2022-06-28

ICO and NHS

I have a short email address. Those that know, know, so not posting here.

Suffice to say it is of the form x@x.xx so is only 6 characters. It is 100% valid. I have used it for a couple of decades now - this is not new. I am not alone. [side note, I tried to sort x@xx email, which is not easy, and did not get off the ground, but some people have done this, and it is valid]

I registered to get access to on-line COVID passes with the NHS or is it NHS Digital, or what? To be honest it is not 100% clear. Privacy policies and the like should make this clear, but even now I am not sure. My MP believes it is Welsh government. The fact I am not 100% sure is part of the problem.

[update: https://access.login.nhs.uk/privacy says it is joint data controllers of the devolved (Welsh) administration and NHS Digital]

They would not allow me to register, so I created a temporary address (longer) and registered. Simple. I even have the whole domain rfc2822.uk for this purpose.

I then tried to change the email address to my normal x@x.xx email address, and their system would not accept it.

NHS expecting me to change my personal data to fit them

So I emailed their data controller requiring them, under my right of rectification under (UK) GDPR to correct my email address. They refused. Note the original (temporary) email is no longer valid, and hence meets the definition of not "accurate" personal information. Indeed, I do not even have the domain any more.

I wrote to ICO, and have exchanged several emails to ICO, and escalated and asked for review of the case.

Basically the ICO said: There is nothing in data protection legislation that prevents an organisation from having a system that has a minimum requirement for an email address.

This seems odd, as how can an organisation accurately record personal information if they do not accept a valid email address, i.e. they have a "minimum requirement" for what is "valid"?

This has gone on for some time, and I am not alone, there are others I know with similarly short email addresses that have issues with NHS (and other organisations). There are others I know with related issues on incorrect data validation at "sign up".

Just to be 100% clear, the NHS fully accept my email address is a valid email address, and have emailed me, to that email address, to say so, as have ICO.

I also asked ICO more generic questions about whether an email address is personal information, and if I can expect (require) an organisation to correct it when it is wrong. They confirmed that is the case, so I again wrote to NHS quoting them - no reply. What a surprise.

I have written to my MP as well, and asked them to chase, and they have written to NHS (Welsh Government).

Latest from ICO is "For clarification, as the NHS has not recorded your email address then we are unable to suggest that they are recording inaccurate information. 'Inaccurate' would apply to information that was recorded incorrectly. There is no suggestion that they have done this."

Seriously, I'm shocked. This has, all along, been about the NHS refusing to correct my email address. So I have explained, again, to the ICO, that the NHS have recorded my wrong email address and are refusing to enact my request under my right to rectification to correct it under UK GDPR.

We will see how it goes, but this is a matter that relates not just to email, but other things.

  • Organisations will insist someone has to meet some format for a name - a forename and surname (not all have this), a name with more than one letter (not all have this), etc.
  • Organisations will insist a UK mobile phone number has to start 07, and organisations will even blacklist some operators' 07 mobile numbers as not valid mobile numbers!
  • Organisations routinely try to impose rules on email addresses.
  • I really expect organisations to have shit when it comes to recording gender, which is rather topical.

The law does not stop companies from having rules to take their service as long as not discriminating based on some protected criteria. They can refuse me because my email address is too short. IMHO this is wrong.

But once they have accepted a customer/client, perhaps with wrong, or temporary personal details, they do have to comply with GDPR and have to correct incorrect personal information. So it would be better if they accept the correct personal information in the first place. It seems to me that GDPR (or UK GDPR) has a flaw in not covering this properly for "sign up". People should not be able to use email address, mobile number, name, or gender, as a reason to refuse to accept a customer/client.

This is even more so when it is not some company, but an organisation like the NHS. I have an NHS presence, I have to, as a UK citizen, and they have data on me right now that is not "accurate". That needs fixing.

Update: 1st Jul: The ICO now seem to be suggesting that because the email address they recorded at the time was correct (accurate) that they do not have to correct it now that it has become inaccurate. This would suggest organisations do not have to update name, address, phone number, email address, well, any personal information they hold when it becomes inaccurate over time. That seems a stretch!

Update: Someone has suggested this is "the same on all GDS platforms", and that it is not fair for me to "bother" the NHS. I appreciate the NHS have a hard time, but if this is the case then all the NHS have to do is contact whoever maintains their platform for them, explain they have a legal requirement to correctly record personal data, so have 30 days to "fix" this, and the NHS will have done what they need. Instead the NHS have so far chosen to spend time arguing with me, and then updating their site to state that an email address has to be at least 7 characters (previously it accepted it but did not send the confirmation email so it did not work). At the end of the day, someone, somewhere, on some platform, just has to change a 7 to a 6 in some code (or better still, follow the RFC for validating email, which will be a simple regex or library). It is not a hard fix for whoever does it - if the layers of people above that, all the way to the NHS, simply tell them to do it.
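To illustrate the difference between a length rule and a structural check, here is an added example (not code from the NHS platform or from this blog's author). The function names are hypothetical, the sample addresses are constructed, and the structural check covers only the unquoted dot-atom form of an RFC 5322 address with the RFC 5321 length limits, not quoted strings or comments.

```python
import re

# RFC 5322 "atext" characters; a dot-atom local part is atext runs joined by single dots.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL_RE = re.compile(rf"{ATEXT}(?:\.{ATEXT})*")
# One DNS label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def min_length_check(address, minimum=7):
    """The kind of rule the post describes: judge the address by overall length."""
    return "@" in address and len(address) >= minimum


def structural_check(address):
    """Check the shape of the address instead of its length (dot-atom subset only)."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return False
    # RFC 5321 limits: 64 octets for the local part, 255 for the domain.
    if len(local) > 64 or len(domain) > 255:
        return False
    if not LOCAL_RE.fullmatch(local):
        return False
    return all(LABEL_RE.fullmatch(label) for label in domain.split("."))


# Constructed sample addresses, modelled on the forms mentioned in the post and comments.
SAMPLES = [
    "x@x.xx",                 # 6 characters, valid
    "x@xxxxxx.xxx",           # single-letter local part
    "abc.20.xxxxx@xxxx.net",  # more than one dot in the local part
    "me+tag@example.org",     # plus addressing
    "a@b@c.de",               # two @ signs: invalid, yet long enough for the length rule
    "x@x..xx",                # empty domain label: invalid
    ".x@x.xx",                # leading dot in local part: invalid
]


def compare(samples=SAMPLES):
    """Return (address, length_rule_result, structural_result) for each sample."""
    return [(a, min_length_check(a), structural_check(a)) for a in samples]


if __name__ == "__main__":
    for address, by_length, by_structure in compare():
        print(f"{address:24} length-rule={by_length!s:5} structural={by_structure}")
```

The length rule fails in both directions: it rejects the valid six-character address and accepts the malformed `a@b@c.de`.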

24 comments:

  1. Not surprised. NHS is a permanently frustrating organisation.

  2. It is not just NHS Wales as I live in England and have the same problem 😩

  3. A UK mobile number has to start with 07.

    What makes you think it doesn't?

    1. I have a friend with a genuine mobile number that starts 01223. Also I have a landline that starts 01223 and can be sent texts (properly via BT), but if I try to enter it in any boxes for being texted things they refuse (apart from HMRC) because it doesn't start 07.

  4. The rule is an 07 has to be a mobile, not that a mobile has to be an 07. Orange offered London numbers as mobile over 20 years ago.

    1. 070 numbers do not have to be mobile.

  5. There are a lot of sites that whine about the mailbox part of addresses too. Over the years, various sites (but not the NHS) have rejected my email addresses' mailbox part for being too short (three letters: solved by using a plus email address), not having a dot in them (WTF, solved by setting one up), having dollar signs or plus signs in them (solved by *not* using a plus email address)... but all of that is much less annoying than their requiring you change your *domain*. WTF, NHS.

  6. 07 doesn't have to be a mobile. 070 is for Personal Numbers (which can be forwarded to anywhere) and 076 is for Paging.

    1. I was over simplifying, most 07x blocks have to be mobile. My point was that mobiles don't have to be on 07 numbers - so insisting my mobile phone starts 07 is wrong.

  7. I think the crux here is that they have recorded the email address you provided correctly. Whether it continued to work after you provided it is not their problem, provided what you entered is what they recorded. The letter of the law doesn't require that they accept all valid email addresses (though doing so would be sensible in my view). Flogging a bit of a dead horse due to the latter point?

    1. Yes, they recorded what I entered. And now my email address has changed, and so what they are now recording is incorrect and the law says that they have to hold accurate data. If the data is now inaccurate, which is the case, I have the right to rectification, to require that it is updated. This is no different to if I move house and change my address and someone has a record of my address. Or I change my name. Or I change my phone number.

  8. My wife had a similar problem with NHS. The email she used is of the form x@xxxxxx.xxx. This was also classed as invalid so perhaps it is the bit before the @ that is upsetting them? She gave up and used a different address.
    Not much help, I know, but it shows that the web designer had never looked up the RFC to figure out how to check email formats.

    1. To be fair, said RFC *is* an absolute nightmare, and more or less nothing accepts all valid formats, e.g. I'm fairly sure this is a valid From: line (assuming it even comes out of the Blogger comment line properly, which I have no confidence in since I'm using angle brackets copiously):

      From: "Dr. Wombat Mumble." (really, "really", yes)

    2. Ugh, totally fubared by the blogger comment form. No idea how to escape things.

  9. The funniest one I saw was when somebody selected "What is your favourite colour?" as the secondary personal question, entered the answer "Red" and was then shown an error message complaining that the answer had to contain at least four letters.

  10. Some organisations don't accept email addresses with more than one dot. To minimise spam, I use disposable email addresses typically of the form abc.20.xxxxx@xxxx.net where abc identifies the organisation concerned.

    I can therefore block any address that has been sold on to spammers and remonstrate with the offending company, e.g. the blocked address that I used for BT has now been spammed almost 1800 times.

    I found that I didn't get any responses from Southeast Water but when I alerted them they promptly corrected their system to allow two dots.

  11. The NHS in England & Wales is the same organisation (different organisations and always have been in Scotland and NI) so I believe your MP is clueless.

    Your issue is purely with NHS England & Wales and not anything to do with any (very) limited devolution in healthcare to Wales.

    Not sure that progresses your issue at all but I don't believe the Welsh govt has anything to do with NHS records or "NHS Digital" - that's all ultimately controlled by the English/Westminster Department of Health & Social Care.

    Really your MP should know this, although I'm entirely unsurprised that he/she doesn't.

    1. No, just to be clear NHS England is legally separate from NHS Wales / GIG Cymru and reports to the Welsh Health Minister (currently Eluned Morgan). BTW, my spouse is a senior manager with NHS England...

    2. You really couldn’t be more wrong about this. Healthcare is entirely devolved in Wales, with NHS Wales being an entirely separate organisation with different practices, policies, and backend systems.

      This has largely been the case since 1969 when the organisation was split and NHS Wales moved under the Welsh Office. Since devolution, the differences have only become more profound.

  12. My email address is of the form xxxx.xxxxx@xxxxxx.xxx and I have had web sites refuse it because it has a dot in the name to the left of the @. What an absolute joke. Fortunately I was able to take my business elsewhere.

  13. I used to have a problem with x@xxxx.xxxxx.xx.xx - that was because they didn't recognise a single letter before the @. Fortunately, it was the part after the @ which was important, so I could legitimately give my email address as anything@xxxx.xxxxx.xx.xx for that company.

  14. I suggest you register rfc5322.uk, which might be handy in future.

  15. I recently had two "adult" websites refuse to accept my name@firstnamelastname.net email address which I have paid for since 2008 ish. Couldn't figure out why, but they were happy with an @gmail.com address.

    I also recently had a form which wouldn't accept my 01709 VoIP number as a mobile, but was quite happy to accept an 070 personal number.

    As for the NHS, I have only ever corresponded with them through Royal Mail. Not sure I'd trust them with email.

  16. Just for the record: I'm more interested in the principle being sorted than actually having a go at the NHS. The fact the ICO have been totally incompetent is a joke. I'm happy to let the NHS off on this one (i.e. use a different email), providing it is my option because the ICO agree that legally, and on the record, that they do have to rectify my email if I ask. There are other organisations that are a pain when it comes to email and phone numbers that I would far rather pursue, and a quote from the ICO on this would make that simple.

