I had to visit the hospital the other day. I’m not going to say why, because that’s private, personal and confidential. Suffice it to say that the condition isn’t one that I wouldn’t tell my mother; but it is one that I’d prefer potential employers and insurers know nothing about unless I tell them (it’s probably nothing anyway). I would most certainly not want the pharmaceutical industry to know — the drugs they offer make the (possible) condition much worse, and introduce new ones.
But I don’t need to worry, do I? At the bottom of the hospital appointment letter, in bold type, is the statement:
All personal information about you is kept confidential at all times and is only shared when necessary to support your care and treatment. If we want to use your information for any other purpose, with the exception of when the law requires us to do so, we will talk with you and obtain your consent. If you have any concerns regarding this, please talk to the person providing your care and treatment.
(see grammatical note at the end of this post)
But that’s a lie. While the government wants to start centralizing our GP records in the autumn, it is already doing so with HES (Hospital Episode Statistics). These are already held by the Health and Social Care Information Centre (HSCIC) which is where all of the records will eventually be held. According to the HSCIC website,
HES is a data warehouse containing details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England.
This data is collected during a patient’s time at hospital and is submitted to allow hospitals to be paid for the care they deliver. HES data is designed to enable secondary use, that is use for non-clinical purposes, of this administrative data.
It is a records-based system that covers all NHS trusts in England, including acute hospitals, primary care trusts and mental health trusts. HES information is stored as a large collection of separate records – one for each period of care – in a secure data warehouse.
We apply a strict statistical disclosure control in accordance with the HES protocol, to all published HES data. This suppresses small numbers to stop people identifying themselves and others, to ensure that patient confidentiality is maintained.
Compare the two statements. It is perfectly clear that the hospital is lying. But the reality is, so is HSCIC.
Back in 2012, the marketing firm PA Consulting bought a copy of the HES data.
So we bought the data and installed it (with certain security restrictions) on our own hardware… [But querying the data took too long.] The alternative was to upload it to the cloud using tools such as Google Storage and use BigQuery to extract data from it… Within two weeks of starting to use the Google tools we were able to produce interactive maps directly from HES queries in seconds.
(That document seems to have been removed from the PA site, or hidden away. Anyway, I can no longer find it, and have to rely on the copy I have. It seems to have been replaced by a press statement from PA here and another from HSCIC here in a coordinated release. Neither of these should satisfy any patient.)
The HES data sold by the government is pseudonymised — but still includes postcode and age (PA denies that it received DOB or address, but doesn’t specify whether that included ‘age’ and ‘postcode’). In other words, standard HES data specifies very clearly exactly who 98% of the patients actually are and where they live.
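As an added illustration (not from the original post; the records are constructed, not real HES data), a k-anonymity check shows why pseudonymising the patient identifier achieves little while full postcode and exact age stay in each row, and what the "suppress small numbers" disclosure control in the HSCIC quote above amounts to in practice:

```python
from collections import Counter

# Constructed sample of pseudonymised episode records (not real HES data).
# The patient ID is a pseudonym, but full postcode and exact age remain.
RECORDS = [
    {"pseudo_id": "p001", "postcode": "AB1 2CD", "age": 34, "episode": "outpatient"},
    {"pseudo_id": "p002", "postcode": "AB1 2CD", "age": 71, "episode": "A&E"},
    {"pseudo_id": "p003", "postcode": "AB1 2CE", "age": 34, "episode": "admission"},
    {"pseudo_id": "p004", "postcode": "AB1 2CE", "age": 35, "episode": "outpatient"},
    {"pseudo_id": "p005", "postcode": "AB1 9ZZ", "age": 70, "episode": "admission"},
    {"pseudo_id": "p006", "postcode": "AB1 9ZZ", "age": 72, "episode": "outpatient"},
    {"pseudo_id": "p007", "postcode": "AB2 1XX", "age": 51, "episode": "A&E"},
]

# Quasi-identifiers: fields that are not names, but can be matched against
# an external list (electoral roll, marketing database) to re-identify a row.
QUASI = ("postcode", "age")


def quasi_key(rec, quasi=QUASI):
    """Tuple of the quasi-identifier values for one record."""
    return tuple(rec[field] for field in quasi)


def k_anonymity(records, quasi=QUASI):
    """Smallest number of records sharing one quasi-identifier tuple (k=1 means a unique row)."""
    counts = Counter(quasi_key(r, quasi) for r in records)
    return min(counts.values())


def unique_fraction(records, quasi=QUASI):
    """Share of records that are the only record with their quasi-identifier tuple."""
    counts = Counter(quasi_key(r, quasi) for r in records)
    unique = sum(1 for r in records if counts[quasi_key(r, quasi)] == 1)
    return unique / len(records)


def generalise(rec, age_band=10):
    """Coarsen the quasi-identifiers: outward postcode only, age rounded down to a band."""
    out = dict(rec)
    out["postcode"] = rec["postcode"].split()[0]
    out["age"] = (rec["age"] // age_band) * age_band
    return out


def release(records, quasi=QUASI, k=3):
    """Disclosure control: generalise, then suppress any cell with fewer than k records."""
    coarse = [generalise(r) for r in records]
    counts = Counter(quasi_key(r, quasi) for r in coarse)
    return [r for r in coarse if counts[quasi_key(r, quasi)] >= k]
```

On the raw rows every record is unique on postcode and age, so the pseudonym protects nothing; only after generalising and dropping the small cell does the released set reach k=3.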
And then there’s Beacon Dodsworth, a firm that “provides geographical information system (GIS) mapping software and marketing technology to clients in a wide range of industries” including Estee Lauder, Trinity Mirror Group and Boots. It says
Hospital Episode Statistics (HES) have now been integrated with our P2 People & Places people classification thanks to some hard work from our clever developers.
This means you can now better understand the health needs of local communities and populations and identify trends and patterns in order to target health improvement more effectively.
So we seem to have a system that quite readily sells our hospital records to any marketing company that will pay for them, and then allows those marketing firms to advertise the ability to target us on the basis of our health. And at the same time, the NHS itself tells us something completely different: that the data is only seen by those involved in our treatment.
Now Ross Anderson, chair at the Foundation for Information Policy Research; Phil Booth, coordinator at medConfidential; and Nick Pickles, director at Big Brother Watch, have all filed a complaint with the ICO requesting that the issue be examined in relation to the Data Protection Act.
It will be interesting to see how the ICO can reconcile what to everyone else is a clear but hidden breach of confidential patient data — and the Data Protection Act — with this government’s desire to sell and share everything about us to anyone willing to pay for it, irrespective of our own wishes. Because the one thing we can be very sure about in all of this is that the ICO will do all he can to avoid doing anything at all.
The first sentence is a complete statement. The second sentence is also a complete sentence. There is nothing in the second sentence to indicate that it qualifies the first sentence. There is nothing in these two sentences from which a reasonable patient could infer that it really means, “We will not share your personal data with anyone other than the centralised government database operated by HSCIC, with whom we will always provide all of your details all of the time, and over which we have not the slightest control nor responsibility for your personal data.”
The United States would be well advised not to dismiss European anger over the NSA — but so far the US doesn’t seem to be taking the EU’s concerns seriously. Consider the safe harbour agreement, and the growing movement to suspend it.
Safe harbour is an official arrangement that allows American companies to circumvent the European data protection laws. These laws prohibit the export of personal European data to any country that does not have comparable data protection laws. The United States does not. On the face of it, then, this would stop companies like Google and Yahoo and Facebook operating in Europe since they ‘export’ their users’ data to servers in the US.
To avoid this, the EU and US developed the Safe Harbour. Provided individual companies are certified to provide a comparable level of data protection to that required in the EU, safe harbour allows US companies to store EU data in the US. That certification can be provided by a qualified third-party, or it can be self-certification. One of the conditions included is that personal EU data will not be passed on to third parties.
But this requirement is clearly being breached by the NSA’s Prism programme. It doesn’t matter whether US cloud companies are giving EU data to the NSA willingly or even knowingly — that it happens is in contravention to safe harbour. So the mood in Europe is simple: if safe harbour isn’t being honoured, it would be better to suspend it. If this were to happen as things stand, companies like Google and Facebook would no longer be able to operate in Europe.
Why I don’t think America is taking this threat seriously
In December 2013, a US think tank called Future of Privacy Forum (FPF) published a report concluding, “It would be unwise at this stage of the Safe Harbor to pull back on this effective program.” It claims that safe harbour is working — when Prism shows it is not.
FPF’s first argument is that “eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.” Seriously? Is FPF really suggesting that since the NSA will disregard the law, we shouldn’t bother having any laws?
Its second argument is that even US companies that allow their safe harbour certifications to lapse are “still subject to FTC Section 5 enforcement for any substantive violations of the Safe Harbor principles committed while it claims to be a member.” Luckily, we can test that assertion because the FTC has just made enforcement on 12 US companies for that very infringement.
Following complaints, the FTC took action against the companies which resulted in settlements. The settlement agreements now prohibit the companies from falsely stating to be Safe Harbour certified.
FTC takes safe harbor enforcement action against 12 US corporations
So, the punishment for ignoring safe harbour rules is to agree to stop ignoring safe harbour rules; which can be done via self-certification.
This is not the behaviour of a country that is taking Europe seriously.
Is it even possible for Europe to suspend safe harbour?
This is the crux of the problem. America clearly believes that it would be impossible: Google, Facebook, Microsoft, Yahoo etc, etc are so deeply woven into the social and economic fabric of Europe that it would not dare, in the final analysis, to pull the plug. That, I fear, would be a catastrophic underestimate of European determination.
Consider some of Europe’s recent announcements. It is preparing itself for a life without US tech giants, and even a life without the UK. (Incidentally, David Cameron will rapidly discover how insignificant the UK will be considered by the US if it can no longer influence the EU in favour of the US; and GCHQ, like the NSA, can no longer spy on Europe.)
Firstly, the EU has declared it wishes to be an honest broker between US and UN ownership of internet governance. In other words, the European bloc is no longer in blind support of the US position — it is preparing for, and in doing so it is making inevitable, a time when US control is removed.
Secondly, Angela Merkel has indicated a Franco-German intent to build a European internet outside of the NSA’s reach. US companies will either have to agree to play by European rules, or be excluded from Europe. (That, of course, applies equally to the UK and GCHQ. Nigel Farage of UKIP wants the UK to leave the EU; Cameron, who doesn’t, is close to getting the UK excluded by default.)
Faced with such a decision, the US companies will take a commercial position and play by the rules of what will effectively be a heavily policed virtual internet within and for Europe. Microsoft has already broken ranks and said it will ensure European data remains in servers within Europe. The problem for Microsoft will come when it receives a FISC order demanding EU data from those European servers. The danger for the United States is that under such circumstances, some of those companies will emigrate from America in order to maintain their European presence.
So, as I said at the beginning, the US would be well-advised to take Europe seriously. Europe is older and more patient than America. It can and will take the long view over this issue.
I got this Skype message this morning from a much-loved and well-respected colleague:
Well it was news to me; so I asked what made him think that. He sent me a link; and that link led me to this:
And so it continues – I am mentioned 28 times on this page.
I quickly checked my emails to see if some rich aunt had passed over and left me a new website in her will; but all I could find were a few other opportunities:
…my name is Michael Smith and I want you to assist me received huge sum of (Ten Million Five Hundred Thousand United States Dollars) for Investment purpose in your country and am willing to offer you 40% of the total sum for your great support. You might also wonder how i got your contact, I got it through the internet when i was looking for a trust worthy person i can trust to handle this project.
(yes, there was my rich aunt in all her glory still very much alive), and this
…a woman with the name (Ms. Gail Jackson) Came to Our Office with an Application Stating That she is your sister and You Gave Her the Power Of Attorney to Be the Beneficiary of Your Outstanding Contract Award Funds. She Made Us To Believe That You Are Dead And That She Is Your Next Of Kin…
That last one was worth $5.6 million; but sadly it was mistaken identity – I’ve never had a sister.
The reality is probably less interesting. It’s probably a new site under development. The developer is using a privacy statement template, and where it says ‘enter your name’, he entered mine. Or maybe all of the variables are in a separate file and are merged automatically; but in this instance they’ve got out of sync.
Sadly, I do not have a new gig with wossname; and I have no idea how my name became so elevated. But it is gratifying, nevertheless…
The brilliant Hawktalk blog has demonstrated how the UK government has airbrushed the Data Protection Act out of ‘national security’ issues. This leaves GCHQ free to conduct mass surveillance of British citizens (and who cares about foreigners anyway?) without any effective legal oversight — merely a nod and a wink from the government of the day.
The conclusion comes from an analysis of a data protection exemption certificate obtained under freedom of information laws and dating back to 2005 — now probably out of date but equally probably indicative of what is happening today (borne out by similarities between an old TfL exemption certificate and a recent one issued by Theresa May).
There are eight data protection principles underpinning the Data Protection Act. Summarized by the Information Commissioner’s Office (the UK’s data protection regulator), these are that personal data should be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
In the certificate analysed by Hawktalk, principles 1, 2, and 8 are exempted. Furthermore, principles 3 and 5 are effectively nullified by the exemption to principle 8 — the data can simply be transferred to NSA databases outside of the ICO’s jurisdiction.
Hawktalk’s argument is that these principles are automatically suspended for any statutory body pursuing its statutory purposes. The implication of a certificate specifically issued to completely exempt that body (GCHQ) from any of the principles is that it (GCHQ) wishes to pursue the processing of personal data beyond its (GCHQ’s) statutory purpose — it simply does not need an additional exemption if it sticks to what it was designed to do (ie, national security). In other words, GCHQ wishes to collect and process personal data to an extent that is both beyond its legal remit and the strictures of national law.
GCHQ has become, quite literally, a law unto itself.
The home page for Google France from a few days ago. It’s been removed now; but just in case anyone missed it…
On The Day We Fight Back Against Mass Surveillance (sign here if you haven’t already done so) I took a moment to glance through the draft report prepared by the European Parliament’s civil liberties, justice and home affairs committee (LIBE) on mass surveillance. It will be voted on tomorrow (Wednesday 12 February). It shows that some of our politicians (you can bet that there are few British politicians included) actually do care about our privacy and civil liberties.
After many legalistic pages of having regard to this and whereas that, it gets to the meat. Here’s an example from among many similar paragraphs:
Condemns in the strongest possible terms the vast, systemic, blanket collection of the personal data of innocent people, often comprising intimate personal information; emphasises that the systems of mass, indiscriminate surveillance by intelligence services constitute a serious interference with the fundamental rights of citizens; stresses that privacy is not a luxury right, but that it is the foundation stone of a free and democratic society; points out, furthermore, that mass surveillance has potentially severe effects on the freedom of the press, thought and speech, as well as a significant potential for abuse of the information gathered against political adversaries; emphasises that these mass surveillance activities appear also to entail illegal actions by intelligence services and raise questions regarding the extra-territoriality of national laws;…
That’s paragraph 9, and the rest are in similar vein. Paragraph 14 says:
Strongly rejects the notion that these issues are purely a matter of national security and therefore the sole competence of Member States; recalls a recent ruling of the Court of Justice according to which ‘although it is for Member States to take the appropriate measures to ensure their internal and external security, the mere fact that a decision concerns State security cannot result in European Union law being inapplicable’; recalls further that the protection of the privacy of all EU citizens is at stake, as are the security and reliability of all EU communication networks; believes therefore that discussion and action at EU level is not only legitimate, but also a matter of EU autonomy and sovereignty;…
Then follow 98 paragraphs of recommendations on what to do about it. Basically, it is ‘stop it’, ‘don’t do it again’, and ‘introduce these measures to prevent it’. Lest our American friends – and the American people are our friends – think this is just US-bashing, I should point out that certain EU member states are also criticised. Obviously this is primarily the UK and GCHQ; but the intelligence services of Sweden, Germany and France are also included.
Finally, the report
Instructs its President to forward this resolution to the European Council, the Council, the Commission, the parliaments and governments of the Member States, national data protection authorities, the EDPS, eu-LISA, ENISA, the Fundamental Rights Agency, the Article 29 Working Party, the Council of Europe, the Congress of the United States of America, the US Administration, the President, the Government and the Parliament of the Federative Republic of Brazil, and the United Nations Secretary-General.
It won’t happen of course. And even if it does, it will get no further. It will very rapidly get buried in European bureaucracy, largely at the instigation of the UK and the other major European players who have more to lose than gain in allowing their own citizens the rights they were born with.
But I am greatly fortified by the fact that this report shows some European politicians really do care about privacy and liberty.