Not content with selling off public services, is the government doing all it can to monetise us by means other than taxation by looking for ways of selling off aggregated data harvested from our interaction as users of public services?
For example, “Better information means better care” (door drop/junk mail flyer) goes the slogan that masks the notice that informs you of the right to opt out [how to opt out] of a system in which your care data may be sold on to commercial third parties, in a suitably anonymised form of course… (as per this, perhaps?).
The intention is presumably laudable – better health research? – but when you sell to one person you tend to sell to another… So when I saw this story – Data Broker Was Selling Lists Of Rape Victims, Alcoholics, and ‘Erectile Dysfunction Sufferers’ – I wondered whether care.data could end up going the same way?
Despite all the stories about the care.data release, I have no idea which bit of legislation covers it (thanks, reporters…not); so even if I could make sense of the legalese, I don’t actually know where to read what the legislation says the HSCIC (presumably) can do in relation to sale of care data, how much it can charge, any limits on what the data can be used for etc.
I did think there might be a clause or two in the Health and Social Care Act 2012, but if there is it didn’t jump out at me. (What am I supposed to do next? Ask a volunteer librarian? Ask my MP to help me find out which bit of law applies, and then how to interpret it, as well as game it a little to see how far the letter if not the spirit of the law could be pushed in commercially exploiting the data? Could the data make it as far as Experian, or Wonga, for example, and if so, how might it in principle be used there? Or how about in ad exchanges?)
A little more digging around the HSCIC Data flows transition model turned up some block diagrams showing how data used for commissioning could flow around, but I couldn’t find anything similar as far as sale of care.data to arbitrary third parties goes.
(That’s another reason to check the legislation – there may be a list of what sorts of company is allowed to access care.data for now, but the legislation may also use Henry VIII’th clauses or other schedule devices to define by what ministerial whim additional recipients or classes of recipient can be added to the list…)
What else? Over on the Open Knowledge Foundation blog (disclaimer: I work for the Open Knowledge Foundation’s School of Data for 1 day a week), I see a guest post from Scraperwiki’s Francis Irving/@frabcus about the UK Government Performance Platform (The best data opens itself on UK Gov’s Performance Platform). The platform reports the number of applications for tax discs over time, for example, or the claims for carer’s allowance. But these headline reports make me think: there is presumably much finer grained data below the level of these reports, presumably tied (for digital channel uptake of this services at least) to Government Gateway IDs. And to what extent is this aggregated personal data sellable? Is the release of this data any different in kind to the release of the other national statistics or personal information containing registers (such as the electoral roll) that the government publish either freely or commercially?
Time was when putting together a jigsaw of the bits and pieces of information you could find out about a person meant doing a big jigsaw with little pieces. Are we heading towards a smaller jigsaw with much bigger pieces – Google, Facebook, your mobile operator, your broadband provider, your supermarket, your government, your health service?
PS related, in the selling off stakes? Sale of mortgage style student loan book completed. Or this ill thought out (by me) post – Confused by Government Spending, Indirectly… – around government encouraging home owners to take out shared ownership deals with UK gov so it can sell that loan book off at a later date?
OUseful.Info, the blog... 
Hi. The relevant bits of legislation are scattered all over the place, but the one that is being used to force GPs to upload your medical records in identifiable form is indeed HSCA 2012 – buried down in Chapter 2 at sections 254, 256 & 259. Sneaky little interaction, eh?
Section 251 of the NHS Act 2006, referring back to Regulation 5 of the 2002 Act, are what gives the Secretary of State – who most people don’t realise is the ‘data controller in common’ of all our medical records – the power to set aside common law confidentiality and pass on patient records in identifiable form.
DPA is so flawed as to offer almost no resistance at all. And mounting an Article 8 HRA / ECHR defence is something that takes years, and a significant amount of money.
If you want to see who can get care.data, you only need look at NHS England’s latest application to expand the potential users and uses for care.data, which quite clearly states in its introduction:
“This addendum proposes that applications may be considered by the HSCIC from all organisations, subject to their eligibility as determined through the HSCIC’s governance processes. Such organisations may include research bodies, information intermediaries, companies, charities, and others.” – so basically anyone who can plausible fit their criteria.
See http://www.hscic.gov.uk/media/12864/caredata-addendum—Addendum-document/pdf/care.data_addendum_-_addendum_document_-_September_2013_(NIC-178106-MLSWX.A0913).pdf
Hi Phil – Thanks for that. Makes me think that there needs to be a “metanews” site that has links to the legislation behind the actions that reported in news stories…
One of the classes of organisations that jumped out at me from the NHS application was “information intermediaries” and the thoughts: a) what regulates the extent to which those intermediaries can blend this data with other data, and b) who are they acting as intermediaries for? I guess associated with that is what restrictions apply to the on-sharing and on-use of information fed forward from the information intermediaries?
Hi Tony, Phil,
I’ve been looking into this ever since the ‘leaflet’ hit my door mat with the rest of the junk mail! I have an interest in mental health, carers and patients privacy.
I’ve currently got a complaint with HSCIC over care.data programme and a rather arrogant and belittling Head of so called Information Governance, whom I spoke to at length. A senior HSCIC manager has also been discussing my complaint/concerns with me on a weekly basis. I’ve also spoken with managers in NHS England, CQC (Care Quality Commission), HRA – CAG (Health Research Authority – Confidentiality Advisory Group) and NHS Family Health Services about NHS Numbers (unique to individuals). Like you I’ve looked at H&SC Act 2012, also the bill’s passage/implementation, Data Prot Act 1998, roles of the following:- Secretary of State for Health, Health Minister, ISCG (Information Services Commissioning Group – Caldicott), HSCIC, CQC, HRA – CAG, NHS England, ATOS (services and IT) and of course the GP’s. All only from the care.data point of view, as all of them obviously do a lot of other stuff, some called patient care, funnily enough!
I’m trying to fit all these main responsibilities together and at the moment they seem to be easily slotting into place, from what I understand. These are my views – The Act was to change the NHS and provide capability of getting around the Data Prot Act, providing overriding authority over data distribution. ISCG – overseeing authority for and reporting directly to S of S, stakeholders review. HSCIC – care.data programme and rollout. CQC and HRA – suppliers and requesters regulation plus advisory roles (no teeth). GP’s – data controllers, responsibility for ensuring patients are informed (they had no choice, see Act), first point of contact for complaints and obviously the ‘point of blame’ if it goes wrong or data is leaked (typical Government diversion tactic)! This responsibility may pass onto HSCIC with the next release of care.data programme.
So, Tony I agree with you. There are huge information data risks (as stated in HSCIC plan). We have examples from the past where data has been sold on/leaked.
My main questions to HSCIC:
Why was the publicity/media campaign done so innocuously, leaflet title – ‘Better information means better care’, instead of perhaps ‘Important, Please Ensure You Read this – Changes to how your Medical/Health Records, held by your GP, are shared/distributed’? Why not via the GP (I was originally informed it was due to lack of GP resources) services direct to patients? After all surgeries and GP’s are now spending a lot of time answering patient queries on this! Why by patients ‘Objection’ (opt out) and not Agreement (opt in)?
What happened to the ‘patient information governance’ element of the NIGB (National Information Governance Board) role? They also independently governed suppliers and requesters as well as having advisory roles. The statute abolishment of NIGB on 31st March 2013 meant the statutory roles where passed onto CQC, in part HSCIC, and advisory roles passing onto Department of Heath and other bodies. CQC do not control the governance of patient information so where did this element go? Interestingly the Government actually state in the ‘ISCG IIGOP Terms of Reference’ that ‘This Government wishes to pursue it’s agenda of open data and transparency but recognises that independent scrutiny continues to be required’. To date I cannot find any ‘body’ that carries out this role (also regarding lawful disclosure of patient information) and patient involvement through ‘bodies/reps’. HSCIC did say ISCG have some kind of patient involvement but this isn’t governance/regulation.
Why allow any ‘body’ or third party to apply for data, subject to so called agreement/terms/contract? After all existing health bodies share other patient data anyway, with consent?
Why will the number of patient ‘objections’ per surgery be monitored by ISCG? Perhaps so individuals can be identified by the relevant objection codes and then responsibility will fall to GP’s to convince patients to withdraw their objection?
Hope you find this useful, like you not sure yet how to move this forward so individuals understand their real choice?
Regards
Stew