Letter to Somerset Trust
The letter below has been sent to Somerset NHS trust in respect of Sensyne. Readers of Leveller.Live will know we broke the story of how the Trust promised patient data in return for shares in Sensyne. Today those shares are all but worthless. Sensyne is about to lose its listing on the London AIM market.
That is the context.
The letter is sent from MedConfidential. This is a pressure group founded in 2013 as a direct response to radical changes in the way two bodies, the NHS Commissioning Board (‘NHS England’) and the Health and Social Care Information Centre (HSCIC), planned to extract and pass on patients’ medical information from NHS health record systems in England.
Their letter highlights many of the same concerns we have repeatedly raised with Somerset NHS Trust since they entered into their arrangement with Sensyne. It also encapsulates many of the risks attached to the collapse of the Sensyne share price and the refinancing that it is now forced to undertake. The letter follows:
Dear NHS Trusts and others,
We understand that following an agreement reached with investors and announced on 19 April 2022 to provide access for Senysne to additional capital, a condition of the additional financing will be the delisting of Sensyne from AIM, subject to the required approval of shareholders, including NHS Trusts.
As shareholders in Sensyne Health plc, whose shares are now worth less than 1% of the value ascribed to them at the time your partnership with Sensyne was announced, you have the option of voting next month to have your stake wiped out, or to terminate your strategic research agreement(s) and/or data sharing agreement(s) with Sensyne.
medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals, campaigning for confidentiality, consent and appropriate safeguards to be applied to the use of health and social care records. We are writing to you as an interested party, as a matter of urgency in the public interest regarding
these events, having sought advice from specialist data protection lawyers which has caused us grave concern about these matters.
Right of Termination
While not all of the contracts NHS Trusts signed with Sensyne have been published, information in the public domain makes it clear that your agreements with Sensyne contain termination clauses which enable the agreements to be terminated in the event of a material breach of any term and/or under a change of control, which will be triggered by these events.
Furthermore, on termination, the NHS Trusts are likely to have a contractual right under the terms of any data processing agreement to require the destruction or return of data (as directed by the NHS Trusts) and deletion of all existing copies.
Given the events that have now taken place, and given that continuing the relationship will make your patients guinea-pigs for business models as yet unknown and undefined, the responsible course of action for now is to terminate your agreements and require the return and/or deletion of the existing data held by Sensyne.
You paid with your patients’ data in a deal which no longer has value, on the promise of returns to the NHS that have not materialised. As trustees of your patients’ data, the most trustworthy move is to withdraw their data and hand back the mess Sensyne’s former management has left you.
On the matter of the data itself, whether data is ‘anonymous’ data (which is not caught within the scope of data protection law, such as the UK GDPR) or, instead, personal data which is caught by the UK GDPR, is not a matter of contract but of fact and of law. This is clear from, or explicitly set out in the Data Protection Act 2018 and UK GDPR; the ICO’s latest guidance and is explained in detail on pages 83-88 of the Goldacre Review.
It is clear from information available in the public domain, such as Data Protection Impact Assessments and descriptions of the datasets requested by Sensyne, that data which passed to Sensyne allows linkage, i.e. it is pseudonymised data, and therefore identifiable personal data. Crucially, it is not anonymous data – notwithstanding what labels have been applied to it in the contractual documentation.
This is clear from the leading legal authorities on the matter, including the Court of Justice of the European Union (CJEU)’s decision in Breyer v Germany C-582/14  1 WLR 1569 and the Court of Appeal in R(Bridges) v Chief Constable of South Wales Police  1 WLR 2020.
Risks to the NHS from the Pseudonymised Data
Therefore, presuming that the NHS Trusts have continued to labour under this false assumption, there is a real risk of widespread and fundamental non-compliance with the UK GDPR and Data Protection Act 2018 across all NHS Trusts that have transferred, or intend to transfer, patient data to Sensyne.
Furthermore, the NHS Trusts risk being exposed to the future costs of claims and data subject rights requests from patients whose sensitive personal data has formed part of the dataset transferred to Sensyne, with inadequate safeguards and under a misapprehension that it is anonymised. There are also the risks of an investigation by the Information Commissioner’s Office (ICO) and exposure to enforcement action, including the risk of fines up to a maximum of £17.5 million or 4% of the total annual worldwide turnover of the NHS Trust in the preceding
financial year, whichever is higher.
Finally, you should note that for any personal data you transferred in your capacity as a data controller in the way Sensyne requested – the liability for your breaches of data protection law will rest with you and are not limited by anything contained in your agreements. Furthermore, Sensyne may have also limited, capped or even shifted all of its liability onto you in the existing contract that you accepted and signed. For this reason alone, termination and
renegotiation of terms on this basis would be prudent.
As set out in more detail above, the promises you were given by Sensyne’s former management now have no more value than the shares you hold, and continuing with the contracts you signed exposes you and the wider NHS to significant, uncompensated reputational and other risks.
We therefore ask you to exercise your rights to terminate your contracts with Sensyne Health plc, and to ensure that Sensyne deletes the data it has already received from you on the basis that those agreements have ended.
Modern open ways of working with national and/or regional Trusted Research Environments will in any case be safer, more cost effective and likely to deliver results everyone can use than insecure, uncertain deals with profit-seeking entities.
Phil Booth, medConfidential
Sam Smith, medConfidential