Directions: https://digital.nhs.uk/about-nhs-digital/corporate-information-and-documents/directions-and-data-provision-notices/secretary-of-state-directions/general-practice-data-for-planning-and-research-directions-2021#learn-more-about-this-direction
Blog on the wider use of the Scottish Health Data register to create a population register: https://amberhawk.typepad.com/amberhawk/2015/03/development-of-a-scottish-population-registerid-card-scheme-is-subject-to-ico-criticism.html and https://amberhawk.typepad.com/amberhawk/2015/01/proposals-to-expand-central-nhs-register-creates-a-national-population-register-and-significant-data.html
Blog on Royal Free Hospital and Deep Mind: https://amberhawk.typepad.com/amberhawk/2017/07/royal-free-undertaking-exposes-weakness-in-data-protection-enforcement-regime.html
Blog on the use of Ministerial Directions by the national security agencies to justify bulk data acquisition: Section 94 of the Telecommunications Act 1984: a warning from history. https://amberhawk.typepad.com/amberhawk/2015/11/section-94-of-the-telecommunications-act-1984-a-warning-from-history.html
Interesting. Came to a similar question set on installing the NHS app today and seeing some of the connections being made. The identity checking data was linking NHS number with NI number, and passport or driving licence. It also required a face identifying video clip as part of set up which did not appear to remain on my phone so presumably that data item is held in the app's database. It did have a consent step to share data, which I chose not to proceed with, but of course I have no way of verifying if the data does or does not get shared.
Posted by: David Wyatt | 11/06/2021 at 02:52 AM