It would seem difficult for IDS's Universal Credit to become
any more farcical, but under the DWP's latest change to the rules, your medical
records are open to all. Well, not quite all, but a quietly introduced
amendment snappily titled as the Social Security (Information-sharing in
relation to Welfare Services etc.) (Amendment) Regulations 2015 means that
from 13th February IDS will be allowed to share the medical information of any
Universal Credit claimant with any or all of: Local Authorities, charities
working with DWP, the Citizen's Advice Bureau, Credit Unions and Social
Landlords*, and do it without asking your permission.
The Social
Security (Information-sharing in relation to Welfare Services etc.) Regulations
2012 being amended state:
7.5 Being able to share person’s
data without needing to seek their consent every
time will help to speed up decision
making, make the process of applying for a local
benefit or service much simpler for
the individual, and ease the administrative
arrangements
by removing the need to collect and record consent.
While their
Privacy Impact Assessment notes:
2.5 The
effect of these legal changes means that in relation to the purposes described,
it will no longer be necessary to first obtain the consent of the person whose
data is being shared.
(We should probably have been concerned when the original
regulations went through, but it has taken the Amendment to draw them to
people's attention. The sheer scope of Universal Credit means that the number
of people potentially falling within the scope of the Regulations has just
massively increased).
The Assessment also notes:
4.17 For
the purposes set out in the 2012 regulations, we expect the total volume of
data being shared to be significant.
And the figures given across a variety of areas imply that
even before incorporating Universal Credit claimants the provisions for data
sharing without prior permission were likely to affect at least one, and possibly
several, million people per year.
* For clarity, 'social landlord' excludes private and
for-profit landlords, but includes practically everyone else in the housing
market, whether housing associations, not-for-profit organisations, charities
or whoever.
In Practise
For the moment the fiasco that is Universal Credit means
there should only be limited impact for disabled people, as we have all
allegedly been declared too complex for the system to cope with, but IDS
appears to be making every effort to make it impossible for the next
government, whoever they are, to back away from fully implementing Universal
Credit, and the longer term aims are that Universal Credit will eventually
spread its tentacles to enmesh: child tax credit; housing benefit;
income-related ESA; income-based JSA; income support; parts of the social fund;
and working tax credit - in other words practically every working-age adult in
the country, including those in work, is going to end up with a Universal
Credit claim of one type or another (DLA and PIP are currently excluded - but
how long will that remain so?). A lot of these claims will require you to tell
DWP about medical conditions and disabilities, in particular ESA (and JSA if
you're disabled but able to work) will deliver practically a complete medical
history into DWP's sweaty hands.
Now even organisations with a long term responsibility for
medical privacy often make a complete arse of it, Big Brother Watch
uncovered
2500 patient data breaches within the
NHS on an annual basis, including data being stolen, posted on social media (50
cases a year!) and so on down to plain old-fashioned gross incompetence. And
that is from an organisation focussed on medical confidentiality, with training
and procedures in place and with a full understanding of its legal liabilities.
DWP meanwhile is planning to hand medical data over to organisations which have
never previously had the responsibility for holding medical data and all the extra
legal responsibilities that brings under the Data Protection Act. Some of these
organisations should hopefully have data protection policies and data
controllers in place, but even for those DWP are talking about handing them
data which raises their legal obligations to a much higher level. For
organisations that have never held medically sensitive information, such as
small employment-focussed charities, credit unions or social landlords, are
they even going to be aware of their legal liabilities? Are their staff
trained? Are their staff likely to have appropriate attitudes? Do they even
need this information?
While there may well be cases in which people are happy for
data to be shared, the reality is that a lot of DWP's existing knowledge of
medical conditions and disability was given to them under the presumption that
the data would remain within the organisation (as the Data Protection Act can
reasonably be assumed to require) and in many cases was given with extreme
reluctance in the face of an overtly abusive system (been there, done that).
And the instant you have a change of circumstances that results in you falling
into the clenches of Universal Credit, DWP has just written itself a get
out-of-jail-free card that allows it to legally share that information with
anyone it wants.
Longer Term - Where Will This End?
While people have been focussing on the immediate impact of
this change, I think we also need to look at what it might mean in terms of
what we know about DWP's longer-term data-sharing objectives. We have already
seen individual DWP sponsored projects making a bid for direct access to our
medical records, potentially for use in enforcing treatment as a condition of
benefit receipt, we know DWP applied for access to the Hospital Episode
Statistics database (summarising the details of every hospital stay) because it
was one of the requests HSCIC turned down as too unreasonable to consider, at
the same time they were freely handing the data over to insurance companies for
use in price-setting. Meanwhile the Health Select Committee
speculated
that DWP will seek access to Care.Data, the controversial national database
hoovering-up every patient's medical records from their GPs for research
purposes (including commercial research purposes).
33. DWP
is actively supporting the development of the National Fraud Authority‟s (NFA)
intelligence sharing roadmap. IRIS will form one of the public sector hubs
which will facilitate new data shares with other public and private
sector counter-fraud bodies. DWP are continuing to work closely with
the NFA in designing the intelligence sharing architecture and the legal
framework.
And
39. DWP
will ensure that the Universal Credit ICT system will support the production of
aggregate data for use and re-use by industry and academia through open
publication
And, getting back to health,
43. The
publication of anonymised fit note data could provide healthcare professionals,
individuals, employers and service providers (eg the occupational
health sector) with an indication of the volume and content of fit notes at
aggregate level. This in turn should help improve management of sickness
absence and drive innovation in the occupational health and rehabilitation
sectors
48.
Linking welfare data sets. The Government will consider opportunities for
linking welfare datasets to other government and commercial datasets
to increase their value to industry.
49.
Industry consultations have indicated that many data sets held by DWP have a
high market value. However, this value would be enhanced in combination
with commercial and other public data sets.
Equally, discussions at the Government-sponsored
datasharing.org have had a significant focus on integration of DWP and HMRC
datasets for use in a counter-fraud role. Combating fraud may be necessary, but
many benefit claimants, myself included, know from first hand experience that
DWP's response to alleged fraud tends to be intimidate first, ask questions
later, no matter how ludicrous the accusation, no matter how damaging the consequences.
When DWP attitudes towards data-sharing are primarily driven by their punitive
use or commercial value, that makes extension of data under their control
increasingly problematic.
The regulations under discussion here, together with the
attitude to 'Big Data' shown above, betray the attitude to privacy that DWP is
likely to bring to bear on HES or Care.Data if it ever gains access to them,
and the threat that exists to what medical data it already holds. If DWP does
gain access to HES/Care.Data, and we know that it wants access to this kind of
data, then the (less than convincing) anonymity of HES and Care.Data is
instantly compromised as the information is useless to DWP unless they decrypt
individual identities and jigsaw the information with their own databases. This
will create a situation in which every citizen's medical records transition
into the hands of an organisation that, rather than seeing privacy as an
obligation, sees itself in a punitive/data broker role and doesn't just want to
share data, but is re-writing the law to ensure it can, no matter what the Data
Protection Act might say. If DWP get their hands on our medical data on a
national scale, then Medical Privacy in any real sense may cease to exist.