Tag Archives: data protection

Phishing, e-commerce and retail


Britain is targeted by up to 10,000 cyber attacks per hour, making it a business imperative for organisations to strengthen their data security systems and processes.

Retail and financial services websites are at the highest risk from attack, and Christmas – with a projected online spend of £17.4bn** – is the most popular time of year for cyber criminals.

A Google study from a couple of weeks ago made an astonishing statement:

Phishing stats 45%

This is a particularly worrying statistic given that data security breaches carry a huge cost – both to reputation and financially.

phishing stats Nov 2014

The costs of a breach increase every year, and will inevitably continue to rise as new legislation comes in with greater powers to the ICO.

So it’s time for retailers to make sure their staff don’t fall into the 45% of successful phishing attacks, and understand how to minimise security risks to the business.

Christmas Offer

25% Christmas Discount

Data Compliant  provides data security training workshops for companies who want their employees to understand how to keep their data secure.

2-hour security workshops for up to 10 attendees per session are available from January 5th 2015.  The usual cost is £1,100*.  Within the workshop, we’ll demonstrate how to recognise and avoid phishing attacks.

Any organisation making a firm booking for a data security workshop before 23rd December will receive their 25% discount – ie a reduction in cost from £1,100 to just £825.*

For more information or to book your workshop, call 01787 277742 or email victoria@datacompliant.co.uk

* Stats taken from UK 2014 Information Security Breaches Survey – Department for Business Innovation and Skills

**stats from internetretailing.net

* Costs exclude VAT and expenses.


CCTV Data Protection Guidelines from ICO

drone delivering parcelClearly surveillance has both benefits and drawbacks, and the level of public interest and debate about both is increasing. Technology is advancing swiftly, and surveillance cameras are no longer simply passively recording and retaining images. They are now also used proactively to identify people of interest, to keep detailed records of people’s activities both for social (eg schooling, benefits eligibility) and political (eg terrorist) reasons.

There’s a real risk that, despite the benefits, use of CCTV can be very intrusive.

The ICO’s new CCTV code of practice continues its focus on the principles that underpinned the previous code of practice. However, it has been updated to take into account both the changes in the regulatory environment and the opportunities to collect personal data through new technology.

There is some fascinating information in the guidelines – specifically around some of that new technology, where three of the key recommendations are:

  • Privacy Impact Assessments – a requirement that involves ensuring that the use of surveillance systems is proportionate and addresses a pressing need (see the
  • Privacy Notices / Fair processing – a key issue for many of the new technologies is finding creative says of informing individuals that their personal data is being processed – particularly where such processing is simply not obvious.
  • Privacy by design – for example, the ability to turn the recording device (audio and / or sound) on and off as appropriate to fulfil the purpose; the quality must be high enough to fulfil the purpose; the use of devices with vision restricted purely to achieve the purpose

The new technology specifically covered in the guide includes:

Automatic Number Plate Recognition (when to use it, data storage, security issues, sharing the data and informing individuals that their personal data is being processed – something of a challenge needing some creative thinking);

Body Worn Video (warnings against continuous recording without justification; the use of BWV in private dwellings, schools, care homes and the like – and, again, the thorny issue of informing subjects that they are being recorded);

Unmanned Aerial Systems drones are now increasingly used by businesses as well as the military (Amazon has stated its intention to use drones to deliver parcels …). Some of the key issues are privacy intrusions where individuals are unnecessarily recorded when the drone has some other purpose; the distinction between domestic and commercial use; providing justification for their use; the ability to switch the recording system on and off; the whole system of data collection, storage, accessibility, retention periods and disposal requires compliance.

Automated recognition technologies are increasingly used commercially to identify individuals’ faces, the way they walk, how they look at advertising and suchlike. Again, the issues of fair processing, degree of accuracy of images and their identification, storage, retention, transfer, disposal and security are all key to compliance.

If you are using surveillance devices to view or record and / or hold information about individuals, then it’s worth noting that such use is subject not only to the Protection of Freedoms Act (and its Surveillance Camera Code of Practice), and the Data Protection Act, but you also need to consider your obligations under The Freedom of Information Act 2000 and the Human Rights Act 1998.

If you have any concerns about your data compliance in general or your surveillance camera compliance specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk


Surveillance Camera Code of Practice – 12 Principles

security cameraDo you use a surveillance camera system within your organisation?  If so, it’s worth noting that the Surveillance Camera Code of Practice must not only comply with the Data Protection Act and its 8 Principles, but also provides its own 12 guiding principles:

  1. Purpose: Use of a surveillance camera system must always be for a specified purpose in pursuit of a legitimate aim, and necessary to meet an identified pressing need
  1. Privacy Impact: Use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified
  1. Transparency: There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
  1. Accountability: There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
  1. Policies and procedures: Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them
  1. Relevance and Retention: No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged
  1. Access to retained images and information should be restricted. There must be clearly defined rules on who may gain access for what purpose; the disclosure of images and information should only take place where it is necessary for such a purpose or for law enforcement purposes
  1. Standards: Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose, and work to meet and maintain those standards
  1. Security: Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
  2. Audit: Effective review and audit mechanisms should be in place to ensure legal requirements, policies and standards are complied with in practice.  Regular reports to be published.
  3. Public Safety: When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
  4. Accuracy: Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

If you have any concerns about your data compliance in general or your surveillance camera compliance specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk


Data Protection and the ICO

Data privacy

Data Protection Complaints 2013 – 2014

Yesterday I read that the Information Commissioner’s Office handled 259,903 calls to its helpline and has resolved 15,492 data protection complaints last year. This is an increase of 10% over the previous year.  And here’s another staggering figure – the ICO received 161,720 reports from people about spam texts and nuisance calls.

Half the total complaints received related to “subject access”, with a range of organisations about whom complaints were made, including lenders, local government, educational providers and local health providers.

The importance of data protection in business

Organisations and businesses can no longer ignore the importance of data protection governance, compliance and security – they now have no choice but to understand and meet their regulatory requirements to avoid the penalties of non-compliance.  Last year’s attitude to and handling of ‘subject access requests’ is a perfect illustration of the current complacency seen among some data users.

The sheer volume of personal data being collected physically and digitally every day is multiplying at an extraordinary rate and organisations are continuing to find ever more complicated ways of using data.  Use of big data continues to develop with organisations trying to navigate their way through woefully outdated legislation.

The importance of the ICO

As a result, the data protection challenges to business, the consumer and the ICO are spiralling. It’s increasingly important for the data subject to know that a strong, independent body – which means the ICO – can be trusted to keep watch and offer protection.

With this increase in volume and demand, it’s hardly surprising that the ICO is calling for greater powers, greater independence, and additional funding.

Funding is a particularly difficult area as the EU data protection reforms currently propose the removal of the notification requirement and accompanying fees that fund the ICO’s DPA work. Lack of funding will inevitably give rise to cuts in the services provided by the ICO – for example, it has no legal obligation to provide a helpline, and reduced funding makes it unlikely to be able to continue to handle its current – let alone future – volumes of calls a year.

So it’s absolutely vital not only to individuals but also to businesses, organisations, government and the ICO itself that necessary resource, funding, independence and evolving powers are provided to allow the Information Commissioner to continue to protect, update and enforce data protection legislation.

ICO’s internal data security breach

However, it is somewhat unfortunate that at the time the ICO is asking for greater funding, independence and stronger powers, they are also admitting to their own “non-trivial” data breach. The incident was treated as a self-reported breach and was apparently investigated and treated no differently from similar incidents reported to the ICO by others. After an internal investigation the ICO concluded that the likelihood of damage or distress to any affected data subjects was low, and that it did not amount to a serious breach of the Data Protection Act. A full investigation was carried out with recommendations made and adopted.

However, later information suggests that this breach is now linked to a criminal investigation. So the breach investigation has not, seemingly, been closed.

Data Compliant


If you have any concerns over data protection compliance or security, don’t hesitate to get in touch – call 01787 277742 or email victoria@datacompliant.co.uk



Data Compliance and Cloud Computing

It’s clear that the innovative and accessible technical services provided by cloud computing are increasingly being selected and used by businesses.  And there are good reasons for doing so – not least accessibility, cost, reliability, resilience, and innovative products.  However, there are also risks to data protection which data controllers need to consider and be sure that such their cloud processing activity complies with the Data Protection Act.

What is cloud computing?

Cloud computing covers a broad range of services and technology, but the Information Commissioner’s Office (ICO) defines it as:

“access to computing resources, on demand, via a network”

To explain:

Resources include storage, processing, software

On Demand simply means that the resources are available to the customer or user on a scalable, elastic basis, typically through virtualised resources

Via a Network refers to the transit of data to and from the cloud provider, which may be over a local or private network, or across the internet.

The Data Protection Act (DPA) and Cloud Computing

All operations involving personal data that take place in the cloud – including storage – must comply with the DPA, and it is the data controller who has ultimate responsibility for that compliance.

However, if layered cloud services are being used (eg different cloud providers of software, platforms or infrastructure) then it’s quite possible that there will be a number of data controllers and data processors working together to deliver services which included processing personal data.

The cloud customer is most likely to be the data controller, and will therefore have overall responsibility for complying with the DPA.  However, depending on precisely the role of the cloud provider, the customer must assess whether the cloud provider is simply a contracted data processor or is, indeed, a data controller in its own right – which may be the case if a cloud provider in any way determines the purpose(s) for which the personal data are to be processed. In this case the cloud provider will be responsible for its own data protection compliance.

12 Cloud-specific DPA Considerations

Data Compliant Cloud considerationsThere are some specific considerations for data controllers who have moved or are considering moving personal data to the cloud.  Below are twelve:

  1. What personal data is to be processed (and how) in the cloud, and what are the inherent data protection risks
  2. What steps can be taken to mitigate those risks (eg authorisation protocols)
  3. Who is the data controller
  4. What additional personal data may be collected in the cloud (eg usage stats, transaction histories of users and other such ‘metadata’)
  5. Does the cloud customer’s privacy policy provide adequate information about processing data in the cloud
  6. Does the cloud customer need to run a privacy impact assessment to identify any privacy concerns and address them from the beginning of the process
  7. Does customisation of an existing cloud service cause any additional privacy risks
  8. What monitoring, review and assessment requirements between cloud customer and cloud provider should be put in place to ensure the cloud service runs as expected and to contract
  9. What commitment does the cloud provider have to keep the cloud customer informed in the event of changes in the chain of sub-processors taking place during the provision of the cloud service
  10. A written contract is required by the DPA between the data controller and the data processor – beware of a cloud provider which offers terms and conditions with no opportunity for negotiation.  The risk that those terms and conditions may subsequently change needs to be taken into consideration.
  11. The data controller is responsible for the security of its data processor – assessment of the security of the cloud provider is mandatory
  12. Data outside the UK / EEA – the data controller must check the countries where data is likely to be processed and satisfy itself that the relevant security arrangements are in place

8 Essential Policies and Processes

Cloud with lock on white background. Isolated 3D imageAny business will benefit from formal, documented policies and procedures.  Having made a decision to use cloud services, there are some specific requirements that are particularly important from a personal data compliance perspective:

  1. Access control – the data is, by the nature of cloud computing, accessible from any location – home, the office or on a range of devices.  Sufficient measures need to be put in place to prevent unauthorised access to the data
  2. Authentication processes – to verify that a cloud user is authorised to access the data
  3. A system is required to create, update, suspect and delete user accounts
  4. Leaver protocols need to be put in place
  5. Data retention and deletion policies are required – consider your cloud provider’s deletion issues across multiple locations and back-ups
  6. Cloud provider access policies need to be in place for occasions when the cloud provider needs access in order to provide services
  7. Staff training on cloud processes and controls is required to maintain the security of the cloud service
  8. Regular audits of procedures and policies in place will help ensure ongoing compliance

The cloud is here to stay.  If you’d like any information or have any concerns about your own cloud provider contracts, policies or compliance issues, please don’t hesitate to contact us:


01787 277742

Data protection breaches make great news stories …

breach and bad publicity June 2014

I read today that the BBC is in trouble for “lack of transparency” after it apparently rejected 17.9% of requests for information under the Freedom of Information (FOI) Act, and answered fully only 35% of FOI requests.

Bad press causes rise in volume of FOI requests

Much more interesting to me is the information that the number of FOI requests received by the BBC rose by almost a quarter to just under 2,000 during the 2-year period from 2011 and 2013.  The timing of the rise directly coincides with various scandals including the Jimmy Savile investigation, the profligate spending of £100 million on the disastrous digital archive project and the uproar over the extravagant pay-outs to departed senior executives.  Not, I think, a coincidence.

All publicity is good publicity …

Some claim that all publicity is good publicity. This is simply untrue.  Take data breaches for example. The frequency of data compliance and security breaches is leading to growing press interest and coverage, which in turn is rapidly educating the general population – ie the data subjects (and that’s you and me). And when huge players like eBay and Morrisons are affected – well, breaches of that magnitude become a dripping joint to the media.  The news spreads like wildfire, causing further lack of confidence that big companies have any respect for our privacy or personal data.

So as data subjects, we are more likely than ever to demand that organisations account for the way in which they handle and use our personal data; and to take steps to understand the data held about us and how it is used.  Subject access requests are a case in point, and a well-publicised data security or compliance breach inevitably results in increased subject access requests.

Worse yet, many businesses still don’t know what their legal obligations are once a subject access request is received – which means they run the risk of a further potential breach.

Subject Access Requests (SARs)

Individuals are perfectly entitled to request a copy of the personal data an organisation holds on them.  Once an SAR is received, generally the organisation has a maximum of 40 days to respond and provide the information.  Most business can charge a fee of up to £10 for provision of the data – more complex requests, such as those received by schools and the NHS use a sliding scale up to a maximum of £50.  Every company should have a documented Subject Access Request policy, and keep records of SARs received, and the way – and timescale – in which they have been handled.

If you have any concerns about SARs specifically, or your data governance, data compliance or data security in general, we’ll be happy to have a chat or answer your queries.  Just call us or email victoria@datacompliant.co.uk

More delays to the European Data Protection Regulation?

European Data Protection RegulationIt is becoming increasingly difficult to say when the European Data Protection Regulation will come into force.  The legislation is currently at the point where three-way negotiations need to take place between the Justice and Home Affairs Ministers, the European Commission and the European Parliament to finalise the text .  It was broadly anticipated that the draft EU Data Protection Regulation would be passed later this year, making it law in the UK by 2016.

However, the recent European elections and new parties now represented in the European Parliament may impact the timescale of the passing of the Regulation and delay it even until early 2015, in which case it would become UK law in 2017.  The new Parliament now needs to elect the MEPs to take part in the three-way negotiations, and reappoint members to its various committees etc to reflect the changes in party strength.

One of the interesting issues is that Viviane Reding has just been elected as MEP.   In her role as Justice Commissioner, she has been an extraordinary force for the development and implementation of the DP Regulation.  But as an MEP she will need to step down from her current role, and there is no guarantee that the new Justice Commissioner will be as driven in terms of getting the legislation passed.

So it is somewhere between difficult and impossible to determine when the European Data Protection Regulation will come into force in the UK, but it is increasingly unlikely to be before early 2017.

What has been clear since March, however, is that the legislation is coming, and businesses will benefit from being ready for the changes that it will bring.  If you’d like any help assessing your readiness for the upcoming legislation, please contact Data Compliant on 01787 277742

Data Security – Microsoft Office XP and 2003

8 April 2014On 8 April 2014 , office support for Microsoft’s Windows XP and Microsoft Office 2003 will come to an end.  Not the end of the world, you’d think, but if your organisation keeps personal information on those versions, this is a significant problem.

Though PCs will continue to run, the issue is that Microsoft will not be providing any further updates or fixes to these products. This means that in the event of any security flaw, your system will be vulnerable, and so in turn will any personal data you hold.

It is inevitable that, over time, attackers will increasingly find the vulnerabilities within these products, which will provide them with more and more opportunities to access and manipulate your systems.  To prevent the risk of personal data breaches in these circumstances, the best advice is to migrate to a supported system before the deadline of 8th April.

It’s not just Microsoft where stopping system support is an issue – the same is true of other providers who do not support their systems.  So it’s well worth making sure that you and your organisation have ‘appropriate technical organisational measures in place to keep individuals’ personal data safe.

Failure to do so puts you in breach of the Data Protection Act, and the ICO has the power to levy a fine of up to £500,000 to any organisation whose failure to comply with the DPA has led to serious issues of data security.

The size of fine varies enormously depending on the scale and potential damage caused by the breach.  For example the ICO has recently fined the British Pregnancy Advice Service £200,000 after a hacker obtained thousands of individuals’ personal details due entirely to poor data security.  And, on a smaller scale, the owner of a loans company, Jala Transport, was fined by the ICO after his car was broken into.  The thief stole £3,600 and a hard drive. Even though the hard drive was password protected, the data within was not encrypted and it included customers’ names, dates of birth, payments made, and the identity documents provided to support the loan application.  His fine could have been as high as £70,000, but was reduced to £5,000 to reflect the limited financial resources of the company and the fact that the breach was reported voluntarily.

In both cases, the breaches were perpetrated by a malicious third party.  But it was the lack of the businesses’ security and protection of the personal data that was the root cause of the fines. This is why it is so important that companies remain ready for the security issues which will inevitably arise when their service providers switch off support – whether the provider is Microsoft or another.

Data Compliant helps businesses build policies and processes to enable them to become and remain secure and compliant both in terms of systems and governance – if you have any concerns over your data security, don’t hesitate to contact us on 01787 277742 or email tony@datacompliant.co.uk

EU Parliament votes in favour of Data Protection amendments …

EU Parliament DP regs vote

EU Parliament DP regs vote

The European Parliament voted on March 12th to adopt the amendments put forward by the LIBE Committee.  An overwhelming 95% voted in favour (621 for, 10 against and 22 abstained).

What does that mean to UK businesses? 

Essentially the European Parliament has now given its backing both to the structure and fundamental principles of the European Commission’s data protection reform proposals – the General Data Protection Regulation and the Data Protection Directive.

However, to become law the proposed Regulation still has to be adopted by the EU Council of Ministers, who, on March 4th 2014, supported the principle that non-European companies who provide goods and services to European individuals will have to apply the EU data protection law in full.

The next meeting is scheduled for June 2014, and even though this falls after the European elections, yesterday’s vote means that Parliament has now made its decision, and its position will not change regardless of the results of the May elections.

Should these amendments ultimately become law, UK businesses will be affected by a number of issues, many of which have been raised in previous blogs


While there are undoubtedly restrictive disadvantages to businesses, there are also some advantages which will help establish a level playing field as well as saving time, money and legal costs.

A single law throughout Europe – A single law for data protection across Europe will replace the individual countries’ existing laws, making it easier for companies who will no longer have to work within 28 inconsistent and diverse laws.  According to Europa EU, this will benefit business to the tune of 2.3 billion euros per annum.

One-stop-shop – under current legistlation, a business is subject to the national data protection authority in each and every country in which it operates.  The new one-stop-shop rule means that a business will only be subject to the national data protection authority in the country where its Head Office is based.

While this is of significant benefit to businesses, it does make it unwieldy for consumers to keep control of complaints they make against a company whose head office is in a different country.  The one-stop-shop rule means that such consumers will have to complain to their own national data protection authority, who will then pass the complaint to the authority in the relevant country for action under their jurisdiction.  This is quite different from current regulations, where the business is responsible to the data protection authority in the country in which it operates.

Same rules for everyone – Companies based outside Europe will have to apply the same rules as those within.  Currently European businesses work under much stricter rules than their counterparts elsewhere so this will level the playing field.  In addition, there will be an increased level of fines for breaches of the regulations. The ICO can currently levy fines of up to £500,000, but the new legislation proposes fines for businesses who break the data protection rules of up to £85,000,000 or 5% of annual worldwide turnover – whichever is the higher. This should certainly concentrate the minds of some of the data-using giants of industry.


However, there are significant disadvantages to businesses as the EU proposals seek to empower the data subject far more strongly than ever before:

Right to erasure  – originally this was the “right to be forgotten” – and it allows data subjects to demand that their data is erased by businesses. The latest version states that not only must the business erase the data, but must pass that request on to other businesses where the data is replicated. Thjis amendment will cause severe difficulties for businesses such as social networks, cloud providers and search engines.  However, the right to erasure does not apply where there is a legitimate reason to keep data within a database.  And the right to erasure may not encroach on the freedom of expression and information of the media.

Consent – obtaining consent from the data subject will become significantly more difficult for businesses who collect and use personal data.  Currently consent may be “inferred” based both on consumers’ actions and their lack of action. Under the current legislation, if somebody buys a product online, and does not opt out; or if an individual does not “unsubscribe” from communication messages, then – depending on the circumstance – it can be “inferred” that the individual has given their consent to receipt of communications, services or offers.

However, the LIBE amendments require “explicit indication of the individual’s wishes” and “clear affirmative action”.  The implications are significant, as it is unlikely that current opt-out or unsubscribe mechanisms will meet the required level of consent. There will also be increased restrictions over relating the consent to the “Purpose” of collecting the data.  If the original Purpose no longer exists, then the company may not rely on that consent to process the customer’s personal data.

This is likely to have a significant impact businesses – research from fast.map shows that just 30% of consumers today are likely to opt in compared to 51% choosing not to opt out.  Clearly, over time, there will be changes to these statistics – consumers will become more aware as a result of businesses being forced to become more transparent about how they intend to use the personal data provided.  It is also noteworthy that, from the same research, currently 40% of people state they will provide information in return for something they perceive to be of value.  Some creative thinking is required to find real, tangible benefits to consumers in return for them providing their data.

Profiling – the use of profiling is widespread among UK businesses and direct marketers.  The EU regulations state that data subjects are required to be provided with a clear explanation of any profiling.  There is even provision to ban profiling entirely in those circumstances where profiling affects fundamental rights or causes potentially discriminatory results such as race, religion etc).  The impact of this on financial services organisation or those who use credit checking is likely to be inconvenient at best.

Data Protection Officers – The LIBE amendment requires that a data controller or data processor must appoint a Data Protection Officer (DPO) for a minimum of four years when processing personal data in relation to more than 5,000 data subjects within any 12-month period. And even where an organisation processes under 5,000 individual records but those records include sensitive personal information such as children’s personal information, then they too must also appoint a DPO. Having said that, SMEs are exempt as long as data processing is not their core business activity.

Data Subject Compensation policy – Individuals who have suffered damage can claim compensation for breaches of the Regulation. This would mean that an individual woken up by an unsolicited telemarketing call could claim damages for being disturbed.

There is still a long way to go before the EU legislation is finalised, and in the meantime discussions will continue.  Many countries are clear that getting the legislation right is more important than hitting an arbitrary deadline so both the content and the timetable are subject to change.

Nonetheless it is well worth UK businesses preparing for changes to the data protection landscape.  Although the new legislation is not expected to be in place before 2016, and it may possibly lapse to early 2017, changes are definitely going to happen, and planning for compliance will need to begin now.

If you have any concerns over how the new EU legislation may affect your business, or would like advice on becoming and remaining compliant, please contact us on 01787 277742.

NHS … patient data … what’s next?

According to the ICO, there were 388 data breaches relating to health data in the first nine months of 2013.  That is 34% of all the data breaches in the UK during the same period, and the proportion has increased from 27% at the end of March to 38% by the end of September 2013.  The chart below compares the number data breach levels by industry sector over the same period.  Given the sensitivity of the health data held by medical organisations in this country, those are shocking statistics.Data breaches by sector to Sept 30 2013

Centralised medical records database

Despite this poor track record, very soon the NHS is going to combine all our medical records into one massive database. Every GP practice in the UK will shortly begin to disclose their patients’ personal and sensitive data to care.data at the Health and Social Care information Centre (HSCIC).  The process is monthly, automatic, and assumes patient consent unless patients actively opt out – which is not necessarily a simple process.

nhs databaseSo what does this mean to patients?  Essentially, personal confidential data (PCD) such as family history, vaccinations, diagnoses, referrals, blood pressure, BMI, cholesterol and NHS prescriptions and more will be extracted from GP systems and shared with care.data.

In order to match data from the GP surgeries with data acquired by the HSCIC from other sources (such as hospitals) identifying data such as data of birth, postcode, NHS number and gender will be included within the data extracts.  Once matched across all the data sources, the data is pseudonymised (ie identifying characteristics are removed).

Once an individual is flagged as “deceased” no further data will be collected – though the data already provided will continue to be processed by the HSCIC.

medical data chartsWhat are the benefits?

If it were possible to trust the security and intentions of those collecting the data, there are some fantastic potential benefits, for example improved patient care; the effective prevention, treatment and management of illness; hospital performance, management of NHS resources; or the analysis and understanding of specific treatment benefits; even planning new health services.

What are the risks?

The poor track record of the NHS in terms of protecting our medical data is alarming and raises concerns over confidentiality of our medical records.  In addition, there are increasing numbers of private companies who provide services to the NHS, from physiotherapists to care homes; from private hospitals to insurance companies.  Members of the public are likely to be uneasy about private companies benefiting from their health data, and equally concerned that their GP will no longer be the “gatekeeper” of their confidential medical data.

Furthermore, although the data will be pseudonymised, single-minded analysts may undoubtedly try and will probably succeed to some degree in finding a way of matching the data against other commercial data sets to “re-identify” the individuals.

Who can use the data?

The data can be released for five listed reasons:  health intelligence, health improvement, audit, health service research and service planning. That’s a pretty broad spectrum, and it is evident that the number and range of potential customers for this centralised database of our medical records is enormous.

For example, how long it will be before insurers persuade the HSCIC that it is to the benefit of the health and social care system that they should model and predict medical claims rates based on the UK’s centralised medical database, and use the findings to price their medical insurance policies accordingly.

Can GP practices opt out?

Doctor Data ControllerThe Health and Social Care Act 2012 creates a statutory obligation for GP practices to disclose the information as directed.  GPs are unable to refuse to do so as such refusal would put them in breach of the statutory requirement.

But because the GP practice is actually the “data controller” of their patients’ confidential medical records, GP practices are also responsible for ensuring that their patients’ personal and sensitive data is handled fairly (as defined under the Data Protection Act 1998).

So it is up to GPs to ensure that patients are aware that their data will be shared with the HSCIC, that the HSCIC has powers to extract personal confidential data, and, arguably, what the HSCIC intends to do with the data.

And if a patient claims they were unaware that their data was to be shared, it would be the GP practice who would be investigated by the ICO.

The GP practices remain data controllers of the data they hold within the practice, but are no longer responsible for the data once it has been disclosed to the HSCIC.  Instead the HSCIC and NHS England become joint data controllers who are obliged to comply with the Data Protection Act.  NHS England will determine the “Purpose” for the data collection, while the HSCIC will determine the manner of processing.

How do patients opt out?

Normally one would expect the sharing of data of this sensitivity and confidentiality to be subject to patient opt-in, rather than the NHS assuming consent.  However, the Health and Social Care Act 2012 empowers the HSCIC to require providers (eg your GP practice) to send it personal confidential data when directed to do so.  And the Act overrides the requirement to seek patient consent.

A patient can inform their GP of their wish to opt out, and no reason is required.  It is worth noting that the right to opt out has been implemented as a constitutional rather than a legal right.  Having opted out, it is up to the GP practice to ensure that the right code is appended to the legal record.

However, the patient has no right to prevent his or her medical data leaving the GP practice if such data carries no identifiable information as this is anonymous data rather than personal data.  The question, really, is what is “identifiable information”?  It is DOB? Arguably in some circumstances, it may be.  And surely an NHS number is identifiable information.

The Secretary of State for Health has given a commitment that individuals’ objections to disclosure ot the HSCIC will be respected in “all but exceptional circumstance” (for example, a civil emergency).

Is the process compliant?

You could argue that this data sharing activity defies the second principle of the Data Protection Act:  “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with the purpose or those purposes”.  In my view, you don’t talk to your doctor about a medical condition for any purpose other than to have him solve – or try to solve the problem for you.  And while that may include prescriptions, or visits to consultants, hospitals and clinics, making our medical records data available to commercial organisations cannot possibly be considered the “Purpose”.