Jun 07 2015

The ICO dropped the ball spectacularly on care.data, anxious to enable what they must have thought was an important undertaking by a valued stakeholder. — Tim Turner

If you’re an American who thinks HIPAA is too permissive on data sharing without consent, you should learn more about what’s going on in the U.K.

Tim Turner writes:

The people who run NHS England and the Health and Social Care Information Centre never wanted to give the public a choice about whether their data would be mined and sold for research purposes (and the clumsy, ill-informed opt-out that was dragged out of them isn’t a proper choice anyway). It should therefore come as no surprise – as the front page of today’s Telegraph makes clear – that the opt-outs have not been processed. Despite this, it’s full steam ahead: “the NHS has insisted that it will continue to sell medical data to insurers and other third parties”.

As Tim explains, NHS England did not need to obtain consent, as the authority was written into the Health and Social Care Act 2012. The moment they responded to public uproar by offering a compromise after the law was passed, they created an expectation:

Ironically, it is the fact that NHS England bowed to the predictable but apparently unexpected backlash and offered their weedy compromise, achieved in part by that mealy-mouthed leaflet hidden among the pizza menus, that puts them in a pickle. All personal data must be processed fairly, and by telling all citizens that they had a right to opt-out of the sharing of their health data, NHS England created a set of clear expectations. They didn’t have to, but they did. So by not properly resourcing the opt-out process, NHS England and the Health and Social Care Information Centre have breached the first principle.

Lack of funding isn’t an excuse or a mitigating factor. The fact that they could have gone ahead and done all of this without the opt-out isn’t relevant either. Because the opt-out was offered, it is now part of the fairness package, and not to deliver on it is a breach.

Read more on 2040 Information Law Blog.
