FOI Man wants a balanced and calm debate on sharing of personal data. Is that really too much to ask?

At the end of last week I posed two questions. Firstly, are we assuming the worst of any proposal to share data? And secondly, if this is the case, is it damaging to society?

I was aiming to start a debate, and to an extent I was successful. It generated a lot of heat, but for me at least, not much light.

Let me just reiterate what I was not saying. I wasn’t saying that it should be easier for organisations to share data. I wasn’t saying that the Data Protection Act or confidentiality law should be weakened. I wasn’t saying – necessarily – that I agree with any of the examples I gave, including the care:data programme (the plan that will allow a central NHS body to extract data about patients from GPs’ patient records, and then share that data with other approved bodies). My mind is open on this, which is why I wanted the debate – I wanted to be persuaded one way or the other.

The problem I have is that whilst there are lots of blog posts and newspaper articles telling us to opt out of care:data and describing the risks in emotive terms, I’ve seen very little explaining why, therefore, it is being done. Presumably if NHS England are pressing ahead with this, somebody is giving them alternative advice. Somebody thinks this sharing is legitimate. But I can’t find anything about this. I get told to opt out or my data will be sold to companies (though NHS England deny this, so what am I to believe?), and if I want to know more, I’m given a link to Mail Online (which obviously has a reputation for balanced reporting of these matters). Interestingly, none of these articles or posts appear to link to the relevant website provided by the Health & Social Care Information Centre. They all point to other articles which subscribe to the same view.

This is exactly what I was referring to in my last post – the debate about sharing of personal data is marked by hyperbole and polarised opinions. That’s not how I want to make my mind up about important issues.

A lot of the fault – probably most of the fault – for this lies with NHS England, who could, as has been pointed out, have communicated the aims and implications of this project far better. But a lot is down to the tone of the debate. Just raising the possibility that there is another side to the argument attracted pretty strong criticism.

I have friends outside the information rights profession (if there is such a thing) who don’t understand why there is such opposition to this proposal. Scientists in particular who can see the potential for life saving discoveries through analysis of data. To them this looks like scaremongering. These are not stupid people. They can be persuaded by reason and evidence. They’re not going to be persuaded by just telling them there are risks. They, like me, want to know all the arguments for and against, see the evidence, and then reach a reasoned decision.

At the start of next month I hope to attend a meeting of the National Association of Data Protection (and FOI) Officers. One of the speakers is a representative of MedConfidential who have been vocal in opposing care:data. I’ll be interested to hear what they have to say, but I’d really like to hear someone from NHS England or the Health & Social Care Information Centre give the other side before deciding whether to opt out and encourage others to do the same.




  1. Agree with you completely. The lack of information about why (and how) medical data is proposed to be shared is bemusing: the government should be conducting a mass education programme, rather than trying to sneak this through. In the absence of such information I will maintain the default position of “hands off my sensitive personal data” – I can always opt in later, when I’ve been reassured about security, and that this is not merely (or even partly) an attempt to monetize my information.

    If Tim Kelsey (or Mark Walport, or Ian Sample, etc) would like to come to the NADPO event, or speak at a future one, they’d be very welcome (I think we were going to invite Tim K to speak, but I’m not sure what the outcome of that was).

  2. I think it’s worth pointing out that your previous blog ended like this: “Contributing personal data to society is at least as important as paying our way financially. Data Protection shouldn’t be about saying “no” all the time.” This is not a call for a balanced debate or evidence of a completely open mind; this is taking one side in the debate and making the case for it. It’s a legitimate viewpoint, but it is not the same as being completely open and unbiased. I also think your emphasis on words like ‘evidence’ and ‘rational’ and ‘reason’ is a bit patronising: anyone interested in FOI knows that governments sometimes lie, they sometimes mislead, and they spin like mad. This may disappoint your scientist friends, but it isn’t irrational or unreasonable to go with your gut and decide you’d rather be left alone.

  3. I would say the ‘fault’ lies more with the Government / Secretary of State rather than the NHS as such, although NHS does make a ham fist of explainung the position and continues to blur the issue of consent.
    The root lies in the powers reserved to the Sec. of State under s251 of the NHS Act 2006 to override patient confidentiality where it is not practicable to obtain patient consent. NHS tries to explain this in its “General Practice Extraction Service Information Governance Principles” available at . This include some worthy but pointless principles such as “queries to extract data will be … publicised through a public website (as well as general information about GPES being made available through practices)”. Worthy as it is the absolute minimum, pointless in that having such a website which no “customer” will look at in practice. It is also slightly disturbing in the implication that publicity may take the place of consent.
    It also contains some dubious propositions such as “All data extracted from a practice by GPES will be … deleted from GPES data stores as soon as the data have been released to, and accepted by, customers.” I think I know what they mean, but am 100% certain they did not mean what they say – which somewhat erodes my confidence in their understanding of governance principles.
    But my first main gripe is the conflict between two of the principles on page 9:
    a) NHS Care Record Service patient choices, where adopted by general practice systems*, will be respected, so that no restricted information will be extracted; and
    b) Patient consent, Section 251 approval, or statutory justification will be required

    In particular if s251 approval is given are they seriously suggesting patient choice will override ? Since Sec. of State has been satisfied that obtaining consent would not be practicable why does consent have a role? On the other hand if the rules requires patient choice to be respected, the system must be able to record this, in which case it surely is always practicable “to achieve that purpose otherwise than pursuant to such regulations, having regard to the cost of and the technology available for achieving that purpose” – see s251(4) – and s251 is redundant.
    And that is just confidentiality. s251(7) also requires DPA to be respected. The rules here are subtly different from the law of confidentiality. Consent to waive confidentiality can sometimes be implied in a clinical setting (see Caldicott principles) but consent under DPA cannot be implied in the same way although it may be sidestepped by another condition in Schedule 3 or the Regulations.
    The above of course is as clear as mud and is probably not the real concern for most opponents. That consent is I suspect a simple lack of trust in government intentions and in government ability to keep control. I suspect that the position of many would therefore be something along the lines :
    So long as you tell me what you are doing, in simple terms, I would be quite happy in principle to let you use my personal data where it is necessary for (a) my clinical care; (b) medical research ; (c) improving the NHS generally but in practice I will not give you my consent because I do not believe you will prevent it being used for actions such as: (d) challenging my benefit claims; (e) allowing big pharma to make more profits ; (f) allowing insurers to do risk profiling ; (g) deciding if I am a terrorist; (h) chasing me for Income Tax; etc. etc. etc.

    * Do they mean to suggest practices have a choice NOT to adopt patient choices !!!!!!

    Phil Bradshaw

Comments are closed.