NHS Digital's demise bad for 55 million patients' privacy – ex-chairman

IT and data arm now part of NHS England, which could be pressured into data sharing without proper oversight

Ten months after attempts first began to extract the medical information of 55 million citizens in England, NHS Digital's former chairman is warning the merger of the agency with NHS England threatens the privacy of people's personal data.

Writing in trade publication the British Medical Journal, Kingsley Manning said health secretary Sajid Javid's decision to merge NHS Digital into NHS England and NHS Improvement last year was a "retrograde step not least in the context of this government's clear intent to weaken the constraints on the use of patient data."

Founded as the Health and Social Care Information Centre (HSCIC), IT and data arm NHS Digital received direction from NHS England, the central health service body charged with executing government policy in the NHS and paying health service providers.

However, NHS Digital could use its discretion to not comply with a direction from NHS England to collect data and to establish specific information systems.

"Doing away with an independent statutory body in NHS Digital, charged with defending patient rights, is itself, unfortunate. But handing that body and its powers to NHS England, is a grave error," Manning said of the move.

"In effect, NHS England will be able to decide that its legitimate interests override those of the citizen and the patient, with little or no external constraint or scrutiny. With no requirement for transparency and indeed with additional barriers to citizens asking for information about the use of their data, individuals may never know what NHS England chooses to do with their data. And this matters," the BMJ article said.

"In my experience, the general approach of NHS England, including of its clinicians, was that much of the guidance and regulations with respect to the use of patient [data] was seen as unnecessary. The view was that if a patient had chosen to use the NHS they had implicitly agreed that their data could be used for the benefit of the NHS," Manning said.

Such concerns might ring alarm bells with privacy campaigners. Last July, NHS Digital announced its second delay to what had been called the biggest data grab in NHS history of 55 million Englanders' health records, and introduced new caveats to the extraction of personal medical information from GP systems.

The final, indefinite delay followed outcry from privacy campaign groups and concern from the medical profession who argued patients might not have knowledge of how their data would be used and shared if it had been automatically extracted from GP systems.

NHS England has its own track record with handling patient data. Last year, the National Data Guardian declined to endorse NHS England's effort to be transparent by publishing details on data flows from a patient information project that put US spy-tech firm Palantir at the heart of the government's response to the pandemic.

The COVID-19 data store was launched in March 2020 and aimed to pull together medical and operational data about the spread of the virus.

Campaigners had to force the government to publish details of the companies contracted to support the project – AWS, Microsoft, Google, Brexit-linked analytics firm Faculty, and Palantir, whose technology has been employed by the CIA and controversial US immigration agency ICE.

Manning said NHS Digital was established to provide an element of protection. "If it is to disappear then what is required is to put in place robust, external, independent scrutiny of NHS England. This could be through giving the currently toothless National Data Guardian effective powers of oversight. There should also be a statutory requirement of transparency," he said.

Without proper oversight, efforts to use health data in a responsible way for the right reason might be lost because of a lack of public trust in the system.

"The demise of NHS Digital will go unnoticed by the vast majority of the population. But its absorption into NHS England is a step in the wrong direction, signalling a policy approach which is not only challenging the basic right of patients with respect to their own data but may also, ultimately, prove self-defeating," Manning said.

The Register has contacted NHS England for a response to the article. ®
