Written evidence submitted by medConfidential (OSB0010)
When an ‘online harm’ was helping people to exercise their rights under a government policy: medConfidential evidence to the Joint Committee on the draft Online Harms Bill
- medConfidential is a not-for-profit doing policy and public information work. During high profile scrutiny of a Government data project in the summer 2021, medConfidential’s domain was blacklisted under existing ‘online harms’ processes as a “scam” and harmful to visitors – e-mails or documents containing a link to our domain were blocked, including briefings we were sending to MPs and Peers via the official Parliament e-mail system.
- We hope our experience, whether seen as a cautionary tale or Whitehall playbook, proves useful in the Committee’s deliberations.
- During the summer of 2021, Committee members may have seen discussions in the media about the use of GP data – GPDPR, or “the GP data grab” – which is currently paused by the Government. medConfidential was one of a number of organisations attempting to improve the Government’s proposals, and was involved in raising public awareness of the rights that each person had. (And, for now, still has.)
- The official Government information pointed to three  different links on three different pages of the Health and Social Care Information Centre’s (NHS Digital) website, none of which linked to each other – and all of which were at best unclear, if not outright misleading. There was no simple process.
- Government made electronic copies of the necessary forms available for people to print, but if you didn’t have access to a printer – not forgetting that, at the time, libraries and similar facilities were all still closed – you were expected to call  NHS Digital and ask for them. Talking about the official process, Lord Bethell later told the House of Commons Health Select Committee that, “We have made it clear that we do not think it works as well as it should”.
- Since we are in the 21st Century, not to mention in the middle of a pandemic, people used the internet to find fair and accurate information, and to find the means or mechanisms to take the actions the Government had arranged  for people to be able to take if they wished to express their dissent.
- medConfidential hosted a single webpage providing the required information and forms which was linked to by almost every (non-government) organisation involved. We know many GP surgeries, for example, provided their patients with the link to our process page as it was written to be clear, simple, and accurate.
- medConfidential’s process was simple. If you had a printer, our site linked to PDFs of the forms to print out yourself. If you didn’t have a printer, all you had to do was e-mail or text us your address, and we would post you the forms you need for free, no questions asked. During the course of May, June and July we sent thousands of forms out, for free, no questions asked.
- We recognise that websites which require payment for forms that would otherwise be free should be restricted, but the work of not-for-profit organisations that offer public interest services for free are a different matter entirely.
- As in many policy debates where the Government feels it is “losing”, and largely because people were reading small print in official documents they didn’t properly understand rather than the press release, briefings from HMG officials were over-egged and sometimes over-excited.
- One such briefing resulted in a claim that – as an NGO which was willing to post forms to those who needed them, and because we ran that process on the basis of freely given donations  – medConfidential was “charging” for forms that the government made available for free.
- Of course, well-meaning citizens being wrong on the internet (which in this case included an aspiring YouTuber and employment law barrister repeating a Government briefing) is neither an offence, nor an online harm. The scope for people to be wrong on the internet is unlimited; this does not mean that such actions are harmful, but there can be very evident harm from overreactions, or the pursuit of secondary agendas, via ‘overblocking’ and the arbitrary broadening of well-intentioned measures that were originally intended to be applied quite narrowly.
- Mere hours after that briefing our domain name, medconfidential.org, was blacklisted across Google, Twitter, Facebook and Apple internet services as a “scam” and harmful to visitors. Effectively, any e-mail or document which contained a link to our domain was blocked, including briefings we were sending to MPs and Peers via the official Parliament e-mail system. (Had those Parliamentarians wished to forward those briefings on to staff, they would not have been able to do so.)
- This automated blocking may indeed have been harmful to the Government’s own policy intent – for, as the Government later conceded in the House of Lords, medConfidential’s concerns were legitimate and required addressing. The ease with which medConfidential.org was blocked shows how aspects of even the best-intended online safety processes can be abused by those with different agendas.
- medConfidential is fortunate enough to have the contacts to get such abuses reverted within hours, but they should simply not happen in the first place – and the current draft Online Safety Bill lacks both the transparency and safeguards necessary to protect the public from a Government that may have variable regard for integrity in political debate, or good governance.
- On a particular point of detail, whenever the GP data programme restarts, if – as we suspect may happen – there is another public outcry, nothing will prevent a recurrence then either. We note the current CEO of NHSX was formerly at DCMS and is aware of online harms; this example may therefore help provide insight into how these problematic powers can be used against those commenting on Government choices.
- A Government policy in trouble will be ‘harmful’ to the prospects of those responsible for its successful delivery. We recognise the importance of legitimate online safety, but what happens when publicly opposing a flawed Government initiative that undermines or removes citizens’ rights is treated as an ‘online harm’ under this Bill?
medConfidential is an independent non-partisan organisation campaigning for confidentiality and consent in health and social care, which seeks to ensure that every flow of data across and around the NHS and wider care system is consensual, safe, and transparent.
Founded in January 2013, medConfidential works with patients and medics, service users and care professionals; draws advice from a network of experts in the fields of health informatics, computer security, law / ethics and privacy; and believes there need be no conflict between good research, good ethics and good medical care.
 We do not propose specific solutions, however, Clause 33 (OFCOM’s practices to reflect government policy) and the lack of Parliamentary oversight are obviously relevant, and how decisions by Government or the regulator can be made transparently and challenged when mistakes are made.
 This process and programme was directed and led by DHSC – in particular its ‘tech vision’ unit, NHSx – and publicly fronted by the Health and Social Care Information Centre (NHS Digital).
 https://www.gov.uk/government/news/uk-unveils-post-brexit-global-data-plans-to-boost-growth-increase -trade-and-improve-healthcare
 One for non-GP data for yourself, one for GP data for a single person (possibly dependent), and one for non-GP data for dependent children. Expressing the consent choices for a family of four would therefore require two online opt-outs (both adults for themselves) and up to five paper forms – one for the two children’s ‘National Data Opt-outs’, and four NHS Digital ‘Type 1’ opt-out forms for the GP practice.
 If the Committee is considering the role of “fact check” services, we suggest they request NHS Digital provides a copy of all communications about its “fact check” of the National Data Opt-out and claims about the GPDPR programme; the evidence will show it was full of errors and misleading statements. Our general point here is that mitigations of online harms can and will be weaponised by those with power(s).
 By design.
 An e-mail option was added after medConfidential intervened with one of its own.
 Which proved difficult when the call centre was collapsing under the load of requests. Forms, including those requested by e-mail, were not being sent out in a timely fashion and a significant backlog remained even after the programme was paused.
 Q64, https://committees.parliament.uk/oralevidence/2615/pdf/
 Not necessarily well...
 Detailed at https://medconfidential.org/how-to-opt-out/
 The PDF metadata of the official National Data Opt-out form for children on the NHS website shows it was in fact medConfidential who had made it more accessible – so that form fields could be filled in digitally, etc. We provided a copy to NHS Digital, who chose to use it as the official version.
 Instead, Google charges them more for higher profile adverts.
 Who wished to help others without access to a working printer exercise their rights
 [Hi to all the Committee staff members reading this! We know how important your efforts are to keeping Committee work going.]
 If at some point in the future, some other NGO happens to be reading this and is having a similar problem, please do get in touch and we will help where we can.
 Undertakings have now been given; it remains to be seen whether or how these concerns will be addressed: https://medconfidential.org/2021/medconfidential-bulletin-23rd-july-2021/