The UK Health Secretary, Matt Hancock, has granted access to NHS data to the GHCQ raising privacy concerns. The GHCQ has now the authority to force the NHS to disclose any information related to the security of any networks and information systems held by or on behalf of the NHS or a public health body. The action to grant the government agency access to NHS data raises questions on the privacy of the health data.
Reasons for granting the GCHQ access to NHS data
The Health Secretary granted GHCQ access to NHS data to enable the National Cyber Security Centre (NCSC) to check the security of NHS systems. The government claims the exercise is as an ongoing campaign to protect the systems during the coronavirus pandemic. According to the statement released, the mandate applies to any system belonging to or being operated by the NHS or a public health body. The system must be supporting the provision of NHS services or public health services intended to address coronavirus. The Computer Misuse Act of 1990 prevented the GHCQ from having those powers.
The NHS has been a target of various cybercriminal activities including attacks by ransomware operators. A cyber-attack by WannaCry disrupted the operations of Britain’s public health body in 2017 by encrypting NHS data.
The access to critical NHS data by non-clinical staff working remotely because of the current crisis also creates an opportunity for more attacks. Additionally, there are various changes being implemented on the system at the moment to allow smooth operations under the new working arrangement. Proper measures are likely ignored during the process, further exposing the system the possibility of more attacks.
Privacy concerns raised
Through its spokesperson, the NCSC allayed privacy concerns saying that it was not interested in patient’s data and has no plans to authorize the access of NHS data in the future. However, many remain doubtful about whether we can trust governments to keep such promises.
Irene Ng, CEO of Dataswift, voiced her skepticism on whether we can trust Governments, and the NHS, with our health data. She said that privacy debates often conflate trust with privacy. Under such circumstances, governments downplay privacy concerns by invoking trust, which cannot be guaranteed.
Various academics have also voiced privacy concerns over the use of NHSX contact tracing app used in the fight against coronavirus. Over 192 UK academics signed a joint statement saying that the benefits of digital solutions must be academically analyzed to decide on whether the dangers posed by such solutions outweigh their benefits.
There were reports that the government could deanonymize the IDs of the infected people as well as all their contacts. The government had assured people that such activities were impossible due to the nature of the technology.
The academics have also asked the government to publicly commit that there will be no database to allow the de-anonymization of the app data to dispel any privacy concerns. They also requested the NHSX to come up with a process of phasing out the app after the pandemic is over to avoid the misuse of citizens’ data. The European Union has indicated that such contact tracing apps must adhere to the GDPR principles to ensure privacy concerns are addressed. Although Britain is not a member of the EU, such rules still apply.
There are also privacy concerns on whether the new mandate would not result in mission creep, allowing the government more access over the NHS data than initially planned.
The Health Service Journal indicated the mandate gave the GCHQ additional levels of access to the NHS system. Such levels of privilege make it easy for the intelligence unit to access the NHS data. There are no guarantees that the agency would not abuse the elevated levels of access to accomplish its surveillance needs.
Across the globe, many governments are increasing their powers, raising fears on whether they will relinquish the control after the end of the pandemic.