'Biggest data grab' in NHS history stuffs GP records in a central store for 'research' – and the time to opt out is now

'More data, more breadth, more depth... it's the whole f&*king deal'


Updated The NHS is preparing for the "biggest data grab" in the history of the service, giving patients little information or warning about the planned transfer of medical records from GP surgeries in England to a central store for research purposes – and with no prospect of the data being deleted.

Campaigners and doctors have expressed alarm that such a wide-ranging data haul is in the offing when health services and patients are still swamped by the effects of the COVID-19 pandemic, with little time to focus on the details of data privacy.

The 55 million citizens of England will need to opt out of the involuntary scheme before it is introduced to prevent the entire history of their GP visits being slurped, campaigners told us. Opt-out forms are here [.docx]. We understand you will need to give this form to your GP practice before 23 June or your data held by your GP joins the central repository.

According to an official announcement on the NHS Digital website, data held in GP medical records will be collected via a new service called the General Practice Data for Planning and Research data collection. It will replace the General Practice Extraction Service (GPES), which has operated for over 10 years.

The new service comes with a broadened remit: the data will be used to "support the planning and commissioning of health and care services, the development of health and care policy, public health monitoring and interventions (including COVID-19) and enable many different areas of research."

The service will collect data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health. It will also collect data on sex, ethnicity and sexual orientation, and data about staff who have treated patients.

NHS Digital said names and addresses, written notes, images, letters, and documents would not be collected. Nor would coded data that is not needed due to its age and coded data that GPs are not permitted to share by law.

Patient data from doctors' surgeries in England will be shared from 1 July 2021 unless patients opt out by 23 June 2021. Patients can also decide on a National Data Opt-out, which prevents NHS Digital sharing your collected data with third parties. To be clear, our understanding is that the earlier GP form means it is not sent from the practice to the central data repository.

But concerned patients will not know about the data grab and some doctors may not have had time to explain given the overwhelming focus on the pandemic.

Dr Neil Bhatia, a Hampshire GP and information governance lead, told The Register it was the "biggest data grab" in the history of the NHS. "It is going to be a scramble. If you want to opt out, you need to do it now. [You] cannot change that [in] six weeks' time; you can only prevent new data going on the system. The health service is distracted with COVID. GPs are drowning. We would like to do something about it, but the government slips this out, and there is no going back."

NHS Digital said it had engaged with the British Medical Association, Royal College of GPs, and the National Data Guardian over the records collection. Campaigners noted that the press release carried no quotes from those organisations. NHS Digital said the data would "support a wide variety of research and analysis to help run and improve health and care services."

However, Dr Bhatia said patients may not know their information could be used by US companies planning to bid for work for the NHS. "I do not have any confidence the data will not be [given] to the private sector in the US. Nobody ever checks; once it is anonymised and outside GDPR, they can give it to who you like.

"The information may not identify you but it can be used in ways you are not happy about. It could be used by a company looking to buy up GP surgeries, for example. There is no granularity for how the data could be used.

"I like to think that the money [NHS Digital] gets will always be for the benefit of the NHS, but cynically, I think it will benefit the companies and be worth every penny to get a foothold in the market. Whether you think that is right or wrong, patients do not have control of data [going to that purpose]."

The NHS has been here before. In 2016, The Register revealed NHS England spent nearly £8m on its controversial care.data programme before scrapping it. The publicly hated programme was beset by delays and criticised by doctors and privacy campaigners over the haphazard way it would share sensitive medical data of citizens with commercial companies without explicit consent.

Phil Booth, coordinator for campaign group medConfidential, told us the latest scheme from NHS Digital was "even bigger than care.data."

"It's more data, more breadth, more depth, it's the whole record, not just prospectively. It's not excluding all of the really sensitive codes, the stuff which care.data wouldn't touch, it's the whole f&*king deal."

The combination of hospital data, GP data, and the capacity to link them together could create "the single most valuable data asset on the planet," Booth said.

He said the NHS had delayed the launch of the programme until the day after the Queen's Speech, a magnet for political news, "because they learned last time that it's the publicity that kills them."

medConfidential has produced a guide to opting out of the new data grab. It has also published a list of the types of data that will be extracted from GP records by the programme. These data points include sensitive details relating to divorce, criminal records, prison and probation, complaints about care, relationship abuse, and child abuse, and info on sensitive diseases, such as AIDS. The campaign group's full guide for patients is available here.

A BMA spokesman told The Register it had been engaged in the planning for this new collection over the past three years, and made representations on behalf of GP practices to ensure stronger arrangements were put in place over the security and intended uses of the data collected.

"GP data has a crucial role to play in research and planning which can improve public health, but it is important for patients and the public that this data is made available for appropriate purposes in a secure and trusted manner," the spokesman said.

"We are broadly supportive of the principles of the new collection in seeing fewer extracts of data and a reduced administrative burden for general practice."

The GP data grab comes 18 months after The Reg revealed details of a meeting between senior figures at numerous public-sector NHS bodies and UK heads of businesses at the likes of Amazon, Microsoft and AstraZeneca. They discussed ways to package the medical records of millions of British citizens.

The Health and Care Data Day hosted by NHS England in October 2019 involved the discussion of nine commercial models for a proposed medical record repository, which was estimated to be worth up to £10bn annually. The repo would include data from GPs and hospitals, mental health professionals, death and demographics registers, the private healthcare sector, prescription records, environmental and social statistics, and more.

This was described by NHS Digital in material handed out at the event, seen by us, as a "single, national, standardised, event-based longitudinal record for 65 million citizens within two years." It was intended to capture the "full journey of care from cradle to grave."

As was pointed out in late 2019, healthcare tech professionals are all for using data for research purposes, though transparency and trust are key issues for the general public when sensitive medical data is being shared.

Joe McDonald, then Chief Clinical Informatics Officer for Great North Care Record, told us: "We have to be guided by citizens, not by government agencies and industry big players who seek to profit from NHS data."

"We hope the lessons of Care.Data have been learned. I'm not sure what patient representation goes into current policy thinking. I suspect not enough," he added.

NHS Digital has argued that, once collected, the data could be available to “parties involved in the planning of the health and care system, and parties undertaking clinical research”. However, it has so far declined to comment on specific questions over whether these parties could include private sector companies scoping the NHS for commercial opportunities. ®

Updated at 1400 UTC to add

An NHS Digital spokesperson has told us:

Data is only shared with organisations who have a legal basis and meet strict criteria to use it for local, regional and national planning, policy development, commissioning, public health and research purposes.

They added: "All applications for access to this data must have a health or care benefit and cannot be for solely commercial purposes. NHS Digital will not approve requests for data where the purpose is for marketing purposes, including promoting or selling products or services, market research or advertising.

"Applications from commercial organisations are very carefully scrutinised to ensure the purposes of any access are appropriate and benefit health and care. Requestors will only be able to access the minimum data required to meet their specific approved health and care purposes and are subject to contractual data sharing agreements."
