Meet the brokers selling your private health data

“Data saves lives,” Jo Churchill, a health minister, told MPs earlier this month. “It’s as simple as that.”

Is she right? Churchill’s bold assertion came in response to a campaigner-induced delay to the rollout of the General Practice Data for Planning and Research scheme – GPDPR for short. The programme, part of a process of NHS digitalisation, would have seen pseudnoymised data on the public’s treatments, referrals and appointments across the last ten years extracted from doctors’ surgeries in England.

The programme, advocates argue, will legitimately use the data for healthcare planning and research purposes”. But, for campaigners and critics, it represents a vast NHS data grab, sparking fears of an irreversible privacy breach.

Health websites like Bupa, Healthline and WebMD sold the data of visitors to Google’s DoubleClick, which accounted for nearly 80 per cent of their ad sales. Nearly half of acquired data was sold to Amazon. But public healthcare is being targeted, too.

Successive Tory governments have aided the emerging patient data “market,” as they see it, by creating central databases and loosening protection rules.

Laying the groundwork

A few years ago, the Telegraph put it bluntly: “The medical records of every NHS hospital patient in the country have been sold for insurance purposes.” Using a metric called NHS Hospital Episode Statistics, the Institute and Faculty of Actuaries conducted an experiment in which they obtained thirteen years’ worth of patient data in order to explain how insurers and brokers also obtain patient data.

Basing the proposed US-UK “free trade” deal on Donald Trump’s US-Mexico-Canada Agreement, secret Anglo-American trade papers state: “On data flows, … no parties will restrict information.” The texts argue that this falls under the rubric of “open government data.” The US corporations “have benefited from academia and consumer groups having access to data.”

This is exactly what the Tories previously attempted with their failed care.data programme

Under the cover of promoting efficiency, personalisation, and savings of up to £66bn a year, the Tory-Liberal Democrat coalition (2010-15) introduced care.data: a health-sharing initiative that would open GP and hospital data to biomedical innovation. The Health and Social Care Information Centre (HSCIC), later NHS Digital collected identifiable patient data such as gender, birth date, and postcode. Experts Lizzie Presser and the team note that, thanks to HSCIC, “Bupa, BMI, Care UK, and management consultants, including McKinsey, Ernst & Young, and GE Finnamore, received patient data.”

Other experts comment: “Care.data can be understood as an attempt by the state to place itself as the new, central, data broker.” Noting the finding of Britain’s National Data Guardian, Fiona Caldicott, the British Medical Journal noted that: “Increasingly frequent data breaches confirmed growing fears among GPs and sapped public confidence.” Public pressure and GP concerns forced the government to scrap the agenda.

In 2016, it was reported that Google’s DeepMind got in on the action by designing a proof of concept called Patient Rescue that enables Analytics to provide data streams of vulnerable patients to NHS Hospital Trusts in England. According to the secret contract, DeepMind was allowed to share patient data with third parties, as long as it “minimise[d] disclosure” (whatever that means in practice) and limited access to a “‘need to know’ basis” (ditto).

In the burgeoning biotech era, patient data now means tapping into the very genes of life. Genetic information stored by private biotech firms like 23&Me “is valuable for pharmaceutical companies,” says a report by the Westminster think tank, Reform. As Alibaba, Amazon, and Google access the genetic analysis market, “they will want access to large scale datasets.” Companies should, therefore, be “prepared to pay a premium for access to such rich genotypic information.”

In 2018, GlaxoSmithKline invested $300 million in 23&Me for an exclusive license for user data. Some biotech companies like Heterogeneous and LunaDNA even offer services to individuals to monetise their genomic info.

Who are the brokers?

For some, data brokers, data processors, and credit agencies describe pretty much the same kind of corporations: entities that profit from personal data, often without the knowledge or informed consent of the individual. Such data are supposed to be anonymous.

In 2019, the licensing agency Clinical Practice Research Datalink changed their regulations from “anonymous” to “anonymised.” This was in line with the Department of Health and Social Care’s selling of NHS patient data to foreign and domestic drug companies for an estimated £10 billion per annum. Solutions firm Genutex says: “The problem is that the data has not been properly anonymised.”

Worth $5 billion worldwide, the Dublin-based Experian describes itself as a credit broker that works with, among others, Barclays, Lloyds, and Virgin. The Tory-Liberal Health and Social Care Act (2012) incentivised privatisation by making NHS Trusts balance their own books. NHS England encouraged 51 Trusts to engage with major credit firms. The original aim was to sniff out foreign “health tourists.” But between 2015 and 2019, the Lewisham and Greenwich Trust allegedly sold patient data to Experian.

In 2020, the Information Commissioner’s Office (ICO) threatened to fine Experian £20 million unless it tightened up its data-sharing practices. CEO Brian Cassin, who reportedly made £10 million in 2020, says: “[During the pandemic, o]ur data has helped local authorities, NHS Trusts, fire services, food banks, councils and other major charities to get help and support to the most vulnerable.”

Bounty is an online club that provides information to new parents. But, until it was fined by the ICO, it also sold 30 million records of its users to the Arkansas-based Acxiom (owned by the Interpublic Group and worth $2.3bn), the Georgia-based Equifax (worth $4bn), and the multi-national Indicia Konica Minolta (worth $1.2bn). But this is just the tip of the iceberg. The ICO identified 39 credit reference and marketing groups to which Bounty had sold data.

The London-based Xantura says that it uses data to find solutions for vulnerable families, poor people, at-risk elderly, and ethnic minorities. But new initiatives like data-driven predictive risk models and social impact bonds have turned poor people from having negative profit value to positive returns.

Like NHS Trusts, non-Tory councils have also suffered central government spending cuts and look to provide cost-effective services. Between 2015 and 2018, Hackney Council paid Xantura more than £360,000 to develop an Early Help Profiling System to detect at-risk families. In May last year, the Chartered Institute of Public Finance and Accountancy hired Xantura to develop Covid OneView: a predictive risk model for vulnerable people in the pandemic. The Daily Mail reported the news presumably as part of its ongoing attacks against local councils, but nevertheless found that Xantura’s data collection could include information on personal finances, debt, and tax returns.

What can you do?

From the collapse of care.data to the delay in the recent opt-out scheme, history has shown that selling private NHS data goes down well neither with medical professionals nor the public. It is a little difficult to challenge a government that a) has a huge majority and b) is committed to using that majority to destroy the NHS, but there are plenty of options.

In addition to writing to the companies involved to express concern, we can join pressure groups like Privacy International, which has recently exposed the Alexa/NHS contract. We can support class action lawsuits (the rulings of which apply to everyone, not just specific people), like Lloyd v Google, in which it was ruled that Google could no longer use loopholes to access iPhone user browsing habits.

At the local level, we can file Freedom of Information Requests with councils to ensure that they are not hiring data brokers that have been investigated by the ICO. At the national level, we can pressure the opposition Labour Party to include in the next manifesto tighter data protection and harsher fines for breaches. The recent LibDem victory in the Tory stronghold of Chesham and Amersham prove that campaigning on the right issues in the right constituencies can oust Johnson’s mob.

Fear and hopelessness make us apathetic. Don’t let these companies win!

Related: Tories suffer humiliating defeat in Chesham and Amersham by-election