back to article 'Coding' cockup blamed for NHS cough-up of confidential info against patients' wishes

Confidential information on 150,000 NHS patients has been distributed against their wishes for years due to a "coding error" by healthcare software supplier TPP. NHS Digital, the body that oversees the healthcare service's use of data, fessed up to the bungle – which saw data on the affected patients used in ways they had …

  1. Dan Wilkie

    What the hell kind of audit log doesn't log user id's?

    1. Anonymous Coward
      Anonymous Coward

      Weird, it should do.

      Users have to use an authentication keycard plugged into a keyboard just to log-on, so the system should know what keycard was used to log-on and when.

      1. Anonymous Coward
        Anonymous Coward

        Weird, it should do.

        Users have to use an authentication keycard plugged into a keyboard just to log-on, so the system should know what keycard was used to log-on and when

        Users access clinical NHS applications by being authenticated against the national SPINE, using an encrypted key on a Secure ID card plus PIN or password. However, these applications (i.e. medical imaging, electronic patient records) are totally separate systems linked by a common framework, so once granted access to an application and allowed the appropriate permissions, it's up the developers as to what is audit logged.

        If they or the application designers decide they can't be arsed to look up your identity for auditing purposes and just log the Trust or organisation you're accessing the application from, then unfortunately that's all that will get logged.

        1. Yet Another Anonymous coward Silver badge

          Or the keycard is left in the machine with pin written on a postit.

          I hope so. I don't want the ER doc with their hands in my chest to have to let go of the artery to go and logon to get my blood test result

          1. steviebuk Silver badge

            No but in A&E they all have generic logins and the login details are taped to the monitors. That is the situation at one trust I worked at.

          2. Anonymous Coward
            Anonymous Coward

            Of course in that situation whoever's assisting would use their login, they're not just shouting out to members of the public passing by, "quick log in and check this man's/woman's/bison's blood group!"

            That said, persuading people not to share logins is sometimes difficult, seems to vary by location.

        2. AndrueC Silver badge
          Meh

          Users access clinical NHS applications by being authenticated against the national SPINE, using an encrypted key on a Secure ID card plus PIN or password.

          Sadly not always (maybe not often) in primary care. In primary care there's not much standardisation - there's probably a lot of smaller surgeries and clinics that don't even operate a domain let alone single sign on.

    2. James 51 Silver badge

      It's not that it isn't logging ids, it is that there one id for an entire organisation. Or the department might have a login. The team might have a login, the app they use might have its own login. They aren't tied to individuals so you can't say who used it.

      1. steviebuk Silver badge

        Each Doctor has a card they have to put in the keyboard to login. So it should be able to audit them.

        1. Aladdin Sane Silver badge

          Assuming the login details on each card are unique and never reused.

          1. steviebuk Silver badge

            They aren't allowed to share the cards.

    3. AndrueC Silver badge
      Meh

      A bad one?

    4. Anonymous Coward
      Anonymous Coward

      What the hell kind of audit log doesn't log user id's?

      It's political correctness GDPR gone mad I tell you!

  2. Adrian Midgley 1

    The rule I proposed

    Years ago, that each access to your healthcare record must produce a line in a report to you which is given to you by default would have fixed this.

    Who looked, at what, why did the say they did, what is the right they assert to do so.

    And optopts were not requests!

    They were orders.

    1. Cav

      Re: The rule I proposed

      No it wouldn't. There would be errors in that too.

      Given to you by default? An annual report or after every hospital stay? Who will pay for the report to be generated and sent out? Hardcopy, of course, unless you expect granny to login and view the electronic version.

  3. Pascal Monett Silver badge
    Mushroom

    "unreserved apologies"

    How about "immediate resignation" ?

    1. Jemma Silver badge

      Re: "unreserved apologies"

      I'm thinking immediate headshot. My medical information is my medical information. It is *NOT* for monetisation by every pointy haired cretin this side of the Kuiper Belt.

      And when you well meaning dribbling idiots and idiotettes at the NHS have finished cleaning up the splatter - how about a list of EVERY SINGLE GPs Surgery affected and a nice even £50k in damages to every patient concerned.

      Some of us opted out for very good reasons (not the least of which that it violates legal protections for minority groups) and this should have been respected.

      1. John Brown (no body) Silver badge

        Re: "unreserved apologies"

        "a nice even £50k in damages to every patient concerned."

        Nice idea. Fine the underfunded and overstretched NHS.

        1. Jemma Silver badge

          Re: "unreserved apologies"

          I have precisely zero problem with that. Maybe after the first 15 times of being fined they might employ managers who don't have to change down into mental low-range to achieve words of more than two syllables, or coders who actually know that BNF (Bachus-Naur form) is a process coding and programming tool - not a rare special edition Simca 1108. And who can code in something OTHER than BLOODY VISUAL BLOODY BASIC!!

          Or maybe - and I know I'm wishing here - they'll employ consultants who don't hang around drag clubs (supposed to be the titular head of transgender treatment, pun intended) and tell terminally ill teens to effectively FOAD (Fuck off and die). Or they'll even have the lockdown passwords for AN ENTIRE HOSPITAL worth of computers off the support manager before he sods off to Dubai and doesn't leave forwarding details - preferably before they employ people to update/replace the anti-virus.

          Or here's a thought - maybe it'd be a good idea not to lose £1m because some manager had a bright transport idea, set everything up without telling a single colleague and then promptly dropped dead.

          The NHS has been a joke since it started but it's been getting less and less funny. It's now like a cross between Carry On Up The Pandemic and a documentary about the talents of British Leyland accountants scripted by Love Island rejects and performed entirely in Brythonic (probably in a "pissed out of his mind" drunk Scottish accent or variations thereof).

          No one has the faintest clue what's happening and where or why, the accounts probably read like a cross between Lehmans and something the Phoenix Four might cook up (assuming anything before 1983 is actually obtainable). The computer systems would be better placed starring on an episode of Dilbert or possibly Spongebob. The managers at least at my local hospital have all sodded off home by 3pm at the latest and the only reason the nurses and the rest of them aren't on strike 3 days a week is they can't use piecework as an excuse (look up the "two screws" Triumph "Innsbruck" strike as an example), and there aren't any trades unions "organisers" left capable of raising a colestomy bag, let alone a riot.

          The NHS is basically a company - a publicly funded one - but a company nonetheless. It's end product is (hopefully) healthier people going out than came in. All it seems to produce is platinum plated fuckwittery of epic proportions, incompetence and mindless cruelty. Why? Because everything other than management salary is on the cheap - hardware - cheapest possible option, software - mentally 13 year old script kiddies who wouldn't know good code if the mainframe running it dropped on their heads.

          It's going to get to the point soon where MI5/6 won't be warning about not picking up random thumb drives - they'll be warning about NHS dossiers being picked up on trains - if the hardcopy doesn't give you Haemorrhagic fever, the dvd will be riddled so badly with malware that if you play it backwards it'll beg to be put out of its misery.

          Try to understand. The NHS has been underfunded since it was a gleam in Bevins beady little socialist eye - and it wasn't a bad little gleam as gleams go - but it's now little more than a rotting corpse which is only struggling on because no one has noticed it died around the time Dave Mellor was going back to basics (doggy style). It is, in the words of the great John Cleese "A dead parrot, it 'as ceased to exist" and it's not "just sleeping". It's been forced to live with the dregs of everything for so long it's just withered completely. It's only managing to limp along because like my aunts geriatric old Labrador it's just in the habit of breathing, crapping and smacking into things headfirst (usually in this case, data breaches).

          The truly scary part is there's nothing to replace it and all that's being done is propaganda, half hearted "cash injections" and gormless platitudes delivered by the Z list cretin du jour. A real current favourite being Stacey "the pedo GPS" Dooley (MBE would you believe?!!) - a woman who really needs to investigate an air embolism, personally. "Hmm, here's a thought, let's do a documentary to tell every. Single. Kiddiefiddler. On. The. Frigging. Planet. Where to go next". Or even better "let's put Kurdish female fighters at risk, looking after some dappy Irish chick, for feminism bro". I'd rather have Drs Crippen & Shipman ably assisted by Allitt & that nice porter called Manson treat me than be within range of that blonde idiot - in a hospital no less.. Unless being "in range" involves a Moisin Nagant and a slipper clip of Tungsten hollow points.. "in like a penny - out like a pizza (TM)".

          1. Anonymous Coward
            Anonymous Coward

            Re: "unreserved apologies"

            TLDR + you come across as a right wing loon.

            You do realise it wasn’t the NHS at fault here don’t you?

        2. Anonymous Coward
          Anonymous Coward

          Re: "unreserved apologies"

          Why fine the NHS? It was TPP who fucked up. A private company. They should pay compensation to the people involved and to the NHS who are now having to spend a shit load of money to clean all of this up.

          1. Jemma Silver badge

            Re: "unreserved apologies"

            Firstly the NHS NOT TPP told me I could opt out of this crap. DESPITE the fact they are NOT allowed, by law, to share my data, the Police can't share my data and neither can DWP without voice or text verification from ME.

            NHS communicated that information to me and I told the NHS that under no circumstances was my information to be shared with anyone ANYWHERE unless I specifically state otherwise, personally, myself, me.

            It now turns out that because the NHS hired their usual bunch of feckless cretins that this information has not been properly conveyed, coded, recorded (whatever) and my information may or may not be out in the public domain which is exactly the OPPOSITE of what I asked the No Hope Service to do via TPP - whom the NHS hired.

            Under British law the NHS is supplying a service to me & everyone else (for a given value of service, so far something along the lines of dev_not_quite_null) and TPP are contracted to the NHS. So here's my understanding of how this goes.

            I get to rant my fucking head off at the No Hope Service and they get to beg forgiveness on their knees and pay me MAJOR compensation if my details have been, effectively, leaked to every pointy haired marketing gimp this side of the Kuiper Belt.. Not to mention this is, in my case, illegal under UK law.

            What happens next is the lawyers get to look at the contract between NHS and TPP - and *hopefully* for the NHS there is a clause somewhere that says - "In the event we screw the pooch worse than the average Trump voter, and the NHS have to pay compensation, we are responsible for the damages (if within the product we supplied) and are liable to pay back the amount of the compensation to the NHS, in full". Note I said "hopefully".

            If TPP manage to get out of that clause, or if there never was one, or, more likely, the NHS lawyers are the modern equivalent of the YTS girl off monkey dust - the NHS are liable to me because they are providing *me* with a service and all the bell(end)s and whistles that implies - including respecting my wishes for the disposal/sharing and propagation of my data and details thereof.

            I think as I said, the NHS was a great idea, but then so was the Austin landcrab, the Chrysler Airflow and democracy - they all failed to account for the fact humans in general are the stupidest intelligent lifeform known to intelligentkind.

            1. Anonymous Coward
              Anonymous Coward

              Re: "unreserved apologies"

              Read again, not in fact in the public domain. Possibly used for purposes you opted out of (and which almost certainly cause no actual harm to you, under other circumstances a clinical audit might even be possible under one of the lawful bases that doesn't allow opt out), but not in the public domain.

              1. Aitor 1 Silver badge

                Re: "unreserved apologies"

                Clinical audit etc == sold.

                1. Cav

                  Re: "unreserved apologies"

                  Wrong, clinical audit is carried out by CCGs, NICE and the NHS Counter Fraud Authority etc. Do you not want care commissioning bodies to confirm that GPs really are carrying out 200 minor operations per day, or that one of the patients in your area really did receive care in the Outer Hebrides? Shouldn't we check that a particular surgeon has a higher patient mortality rate or that particular treatments\medications actually work when we pay for them?

            2. Cav

              Re: "unreserved apologies"

              Well, there's the biggest load of tripe I'll read this week.

  4. This post has been deleted by its author

    1. Prst. V.Jeltz Silver badge
      Trollface

      Re: The Online Opt-Out Does Not Work Either

      maybe someones switched a couple of keys around on your keyboard

      1. This post has been deleted by its author

    2. Doctor Syntax Silver badge

      Re: The Online Opt-Out Does Not Work Either

      "I still do not see how they (UK authorities etc) can keep on failing at this simple stuff."

      I don't know about the authorities but in TPP's case I can see quite easily how they do that. A few weeks ago I reported here seeing a recruitment poster "Write code/solve problems/save lives No experience needed". It was recruiting for TPP.

      And TPP don't believe in providing first line of support for users; that's delegated to your GP's receptionist who is, of course, fully trained as first line IT support as well as being a receptionist.

      I read this report on the Beeb a few hours ago. Unlike el Reg they didn't say who was responsible at the top of the report but I'd guessed who it was before I got that far.

    3. Rob D.

      Re: The Online Opt-Out Does Not Work Either

      Since I'd opted out a couple of years back I thought I'd give it a try. Worked exactly as expected, retrieved my registered contact details (obfuscated on screen), sent a OTC to verify, then retrieved my current status (opted out) and gave the option to change. The UI itself is a bit weak but functionally it's fine when provided with the correct data that it can query on whatever back-end systems it uses.

      The process around it though is poor - there's a request at the top about "This is a new service - your feedback will help this service" but no way of providing feedback is offered. So I'd imagine the complaints process may be similarly broken. And the UI isn't exactly stellar (being able to enter -1 for day, month or year, there is no UI-based anti-scraping/anti-bot protection, for example), which also makes me a bit suspicious about the level of effort that has gone in to securing the back-end access when the front end is so basic.

    4. Mike 137

      Re: The Online Opt-Out Does Not Work Either

      It is unconstitutional and very possibly unlawful to provide only a single means of opting out, particularly an online means in the light of the govt's arrant incompetence at delivery.

      However, you can send the following form letter to your GP and it should prove binding:

      -----------------------------------------------------------------------

      [to practice administrator]

      I absolutely prohibit in perpetuity any sharing of my medical records with any person, legal entity or agency, except in the specific cases of [1] access to my records with my explicit consent or directly in my immediate vital interest if I am on the specific occasion unable to give consent, and exclusively for therapeutic purposes in support of treatment of a medical condition with which I present or [2] where required without the option by statute or order of the Court.

      For avoidance of doubt, this prohibition applies to any current or proposed scheme of medical records sharing envisaged or planned at the date of this letter and equally to any plan or scheme of medical records sharing to be conceived, invented or proposed at any time in the future.

      I request that your surgery take whatever necessary steps to ensure that this prohibition is properly registered with the relevant parties to ensure it is honoured, and that you inform me of the action you have taken and its result.

      -------------------------------------------------------------------------

    5. LucreLout Silver badge

      Re: The Online Opt-Out Does Not Work Either

      I still do not see how they (UK authorities etc) can keep on failing at this simple stuff.

      Because trite phrases such as "lessons will be learned" or "investing in public services" don't actually mean anything in the real world.

      You invest in things that pay you a fiscal return - you spend on things that you want/need that don't. Hence, the correct term was always "spending on public services" - there's no investing in them.

      Lessons, as they relate to public life, are only ever learned when heads have rolled, which, of course, they never do. Which is why nothing improves, and state ran/owned/influenced IT continues to be a joke, with a perfect track record of failure.

  5. Blockchain commentard Silver badge

    "TPP's SystmOne software". Well, if they can't even spell System properly, what hope have the patients got of a working system?

    1. no_handle_yet

      I use this crap to order repeat prescriptions and it always annoyed me that they couldn't spell it correctly. But I think I worked out why they did it and it turns out to be a monumental lack of imagination.

      systemone.com was registered back in 1995. So I assume that some naming council under the guidance of a steering committee at TPP, having spent 3 years on coming up with systemone as the name, then had to throw it back to an emergency focus group who only had six months to find an alternative. Then some genius realised that it kind of sounded the same if you dropped the "e" from system.

      It took me nearly an hour to press submit on this as I went over every single spelling dozens of times. There is nothing worse than taking the piss out of spelling mistakes, only to make even more of them yourself. Please go to town on me if you find any as I definitely deserve it.

      1. CrazyOldCatMan Silver badge

        Please go to town on me if you find any as I definitely deserve it.

        OK - that'll be a booking for two to see "Cats"[1] followed by a double room at the Savoy.

        I assume that you'll send me your credit card details..

        [1] Naturally

      2. Adrian Midgley 1

        Copied from Flickr, I assumed...

        Or Grindr

    2. hplasm Silver badge
      Coat

      "TPP's SystmOne software".

      It's pronounced - system moan.

      Working as designed

    3. J.G.Harston Silver badge

      It's 'cos it dates from the days is was SYSTMONE.EXE

  6. macjules Silver badge

    GDPR?

    More like "Generously Donating Patient Records to anyone who asks".

    1. monty75

      Re: GDPR?

      And probably a few who didn’t, too.

  7. Aladdin Sane Silver badge
    Mushroom

    For fuck's sake.

  8. Anonymous Coward
    Anonymous Coward

    Looks like it's working as intended to me.

  9. Dr Who

    Online Opt-Out

    To opt you out, the NHS first has to know what data it is holding on you. I will offer you even better odds than England losing on penalties that the NHS hasn't got the foggiest what data it holds on you, where it is, or what it is being used for.

  10. This post has been deleted by its author

  11. Gordon 10 Silver badge
    Flame

    Of course if the NHS Digital was interested in Privacy by Design...

    ...and it was an *Opt-In*, then this would not have happened. But because someone did a "think of the patients" argument it was an Opt-Out.

    If they were a bit more choosy about the Type 2 stuff I would be happy to not-Opt-Out. But since Google appear* to be in that category the NHS Digital can go forth and multiply (which by the Iron Law of Bureaucracy they will do anyway).

    *Actually we all know that Google are in a special category all of their own called "Here fill ya boots with all Our Data".

    1. Jemma Silver badge

      Re: Of course if the NHS Digital was interested in Privacy by Design...

      You lost them at the word "think"..

  12. Aodhhan Bronze badge

    No Apologies

    You don't owe the public an apology... you owe the public immediate suspension followed by sacking after an investigation.

    Since this has now become a trend (not that it wasn't before), those in leadership, policy writing and technical operations all need to be under fire and out of a job.

    What happened to the government? It used to be when you just sneezed out of place you'd get fired. Now you can't event get rid of someone who is outright negligent.

    Politicians... this is why you guys are being voted out in favor of someone with little experience (in being bribed, etc.). It doesn't matter which party you belong to, if you're part of the establishment, you probably should enjoy every last second while you can.

    1. CrazyOldCatMan Silver badge

      Re: No Apologies

      It used to be when you just sneezed out of place you'd get fired

      Nowadays it's more akin to "embarras the minister and you'll get fired"..

  13. Headley_Grange Silver badge

    In my experience with company ERP systems, the one bit of them (sometimes the only bit) that you can usually guarantee works is the fiscal bit of the finance module. The rest of the ERP - inventory management, order processing, customer/supplier data, CRM, etc. - is usually somewhere on the spectrum of "not used" thru "we manage most of it in Excel" to "sort of working but you need Ellen to tweak it at month end".

    The main reason for this is that no one is going to go to jail if Tesco gets 100 pallettes of baked beans instead of 10, but people can go to jail for getting the fiscal bit wrong, so they get it right, they spec it right, they test it right and they hand-crank the first few cycles in parallel, just to make sure, because no one likes using hairy soap.

    Maybe if data leaks were treated like H&S, where corporate and individual criminal responsibility is assigned and poor performance can result in losing your house and going to jail, then we'd see companies take it seriously.

    The downside might be that it could become expensive to process personal data - but I wouldn't necessarily see that as a problem.

    1. Doctor Syntax Silver badge

      Maybe if data leaks were treated like H&S, where corporate and individual criminal responsibility is assigned and poor performance can result in losing your house and going to jail, then we'd see companies take it seriously.

      From the Data Protection Act 2018:

      "198

      Liability of directors etc

      (1) Subsection (2) applies where—

      (a) an offence under this Act has been committed by a body corporate, and

      (b) it is proved to have been committed with the consent or connivance of

      or to be attributable to neglect on the part of—

      (i) a director, manager, secretary or similar officer of the body

      corporate, or

      (ii) a person who was purporting to act in such a capacity.

      (2) The director, manager, secretary, officer or person, as well as the body

      corporate, is guilty of the offence and liable to be proceeded against and

      punished accordingly."

      1. Headley_Grange Silver badge

        Thanks, Doc. I didn't realize that the act had individual responsibility - that's a good thing. I don't think that there's jail time, though.

      2. John Brown (no body) Silver badge

        "(i) a director, manager, secretary or similar officer of the body corporate, "

        And this is also the get out clause. It's always a rogue admin/dev/op whatever, but NEVER and "officer" of the company.

  14. steviebuk Silver badge

    Or could that be?

    "It added that TPP and NHS Digital would "ensure that testing and assurance of patient data extracts is enhanced" in future to prevent similar errors."

    To

    "Ensure that we actually test*"

    I suspect a new recruit has been hired and spotted it due to fresh eyes with nothing to lose. Others may have reported it before but been ignored by senior management. I've seen that before. Having reported an issue 3 months before at the NHS, then been given a bollocking 3 months later about said issue, until I pointed out the e-mails I sent 3 fucking months earlier at which point they backed down. Really I should of asked for an apology and then walked but I needed the money.

    *Obviously just jossing. I don't want to be sued.

  15. Whitter
    Unhappy

    "Coding error"

    Coding error yes.

    Also testing error.

    Potentially specification error.

    But let's blame the code monkey.

    1. Aladdin Sane Silver badge

      Re: "Coding error"

      3 years isn't a coding error, it's fucking negligence (and not by the poor code monkey).

    2. CrazyOldCatMan Silver badge

      Re: "Coding error"

      But let's blame the code monkey

      Well - of course. They get paid the least y'know. And we can't have anyone well-paid being held responsible can we?

      1. Aladdin Sane Silver badge

        Re: "Coding error"

        Shit rolls downhill.

  16. Doctor Syntax Silver badge

    "privacy of patient data is a key priority for TPP, and we continually make improvements to our system to ensure that patients have optimum control over information"

    Has anyone in this situation - other, maybe than Zuck - said that privacy isn't important?

  17. Adrian Midgley 1

    You notice the NHS England/NHS IT model of opting out is not the usual one of

    "If we don't have permission we won't acquire and hold the data"

    it is the model of

    "If you've requested we not have your permission, we'll acquire the data, and add a note that we are not allowed to use it".

    Then they failed to add the note, and used it.

    It is systemic. Or systmic, perhaps.

    1. John Brown (no body) Silver badge

      "If you've requested we not have your permission, we'll acquire the data, and add a note that we are not allowed to use it".

      To be fair, it's the data needed for patient care and clinical records. It's required to perform the service. The opt out is to allow them to use it for other things not specifically required to perform the service. Also, IIRC, it took a special exemption in the DPA and GDPR to allow it function as an opt out rather than the more usually required opt in.

      1. Anonymous Coward
        Anonymous Coward

        Indeed,

        "Nurse, can you confirm the patient's name and date of birth please?"

        "I'm sorry doctor, I can't do that because of data protection."

        "Ah, I see. Which kidney are we meant to be taking out?"

        "Sorry, data protection"

        "Uhum, can we at least bring the X-ray up?"

        "Sorry..."

        1. This post has been deleted by its author

        2. Adrian Midgley 1

          Nurse ...

          1) get it yourself, on your account, I'm nursing;

          2) I'll just ask Whitehall for the record.

          Notes about patients are mostly used where they are made.

          (And we don't go on the entry in the notes on which side we are operating on)

      2. Adrian Midgley 1

        To be fair, it doesn't need to leave the Practice

        or hospital.

        A federated model of providing answers when asked questions offers good function and better security.

        And fails more gracefully.

        I wrote one of these, and used others..

  18. iron Silver badge

    SystmOne software

    They can't even spell, why would you buy medical software from these people?

  19. heyrick Silver badge

    the opt-out information was not sent to NHS Digital

    There's your problem right there.

    Medical data must be opt IN. No exceptions. No bleeding heart stories about potential lives saved or medical breakthroughs etc. I bet not a one of you can tell who/what eventually accessed this private medical data and where it went/who else has copies/why. This sort of thing demonstrates exactly why opt OUT should not be permitted.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: the opt-out information was not sent to NHS Digital

      No bleeding heart stories about potential lives saved or medical breakthroughs etc.

      Not potential, and not a "bleeding heart story" unfortunately, but stuff like this https://www.bbc.co.uk/news/uk-england-44547788

      Or, you know, in general: https://www.bbc.co.uk/news/health-44550913

  20. not_my_real_name

    Just blame the coder

    I'm sure the culprit really wanted to deliver a shody solution, there was no time or financial pressure whatsoever to deal with. I'm sure that the code in question was tested thoroughly by an independent reviewer and they also where under no pressure. I'm sure that when speaking out about the quality of delivery all of their concerns where taken on board and adequate resources where assigned to resolve issues. I am absolutely certain blame cannot be assigned to anyone in a management position..It's as usual all the coders fault.

    1. Chris Thomas

      Re: Just blame the coder

      Yet another cock up prompted me to think about this issue again. As with the previous versions I conclude that I am not able to trust the system to ensure my privacy. I have opted out of the previous versions but of course each new incarnation requires a new opt-out. So I popped to the digital "How to manage your choice online" (https://your-data-matters.service.nhs.uk/landingpage) page and attempted to view my choices but was met with a "verification failed" error.

      Has anyone made this work? Is there any intention to allow choice? There is a paper based alternative but it appears to require all sorts of proof of identity information. It is hard not to be cynical!

  21. Hans Blick

    ...shared with research companies and clinical audits

    So who are these research companies and clinical audits providers? I'd like to see a list of companies that TPP have shared the information with. GDPR makes a distinction between the data Controller and Processor in the relationship of data, typically we'd expect the NHS to be the data Controller and TPP as the data Processor... but I bet that TPP has registered as a Controller to decided the means and purpose of the data. Time to get the Subject Access Requests into them to find out who they've shared your data with - probably every insurance and pharmaceutical company out there paying silk road rates for your data!

    1. Cav

      Re: ...shared with research companies and clinical audits

      Clinical audits are carried out by other areas of the NHS. The Fraud Division and PCTs - or whatever they are called now.

  22. Anonymous Coward
    Anonymous Coward

    screw them...

    ... screw them all... class action against NHS and let them claim it off TPP for doing such a shitty job ...unless of course the project managers signed off on the bullshit without checks and testing and its just about the money shot... in which case fuck them too!

  23. x 7

    Second hand software........

    Well.........if the rumours are true, TPP SystmOne is based on code copied from the long-dead EMIS-PCS clinical system.

    Mistakes happen when you borrow things..............

    1. Adrian Midgley 1

      Re: Second hand software........

      An odd rumour.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019