NHS breaks GDPR rules – are you compliant?
I recently received a text message from the NHS, begging me to download and install a mobile app to book and cancel GP appointments and set up medication reminders, which totally breaks the GDPR rules.
Firstly, I haven’t seen my doctor for at least four years and don’t take regular medication. More importantly, having had no contact with my GP since well before GDPR rules came into force, they have no right or prior consent to be spamming me with text messages. I haven’t agreed to receive them.
Sending messages without consent is bad enough, although they could technically argue that, as a ‘customer’ registered with Thatcham Medical Practice, they have the right to spam me. However, what they don’t have the right to do is send text messages that don’t contain a simple way to opt out of receiving future spam. There’s no opt-out link, no information as to how to prevent future text messages, and the message is sent from NHS-NoReply so there are no contact details and consumers can’t even reply to the spam.
Perhaps as a government department the NHS believes itself to be above GDPR and that it doesn’t apply to them, but it does. They don’t have the right to send messages without opt-outs any more than any other organisation or business.
The 7 GDPR rules
As a reminder, there are seven main GDPR requirements and rights that you need to be aware of. The first three clearly apply to retailers and the others are generally aimed at larger businesses.
You may no longer add people to your mailing list and merely give them the choice to opt out. You also can’t pre-tick a sign-up form and rely on customers to untick it; equally, you can’t auto-subscribe customers unless they find a tiny box which they need to tick to opt out.
From Friday, customers need to make a very clear choice to opt into your marketing, and they have the right to withdraw this consent, so you need to offer clear unsubscribe options.
The biggest change for many online retailers is that you can’t simply add every customer to your mailing list – they have to actively choose to join it. Without an active opt-in, the customer should only receive emails related to their purchase.
It goes without saying that if you sell on marketplaces their terms and conditions generally prohibit you from adding customers to your own mailing lists. Just because they made a purchase from you on a marketplace doesn’t mean that you own the customer data. Not only will you be breaking the marketplace user agreement but from Friday this will be a clear breach of GDPR.
Use of data
Users have the right to know how their data was acquired and who it was shared with. If someone asks how they’ve ended up on your mailing list be prepared to tell them when they signed up or which company gave you their data. You also have to disclose which companies you have (or may have) shared it with.
Right to be forgotten
Customers have the right to have their data erased, which is slightly problematic for retailers and tax purposes, but not so for marketing lists. You’ll need to discuss with your accountant just what data you need to save in case you have a tax inspection. Do you really need to save every bit of data you acquire – customer name, email address, phone number, mailing address, banking information etc. – in your accounts program, or would the order number/invoice number, products purchased and sale price be sufficient?
Of course for marketing it’s nice to be able to see prior purchases from a customer for future marketing but customers can now decide they don’t wish you to be able to do this and request you erase their data.
Privacy Options set to high
Online services will have to set your privacy options to the max as a default in future and you will then have the choice to relax them if you so desire. For instance on social network sites just because you can share your phone number, email address and date of birth with the world doesn’t mean you would want to. There should be an option for you to choose who gets to see your data and that includes third party apps and services that may have access to your data even if it’s not publicly displayed.
Companies should offer an explanation of algorithmic outcomes from machine learning and artificial intelligence to enable customers to opt out should they wish to do so. An example of this would be examining a customer’s past purchases in order to provide relevant product suggestions in future marketing. In many cases a customer’s only option to opt out might simply be to close their account, as AI and machine learning are so deeply embedded into today’s online services. However, you’ll have noticed many online services offering an option to opt out of tailored advertising, which they promote on the grounds of relevancy – if you opt out you’ll still see adverts, but your personal data and preferences won’t have been used to choose them.
Easy data portability
I have to give Google a shout out here: whenever you choose to leave a Google service they make it very easy for you to download your data and take it with you. Not all companies are the same, however, but they’ll need to be in the future.
This is actually important for consumers and small businesses as well as large corporates. In the very near future for example, we’ll all be doing our tax and VAT online and will likely use various third party services to do so. Should you decide to switch the service you use for your online accounting, they have to offer you a very easy way to move your data to your chosen new partner.
Some companies have in the past sat on news of a data breach for considerable periods of time. Should a company discover that their data has been accessed then in the future they have just 72 hours to report it. They can no longer try to fix the problem or cover it up or delay making the breach public knowledge.
B&Q refuse to remove me from their email database unless I scan and send in proof of identity, i.e. passport or driving licence. Why the heck would I send that when I just want them to stop sending newsletters? It’s getting on my nerves.
Thank you for posting this. It reminds me I have to write and complain to NHS DATA.
The NHS are apparently also totally disregarding / breaking GDPR by accessing and using personal data if you have made it clear to your GP’s surgery you do not want it to be used except by them… as confirmed with the ICO’s office – see below.
FYI, there are apparently now THREE different codes you need to have on your GP medical files to stop this. The problem is the NHS don’t publicise it, and my very IT/Data Protection Act literate GP’s office manager was shocked when she realised they (NHS SPINE) had moved the goal posts again AND NOT TOLD ANYONE.
Prior to GDPR I attempted to “confirm” the NHS Spine wasn’t bleeding my personal data. I had been opted out (as my surgery manager later confirmed they had acted on my requests dating back to 2006) for NONE of my personal data being sent to “the spine” under ANY circumstances, AND in any case outside the surgery UNLESS it was as a direct consequence of seeking medical assistance. I even spoke at the time to my PCT to ensure they were aware of my explicit wish.
Early in 2018 I’d read an article about a form you could request from NHS DATA to confirm IF they had opted your data out of the spine. I called them directly (I record all calls…) and requested the correct form to confirm I was opted out. It arrived in the post, I duly completed it, enclosed copies of ID as required and just for good measure stated I ALSO wanted to make a SAR (Subject Access Request under the then DPA 98).
That was back in April 2018, and after four phone calls I called the Data Commissioner’s office in Cheadle and have been advised to put a complaint to the NHS in writing detailing the following:
The address given on the form to send the package of my personal data to was wrong! It delayed it being processed because it had been “round the houses” and had to be forwarded to NHS DATA! Data breach #1.
They have STILL not replied to my request for an SAR, except they claim that I need to send proof of ID, despite their helpdesk agreeing that they already had my ID, and still haven’t replied to my calls to ask why they need me to send them again.
Under “what authority” are NHS DATA NOW processing my personal data (post GDPR / DPA 2018)? (This specifically was of especial interest to the adviser when I spoke to the commissioner’s office.)
Also, and this is a corker: when I tried to confirm IF I had been opted out over the phone, they were able to locate both a current mobile number and an old email I haven’t had for nearly ten years, WITHIN the NHS DATA SYSTEM! Apparently they have a way of verifying callers by sending a text / email to the details they have on their system for you. They were able to verify me by sending a text to my (personal) mobile, and I was then told that there were no personal records for me on their system.
Which begs the question: what then do they think my personal mobile number and my email starting firstname.surname@… is, if not processing my personal data!! Also, as the surgery agreed to not (and claim they haven’t) send my data out of their surgery, how did NHS DATA get hold of my personal mobile and old email address!
@Tim – your basic details including contact information are automatically uploaded by your surgery to the Patient Demographic Service which sits on the Spine. Opt outs prevent clinical information being uploaded/ shared but not biographic.
re “your basic details including contact information are automatically uploaded by your surgery to the Patient Demographic Service which sits on the Spine. Opt outs prevent clinical information being uploaded/ shared but not biographic.”
I beg to differ. The doctor’s surgery claim they have not “automatically” uploaded my details to anywhere, and what’s more I have worked closely with the surgery’s office manager for decades. They are also of the same opinion on the use of their personal data in the spine as myself. They were so horrified when I asked her to investigate why the safeguards we both thought would stop my data being pulled onto the spine had failed that they also contacted their own Drs to ensure she had not had her data pulled by HSCIC!
Frankly this is a disgrace, the way that they ignore explicit wishes of the data subjects and move the posts without informing us or even the surgery practice managers of what is happening.
I explicitly excluded permission for ANY uploading of my data to leave the surgery and placed “centrally”.
Matthew thank you for your replies, and useful insight. Can you point me to where I can find details of the data sets, for instance used in the PDS?
Also “Biographic data”,
have not “automatically uploaded”
I have a close working relationship with the office manager at my surgery who confirmed my understanding that not only was it a “pull” of data from HSCIC, but that she also is against the spine and confirms she has never “uploaded” any of this data subject’s data.
GDPR is already a distant memory.
I have just booked a Premier Inn stay (yes, I’m a high flyer 😉 ) and the message on checkout still read, “To opt out of receiving marketing emails please untick this box”.
Nobody cares it seems.
Out of interest which GDPR rules is this breaking?
Under GDPR tick boxes should always be required to opt in, not out – this is called the “positive opt-in” – also noticed it on Premier Inn!
Hi Tim, please see my reply below, and as per Samphire especially the continued use of subjects opting out, and reviews when they change how they process subjects’ data.
@Tim – “Under “what authority” are NHS DATA NOW processing my personal data (post GDPR / DPA 2018) (this specifically was of expecial interest to the adviser when I spoke to the commisioners office)”
NHS bodies – like many public sector organisations – are performing a ‘public task’ and that is their lawful basis for processing: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/public-task/
@Matthew, thank you for your reply and the link. I was aware of this, being responsible for reviewing (and having referred to numerous sources on) GDPR in detail for a project to implement GDPR in a regulated environment.
I don’t see documented ANYWHERE what NHS DIGITAL state is actually their lawful basis for processing data. Anyone have a link to it?
All they claim is that “Directions from NHS England allow NHS Digital to capture local healthcare information for commissioning purposes.” I guess if NHS England say that’s OK then…
I do however remember section 251 of the NHS Act 2006, see https://www.hra.nhs.uk/about-us/committees-and-services/confidentiality-advisory-group/why-confidential-patient-information-used/ In there is a further link that explains the Common Law Duty of Confidentiality….
I also can’t locate any Fair Processing Notices (FPNs) either, except for NHS employees. Are the NHS exempt?
As mentioned, the ICO operator I spoke to was also extremely intrigued on what possible lawful basis they claim for processing (in particular mobile and email) for a data subject (me… who, in addition to explicit written instructions on the records for over a decade that NO personally identifiable data must be given up then or in the future outside the surgery*, ALSO has the full set of NHS opt-out codes). Even now the one they didn’t publicise is an actionable “OPT-OUT”, and so the lawful basis of “performing a public task” imho (supported by my discussion with the ICO) for processing can’t stand.
*2006 DECEMBER 20 SUMMARY CARE RECORDS REFUSED UPLOAD 93C3
*2013 September 27 Dissent from secondary use patient identifiable data Nu0
2018 July 11 Dissent from, disclosure of personal confidential data by HSCIC 9Nu4
Note these are OPT OUTS ! NOT OPT INS!
Note also that when the new requirement to have to AGAIN OPT OUT, for which the HSCIC have decided to provide yet another opt-out code, was done on the QT, HSCIC made the decision this time to NOT INFORM THE DATA SUBJECTS OF THIS OPT OUT!
They informed us (if you were paying attention) and the data controllers (in the Drs surgery) of the opt-outs 93C3 and Nu0, but decided as a matter of policy for the new 9Nu4 to NOT INFORM ANYONE OF IT!
THE ICO operator, in light of there STILL being a requirement to OPT OUT AND the purpose for which the data was given (note phone number and email..) and the purpose for which it was previously provided TO YOUR DOCTORS SURGERY ONLY, suggested that the implications of OPT OUT requirements still being used further suggested a valid question to ask is…
To also ask NHS Digital for details of ALL the changes in processing / use of the data over the years, can we have evidence that “they have carried out a review of the Lawful Basis for EACH AND EVERY change“
Then again despite asking several times and trying to have them keep my complaint open NHS Digital are still unable to answer why my SAR (made in April 2018) hadn’t been accepted /actioned and they were still demanding proof of ID sent to them in April 2018!
I will at some point write all this up in the form of a complaint and send it off. However, if anyone can shed any light on the two questions above (with sources), it’d be very much appreciated.
Remember the good old days, when you could browse the internet without every webpage you looked at having a popup about cookies or GDPR that you need to click on to make it sod off so you can look at the actual page?
Now it’s been redesigned for the snowflakes.