Things have moved on rather dramatically since my last blog post on the topic. care.data has been delayed by another 6 months, there were some scandals on shared HES data, several Westminster meetings, the last of which produced amendments (and for once no ministerial errors of fact?). I have now also started giving lectures on care.data (to Kent students this week, to Bristol colleagues in a few weeks’ time). So it makes sense to provide an update of my views on the issues here. This is in addition to an article I wrote last week on the 3rd party use of the data.
The legal set-up, and weakness of DPA: the parliamentary session on Tuesday 11 March considered and voted down an amendment to increase the penalties on abuse of the data. The contrast between 20 well-informed critical MPs from both sides of the house and a few health ministers discussing the issue, and a mob vote of 500 MPs is a bit shocking. See here for a sensible amendment and reasons why the government’s accepted amendment isn’t good enough. Of course, the new European data protection directive, once agreed by the Council of Ministers and effected in the UK, will allow more serious penalties than the current DPA – up to £100M or 5% of a company’s turnover.
Intelligence services: still a risk, no progress. Had a nice time talking at a Law Society debate on Mass Surveillance last week, where I did manage to drop in care.data as maybe the story that wakes up England on privacy.
Honeypot Value and security: HSCIC have declined to answer a Freedom of Information request from Julia Hippisley-Cox asking them to report on the number of past data breaches and audits. Given that even the NSA and the big tech companies have been shown unable to protect their own secrets, this worry will never go away completely.
On potential abuse by commercial companies: see my article “Time for some truth about who is feeding off our NHS data” for an overview and analysis.
Anonymity: let me write a separate post on that. I may have been naive so far.