We need to talk about Sensyne…

If your child is being treated by Great Ormond Street, you’d be forgiven for having missed the announcement by press release a couple of weeks ago that GOSH has just signed a deal with an AI (‘Artificial Intelligence’) company called Sensyne Health.

You likely won’t have heard of Sensyne, run by former Minister of State for Science and Innovation and Labour peer, Lord Drayson. And on first appearances, more research into childhood diseases is a good thing – who would argue with that?

Look a bit closer, though, and many questions are left unanswered – not least who stands to profit most from this and other deals: Sensyne, its founder, its commercial partners and its majority shareholders, the NHS or patients?

Sensyne loves to boast about its ‘unique selling point’, which is that it “gives something back” to the NHS; a minor shareholding (typically £2.5m-worth of shares) and maybe a few hundred thousand pounds a year that each NHS Trust can apply for.

In return, Sensyne gets LOTS of data – NHS patients’ data – which it claims is “anonymised”, but which turns out not to be anonymous at all.

Doctors asking about existing contracts just before the pandemic were given a list of the items (“fields”) of data about each patient that NHS Trusts are required to provide to Sensyne under the terms of the deal:

This list clearly includes what is known as a ‘pseudonym’ – a unique ID for each patient – which allows Sensyne to link together every episode, every diagnosis and visit to hospital for each individual.

That is not anonymous data!

In fact, the law is quite clear; data linked with pseudonyms like this, which is often referred to as ‘pseudonymised data’, is deemed to be identifiable data and thus personal data under UK law. And you have rights regarding your personal data – especially your health data, around which there are additional ‘special category’ protections.

The second and third questions (after who profits?) must therefore be, were you even notified that this was happening? And was your permission sought?

Every use of personal data must be lawful, fair and transparent – the very opposite of a company trying to hide its business behind self-serving, legally incorrect mis-definitions of anonymous data, not telling you what it is doing with your or your children’s most sensitive data, and not giving you a choice!

Other questions which need answering include:

Exactly what data is being passed to Sensyne Health plc?

  • Is it everything in your child’s Electronic Health Record (EHR)?
  • What level of detail is being taken, e.g. heart rate every 30 seconds? 
  • Will it include treatments, and doctors’ notes?

How much and whose data is being passed to Sensyne?

  • The press release says “320,000” Great Ormond Street patients’ data. Is that the upper limit, or will that number grow over time?
  • [N.B. Sensyne states its ambition is to have “c.12.5m [NHS patient] records by the end of December 2022”.]

For what purposes will children’s data be used?

  • Is this to allow children to be tested alongside adults in developing and validating new algorithms, etc? 
  • [N.B. This is not necessarily a bad thing, but who will know what data trials they are in?]
  • Who determines what Sensyne’s commercial partners get to do? Are patients told? Do they have a choice?

What about notification, what if people have questions – and what about consent?

  • Why haven’t parents and children been told, much less consulted? When will their permission be asked?
  • Who wrote the contract? Are NHS Trusts simply signing whatever Sensyne’s lawyers tell them is fine?
  • Who decided the data was sufficiently “anonymous” to set aside patients’ legal rights?

Plus who knew what, and when?

  • Did Great Ormond Street’s Caldicott Guardian know about this deal with Sensyne health plc, and did they sign it off?
  • And how many other commercial data deals has GOSH made?

Not every data or AI contract that hospital Trusts sign will go as badly as Google DeepMind’s with the Royal Free, of course. But should NHS hospitals really be negotiating to hand their patients’ data (not to mention a reputational boost) to profit-seeking commercial interests, even for a notional stake? And should a world-leading specialist children’s hospital be doing anything – anything at all – that could compromise trust?

David Cameron (remember him?) may have said a few years back that every NHS patient should be a “research patient”, with their medical details “opened up” to private healthcare firms. 

As this summer has shown for people’s GP data, not everyone necessarily agrees.

If, like me, you have a child being treated by Great Ormond Street Hospital – and if, like me, you want answers, please do get in touch.

Posted in choice and consent, medical confidentiality, medical records, transparency | Tagged , , | Leave a comment

‘Vaccination Passports’: State of Play

Having shared some thoughts in private discussion, it was suggested that posting a summary might be useful. So here it is (lightly edited):

[…reflecting on the discussion thus far] it seems we agree that ‘vaccination passports’ are unwarranted, in practice near-pointless clinically, and potentially risky in a number of ways.

It is (also) the case that:

  1. It is entirely possible to create a vaccination certificate or (more or less verified or verifiable) credential, and that:
    1. The data required for this credential is created at a ‘vaccination event’ or events;
    2. Some of that data is currently (sometimes) provided to the individual by being handwritten on a piece of card;
    3. Wherever else it may be held, the data about those vaccination events is ultimately recorded and retained in people’s GP records – as is some other ‘COVID status’ data. (Noting that, at this point, having recovered from a bad bout of COVID would appear to be roughly equivalent to having received your first jab of some of the vaccines…)
    4. The GP record is therefore a prime target for expanded ‘data-sharing’ and/or copying, which by itself engages medConfidential’s core concerns.
  1. Such credentials can be linked to a person by various means, i.e. ID verification of some form (e.g. facial biometric, existing number/ID or document, ‘VeinID’!, etc.), thus becoming a vaccination/’immunity’/COVID test result passport:
    1. It is the linkage of the credential to the means of identification/verification that is most problematic, especially when this is done on/via a smartphone or chip (as in a bank card or biometric passport) that will inevitably encourage ‘secondary uses’ / feature creep;
    2. Pieces of paper, like the Yellow Card or current NHS ‘appointment reminder’ cards, offer far fewer risks; [Frankly, while I’d still take issue with, e.g. discrimination around COVID status generally, a sensibly-designed paper ‘tech’ would likely fall below my threshold of concern re. privacy / DP]
    3. There is a vocal lobby from political actors such as (the) Tony Blair (Institute), and the biometric and digital ID industries, etc. who have been proponents of ID for years. COVID-19 is just another excuse…
    4. ‘Centralised vs decentralised’ ID arguments are basically irrelevant – as is ‘privacy-preserving’ PR, given it’s a GDPR requirement (which many now seem to appreciate) – when, in use, vaccine passports will boil down to a person having to show another person a thing in order to be allowed to do something. Anyone proposing a giant centralised database, or anything equivalent, should simply be shot down in flames. And anyone (as many are) focusing purely on the credential or the tech is missing the point.
  1. It will be possible, and is indeed likely, that in some situations people are going to be (i) asked to present a credential, and (ii) required to present a credential – almost certainly for international travel, possibly for some domestic activities, e.g. going to work, attending social venues like cinemas and pubs, so:
    1. What would the legal basis for both of these be, both during and after the pandemic? (And won’t Governments declare the pandemic over once ‘everyone’ has been vaccinated?);
    2. The UK Government has funded and otherwise supported the development of multiple commercial COVID passport initiatives – see, e.g. my Twitter thread (above) for an ever-expanding list – and at some point is going to have to at least give the official ‘nod’ to some of them, if not actually provide them with a legal basis (or indemnity) under the Coronavirus legislation, or other legislation or regulations;
    3. The most obvious place to deal with non-sanctioned use is via legal challenge (tedious, but do-able), and this will likely involve some media work too;
    4. If the Government does decide to legislate or regulate, it has an 80 seat majority and (in Parliamentary terms) HM Opposition is currently about as useful as a chocolate teapot.

What seems most likely is that the UK will join one of the international travel schemes, likely one or both of the WHO’sSmart Vaccination Certificate” and the IATA’sTravel Pass” in which, unsurprisingly, the ICAO is involved. It may or may not cut individual country deals, like the recent Israel-Greece or Israel-Cyprus ones. [See also our supplementary response to Ada Lovelace Institute’s review:]

It seems unlikely that the current round of domestic ‘pilots’ in various geographical areas and sectors will not be expanded at some point, and – especially if the Government isn’t forced to legislate – these would represent a pretty messy, widely distributed target for a bunch of legal actions once they went ‘live’. Maybe it would be worth preparing and circulating some sort of ‘expert briefing’ for, e.g. human rights and employment law firms, chambers and unions, so they are at least forewarned and know who’d be worth talking to if/when this all kicks off?

In terms of timing, it would be politically unwise to announce or officially approve the use of vaccine passports until after everyone has at least been “offered” a vaccine. There are already ‘disincentives’ (real or otherwise) for some to get vaccinated, and it would be fantastically dangerous – as well as immoral, and highly challengeable – to play into those at this point. As bad as some are, not all Ministers are stupid, and most do have some sense of self-preservation – although that’s not to say Boris won’t do it, of course!

In terms of other practical steps – noting Ada Lovelace Institute’s current review, chaired by Jonathan Montgomery – and along with creating an expert briefing for lawyers and unions, it’s clearly worth some coordination across/within civil society. I’ve already seen various petitions (I believe this is the latest petition on this topic to hit the threshold for debate) and I’m sure there’ll be calls for consumer boycotts, etc. as well as other randomness on social media and elsewhere. It is unclear to me how such activity will have any meaningful effect.

Whether this does need more of a response than is going on at present, I don’t know. I assume folks are all talking to bunches of other people and between organisations, and I equally appreciate how busy we all are. But if this issue does blow up, it strikes me as being the sort of threat for which we’ve previously mounted a ‘Scrambling for Safety’ event which – even convened on Zoom – would take a bit of organising. (These issues are international, so we should bear that in mind too.)

If there is any interest in / appetite for any of these practical steps – e.g. an expert briefing, (pre)legal action, media work, a Scrambling for Safety – then I’d be happy to lend a hand as I can. We shall of course continue to develop and put forward arguments in public as we have throughout the course of the pandemic on medConfidential’s website, my personal blog, through official channels (Westminster, Whitehall & NHS), and in the media.

Posted in COVID19, database state, discrimination, Human Rights, identity, medical confidentiality, medical records, privacy | 1 Comment

Identity and Immunity

Technology can be better than the failing app solutionism; the question is whether we will be, or whether following the worst of the tech world will leave us in the database state.

Larry Brilliant is the American epidemiologist who, working for the World Health Organization, helped to successfully eradicate smallpox. He knows what he’s talking about.

Some governments – including our own – are suggesting the detection of antibodies to SARS-CoV-2, the virus that causes COVID-19, could provide the basis for an “immunity passport” or “immunity certificate” to allow individuals to travel, or return to work, on the assumption that they are protected against re-infection. But, as the WHO says:

There is currently no evidence that people who have recovered from COVID-19 and have antibodies are protected from a second infection.

This is not a blog post about “following the science”; it’s pretty clear by now who is to be trusted on that, and who isn’t. This is a post about identity systems, and how – even once we understand COVID-19 immunity, and can reliably test for it – they will interact with any “immunity passport” proposal.

In general, all that ‘identity solutions’ really do is to confirm a small number of attributes for a real human being. So it’s not surprising that, right now, anyone with anything that they think is an identity product is sticking a “COVID-immune” item or feature into it, and offering it to anyone who might listen.

Tech vendors gotta sell tech, of course – but, despite the kernel of plausible utility, there are more fundamental considerations which undermine the entire approach. Not least that we’ve never had to ask routinely, “Have you had your flu vaccination?” or “Are you on PrEP?”

And, given past experience (e.g. HIV/AIDS), do we really want to start?

In practice, from an engineering perspective, one can either start with ID and then add immunity, or start with the immunity process (which for COVID does not currently exist) and add something to facilitate attribute exchange. And it must be very clear that what happens in close proximity should always be an exchange – unless one of the entities involved is wearing full face-protecting PPE (i.e. a mask and visor, or full head-covering helmet), etc.

So, presuming they can be built (which no-one’s disputing on a technical level), for whom are immunity solutions actually useful? There is one obvious sector, and another very obvious risk…

Health and Care

Clearly an indicator of immunity would be most useful for NHS staff and other care providers. Given the choice, most people would likely prefer to be treated by someone who has recovered from COVID than someone who hasn’t, for anything that involves even the slightest risk of infection – for exactly the same reasons we don’t put immunocompromised staff on to the measles ward.

And indeed, NHS staff already have a strong identity solution – the “NHS Staff Identity” credential; the evolving NHS smartcard that already carries lots of attributes, to which the NHS employers could add the verified results of antibody testing, when such a thing exists.

Staff in social care are less strongly identified, but they are already known to their employers and by the people for whom they provide care. (Similar may be true for NHS-owned parts of the NHS supply chain.)

Knowing the COVID-19 status of a patient is critical, which is why that flag was already added to health records on the NHS Spine back in March; and patients are already strongly identified to their health records, for obvious reasons.

Outside Health and Care

For anyone and everyone else, we must ask: who are they, and what do they need it for? (Boris and others in Number 10 and its vicinity might want a reason to evade the lockdown rules, but it’s not like he followed them anyway…)

Much as “immunity passports” will no doubt be presented in the most positive, glowing terms – the way out of lockdown, the way back to work, your patriotic ‘duty’ to save the economy – the bottom line remains: the only real reason to know immunity is to discriminate against those who don’t have it.

“Immunity passports” won’t help with prejudice against those who do have immunity but ‘look foreign’, and so are asked for ID again, and again, and again. (This is, of course, the long-term preference of the unreformed and ‘institutionally ignorant’ Home Office.)

Beyond who gets an ‘immunity get-out-of-jail-free card’, and for what purpose(s), must come the question: how long does it last? Solutions in a pandemic are one thing; solutions for an endemic ‘Fifth Flu’ will have wider consequences, and may facilitate all sorts of abuse.

Reality bites

As our experience of COVID apps thus far has shown, the digital fraction is embedded in a very real physical context with very real rules and, by and large, it is these which determine body count – not how ‘smart’ or centralised, ‘truthful’ or trustworthy your code is.

The. Virus. Doesn’t. Care.

So while TechBros™ issue draft ‘codes of practice’ according to which (surprise, surprise!) their own products come out on top, fundamental epidemiological, virological and public health principles – such as the requirement that anyone who “asks” for a show of immunity must first show their own state – risk being lost. Unfortunately, it has been true for quite some time now that Silicon Valley and the stubborn parts of Government take a rather self-interested view of user needs*

Here’s a practical suggestion: those performing authoritative tests could hand successful testees a single sheet of ‘cheapID’-style credentials that could be offered to someone when there is a clear and legitimate need, with the norm being that it is always an exchange of individuals making a free choice – much like hookups in a gay club. Anyone offering a solution then has to explain why their thing is better, and why it’s needed anyway beyond “It’s an app” (or, God forbid, a blockchain).

A ‘strong identity’ solution requires strong identity at every step of every use; so is this really the sort of world we want when we come out of this? (Given there are other options.)

Immunity passports won’t stop the racists being racist, nor the jumped-up little Hitlers and jobsworths from doing their thing. But neither would it institutionalise discrimination, nor would it hand yet more tools of totalitarianism to either Big Tech or the Database State.

When Heathrow finally reopens for business, do we want to be Great Britain again? Or China?

In the new-normal will we decide once more to be a beacon of liberal democracy; cooperating and contributing on the global stage, with a renewed and revived sovereign (mother-of-all) Parliaments under rule of law; championing the commonwealth, the commonhealth and human rights for all – or will we go down in the flames of ‘data firesales’, techsolutionism and secret trade deals, badged with a ‘biomedical expertise’ that’s leaching credibility with every new mortality statistic and resignation?

Tech can be better than this; and we must be.

So let’s listen to the epidemiologists, and engineer the right solutions – apps for the next pandemic, maybe? And for now, let’s keep demanding and following the evidence, and keep asking the questions – to which you are more than welcome to add.

Posted in database state, identity, medical records, transparency, uncategorized | Tagged , , , , , , | 1 Comment

Settled Status

This analysis of the Home Office Settled Status programme – based on published materials, official statements, and conversations with those assisting or affected by the scheme – suggests many significant questions remain to be answered if the scheme is to be fair, impartial and supportive of vulnerable people.

Author’s postscript

The Withdrawal Agreement for Brexit requires most EU citizens resident in the UK to register with the Home Office. They will then be required to show proof of such registration on request, and British citizens can be fined or jailed should they not check such proof at certain times.

It was possible to have designed a Settled Status programme that does not have the flaws we highlight. The Home Office has not designed such a programme. In practice, the mass registration of over 3 million EU citizens is unlikely to go well, and our report highlights a significant number of outstanding questions.

To take just one group as an example: EU citizens who have previously been granted Permanent Residence may quite reasonably assume they have no need to register. They could be forgiven for thinking that the word “permanent” in their immigration status meant that their status was “permanent”. The Home Office, however, will not forgive anyone for thinking that.

Citizens of the British Isles

Given statements from the EU about reciprocity, British citizens living in EU countries may have to follow a process similar to Settled Status in the UK. Has the Government made any contingency plans for meeting its obligations in that case?

Will the Home Office and the Foreign Office have the ability to meet the requirements for UK citizens living in the EU that are reciprocal to those we are demanding from EU citizens living here? Will elderly Britons living abroad be required to satisfy the obligations of the Home Office’s hostile environment in order to receive current papers? What about those for whom their age or mental state prevents them from doing so?

The Settled Status process requires that citizens of other countries must have a current passport or equivalent, even where age prevents them from any form of travel. While such questions were out of scope for the report, they will directly affect every British citizen living elsewhere in Europe, and have barely been considered.

And it doesn’t end there. Every Irish citizen’s passport has “European Union” stamped on the cover. Given current Home Office and public debate around the Settled Status programme, any non-Irish person seeing such a passport might assume its holder was required to obtain Settled Status – an assumption that, while quite reasonable, is entirely wrong. Even were the Home Office to be entirely clear on the rights of residents (arguably an unprecedented step), will every landlord understand or make those distinctions, especially given the harsh penalties imposed if they get it wrong?

Will these issues be made clear in all Home Office messaging? How many similar issues will there be that are not yet on the political radar?

Technology is a hostile environment

Criticism of the Settled Status system on Twitter and elsewhere is not misplaced. The arbitrariness and institutional brutality of this system is harsh enough already for people who have no choice but to go through it; no action taken by British citizens seeking to support them should cause any unnecessary burden upon public bodies beyond the Home Office, nor cause any legitimate applicant undue additional distress.

For every Government data error that forces Home Office officials to ‘pause’ a decision and go back to a lawful resident, requiring them to provide additional evidence for manual checking, the Settled Status scheme will go incrementally over budget. The evidence of the pilots thus far suggests there will be many, many such errors.

Going Forward?

In 2006, then Home Secretary John Reid admitted the Home Office was “not fit for purpose”. Then in 2007, the balance of justice was shorn off as the Ministry of Justice was formed. In the subsequent decade, the Home Office has become increasingly detached from any sense of humanity or justice, with terrible human consequences that must be dealt with. Some of those can be dealt with in legislation imminently before Parliament – such as the EU Withdrawal (Implementation) Bill – some in the longer term, in the future Immigration Bill. But these will only be short term fixes, to some current problems.

Following the resignation of his predecessor, the current Home Secretary has begun a review of the Home Office – a necessary first step, in the same way the Butler Review was a prerequisite for the Chilcot Inquiry.

Given recent high profile embarrassments – the Windrush scandal, backtracking on plans to scrap ‘golden visas’ for rich investors, and a new visa outsourcing service that puts applicants at risk of deportation – and the ever-widening consequences of the hostile environment, whatever follows Sajid Javid’s review of Home Office structures and processes will be required to include the Settled Status scheme.

Will we let the institutional failures of the Home Office repeat themselves yet again, affecting yet another group of our friends, our neighbours, and our relatives?

Posted in database state, settled status | 1 Comment

What does Government think it knows about you?

EU citizens, and others, are rightly concerned about the sources of data that Her Majesty’s Government will use to do data-matching as it decides who has residency, and who does not. In general, data quality across Government is terrible.

Indeed, many key Government data systems are a mess. Some progress has been made in the last decade – for example, DWP’s core system now has only around 80 million active records today for 60 million people, down from nearly 120 million a few years ago.

Improvements like this provide little reassurance however to anyone wanting to know if the system will work properly for them, or their family.

Using currently available tools therefore, this is how you can find out what activity history DWP / HMRC / DVLA hold on you. N.B. This applies to British citizens too; would you receive residency if the Home Office decided you suddenly weren’t British enough?

To check:

HMRC (tax payments):  https://www.gov.uk/personal-tax-account  

DWP (NI contributions): https://www.gov.uk/check-state-pension   

DVLA (driver’s license): https://www.gov.uk/view-driving-licence

UPDATE: The Home Office ‘EU Settlement Scheme: Statement of Intent’, issued on 21 June 2018, confirms in paragraph 5.2 that the online application process will be checking HMRC data and “in due course” data held by DWP as well. (The Home Office may or may not check DVLA data for ‘settled status’, which is linked for many by their passport photo and signature.)

To get a copy of your records, you will be asked to use your ‘GOV.UK Verify’ account something you can set up the first time you need one. Replacing the Home Office’s flawed ID cards scheme, GOV.UK Verify uses a small number of certified ‘identity providers’ to assure your identity, rather than forcing the Home Office to spell your name right in its files (that it refuses to show you).

You can create a GOV.UK Verify account (or multiple accounts with different non-Governmental providers, such as the Royal Mail or the Post Office) using the provider that works best for you some providers have iPhone apps if you have an iPhone, and some work even if you don’t have a mobile phone at all. Providers use different evidence to confirm identity, so if one doesn’t work for you, try another one. (Post Office seems to work well for people with official documents, or you could try Experian if your history is mostly related to finance.)

When you find mistakes in your data… if the information that any or all of these Departments hold about you is wrong, the services I’ve linked to above tell you how to start the process of correcting it with them. (It probably helps to know that the helplines they provide are staffed by people who are measured by whether they helped you or not, rather than whether they pissed you off or not.)


About me:

From 2004-2011, I was the national coordinator of NO2ID, which successfully campaigned to abolish the ID cards scheme in the UK. The Windrush scandal is appalling enough, but it would have been orders of magnitude worse had the Home Office cancelled the victims’ mandatory ID cards, that everyone was told to assume legal residents would have – it cancelled their passports after all.

The only thing that ID cards will cause is more misery. If ‘punishment cards’ are proposed by either side of Brexit, it just shows they have no new ideas for the future – they are simply grasping for the failures of the past. While no solution’s ever perfect, we keep a close eye on what Government is doing with identity and at this point it’s GOV.UK Verify or an ID cards scheme run by the most punitive Home Office the country has ever seen.

Pick a side.

I now coordinate medConfidential with Sam Smith (who has a companion piece), helping protect the confidentiality of your medical records. We take donations (and sell badges!).


Posted in database state, GDS, ID cards, identity, NO2ID, privacy, transparency | 3 Comments