The press are wrong about a ‘legislation change’ to reveal trans peoples medical data…and obscuring a real potential danger

I will level with you, I put out a version of this that got one key detail really wrong which spiralled into several pieces of inaccurate and just plain wrong information. That’s on me, but this is the update and all the information here is actually right. You can read my explainopology here.

The Times and the Daily Mail’s shoddy reporting is raising concern in the community, but their reports are making trans people worry about the wrong thing.

Both ‘outlets’ have published reports claiming that the Minister for Health and Social Care Sajid Javid is seeking to change the law to allow the Cass Review (an independent review of trans youth’s healthcare outcomes and practices) access to the private medical data of every patient who was ever referred to the Gender Identity Development Service (GIDS). The clinic, commonly referred to as the Tavistock clinic in the trans community, is the only NHS service aimed at meeting the needs of transgender youths.

The number of patient records GIDS hold is estimated to be roughly 9000.

Sajid Javid, the health secretary, will today begin the process of changing of changing the law to allow researchers to study data on about 9,000 people to find out if they suffered health problems as a result of their treatment. At present this is prevented by medical confidentiality laws and rules that mean people are given a new NHS number when they legally change their gender.
The Times (source)
Sajid Javid will today start to change the law to allow researchers to study data on around 9,000 adolescents given counselling or drugs for the condition.

The Health Secretary wants to know whether the treatment improves trans children's lives or leads to further problems or regret.


Currently, the data is protected by medical confidentiality laws that mean people are given a new NHS number when they legally change their gender.
The Daily Mail (Source)

The way these reports present this story will leave readers with the impression that Javid is seeking to change patient confidentially rules and laws to allow the Cass Review access to thousands of trans people’s private medical data and that data is currently protected. This is correct. But they don’t really explain what this is or what it actually means.

The law that is being ‘changed’ is the Gender Recognition Act in a way that will allow the medical records to be accessed by the Cass Review.

No, this is not some kind of dark Gender Recognition Act reform designed to distribute our files wherever Savid Javid wants. What he is planning to do is use a clause in a subsection of the Gender Recognition Act (Subsection 22 (5)) that gives him the power to de-criminalise disclosing information that could reveal that the holder of a Gender Recognition Certificate holds one.

The anti-disclosure provision in the Gender Recognition Act exists to protect the holder of the certificate from being outed basically. If someone reveals that a holder of a Gender Recognition Certificate is holding one, they are actually committing a criminal offence. The idea of the Gender Recognition Certificate is to replace the sex marker on your birth certificate so people will read it as if you are cisgender. Your trans status is your private business for you to disclose…nothing else should.

This is an anti-outing measure with criminal consequences for those who break it.

So this should mean that this only effects those with a Gender Recognition certificate, right? If the Gender Recognition Act is the thing being used to to change this, surely this will only effect the medical reports of people who have actually used it.

Technically yes, but the problem is that the medical records Javid is trying to unlock and provide for the Cass review are all in one place: GIDS.

And they have no idea which medical report is referring to someone with a Gender Recognition Certificate. Because they have no idea which out of those roughly 9000 reports has one.

They don’t even know how many have Gender Recognition Certificate holders there are in the roughly 9000. It could be anything from one to 754.

Who will be affected?
Those affected by this change will primarily consist of those who were patients referred to the GIDS clinic between 2009 and 2020, and have since gone on to apply for or be issued with a GRC. Information is not held on which patients have gone on to apply for a GRC. As such we are not able to set out the exact number of people that will be directly affected by this change. However, we have been able to calculate from published statistics[1] that as of 2021, 754 people born from 1990 onwards have been issued with Gender Recognition Certificates. As such, this represents the maximum number of people who could have been through the GIDS service between 2009 and 2020 and have gone on to be issued with a GRC that we hold data on. This is subsequently our best estimate for the maximum number of people who could be directly affected by this change.
Taken from the Impact Assessment (Link)

This is what is stopping the Cass Review from analysing these medical records. Let me explain.

Imagine if the Cass Review had 9000 toffees. Delicious, lovely toffees. Now imagine that between 1 and 754 of those toffees were poisoned.

The Cass Review cannot risk eating any of those toffees because they could die.

Now replace toffees with the roughly 9000 medical records of every single patient GIDS has ever had. And replace the poison with the anti-disclosure provisions in the Gender Recognition Act.

They pick the wrong one, they are committing a criminal offence. So it could be argued that the medical reports of the holders of Gender Recognition Certificates are protecting the whole bundle of roughly 9000 medical reports.

But now imagine that Sajid Javid want’s the Cass Review to eat all those toffees. He needs them to (maybe he has some fetish I don’t know the name of). So what does he do?

He pulls some poison out of the toffee and creates a poison antidote. He gives it to the Cass Review and they are now protected so they can have any toffees they like.

Now there is nothing stopping the Cass Review from eating all them toffees. Sajid Javid has done this. Let me explain.

Javid intends to relax this provision so ‘authorised persons’ (in this case specific people related to the Cass Review) will not be breaking the law if they disclose the existence of a person’s Gender Recognition Certificate . He is able to do this due to powers granted to him in the Gender Recognition Act that allow him to change the rules and allow certain disclosures without risk of criminal prosecution (under Subsection 22-5).

This is him making that poison antidote. And the roughly 9000 medical records are not longer protected. The Cass Review can take them.

This could be described as a change of the Gender Recognition Act but it is very misleading to suggest that this is a change in the law as most would understand it. It was clearly framed this way to make this sound incredibly exciting and potentially terrifying to trans people who will share the articles whilst garnering plenty of engagement and discussion (whilst possibly delighting anti-trans activists).

But by doing what these outlets always do, by warping the facts to make the most sensational story they could, all they did was hide the real danger of what Javid is doing.

This would allow the ‘authorised persons’ access to the full medical records of EVERY GIDS patients, past or present, Gender Recognition Certificate or not.

This means that the most detailed information that a trans child can share will be handed over to some people who are allowed to disclose to each other (and themselves) the details of everyone who has ever been through GIDS.

This relaxing of the rules around disclosures is scheduled to begin on the 28th of July of this year and will be allowable for five years as according to Javid this is the maximum amount of time expected for the research to be completed.

Here is where the danger is.

These ‘authorised persons’ may well live up to professional standards and protect the data well. That would be their responsibility but the problem is the impact report states that there are risks.

In Javid’s directive it provides a list of these ‘authorised persons’ without specifically naming who these people are.

A screen cap of the list of 'authorised persons' taken from the statutory instrument that allows Javid to change the disclosure protections in the Gender Recognition Act

The text:

Article 2(2)
SCHEDULE
Authorised persons
A person employed by Cumbria, Northumberland, Tyne and Wear NHS Foundation Trust

A person employed by Devon Partnership NHS Trust

A person employed by the Health and Social Care Information Centre

A person authorised in writing by the Health and Social Care Information Centre to act on its behalf in order to facilitate or assist relevant research

A person employed by Leeds and York Partnership NHS Foundation Trust

A person employed by Leeds Teaching Hospitals NHS Trust

A person employed by Northamptonshire Healthcare NHS Foundation Trust

A person employed by Nottinghamshire Healthcare NHS Foundation Trust

A person employed by Sheffield Health and Social Care NHS Foundation Trust

A person employed by Tavistock and Portman NHS Foundation Trust

A person employed by University of York

A person authorised in writing by the University of York to act on its behalf in order to facilitate, assist or undertake relevant research

A person employed by University College London Hospitals NHS Foundation Trust
Taken from the statutory instrument that allows Javid to change the disclosure protections provision in the Gender Recognition Act (Link)

You will notice that these are not named people. Ironically, if you tried a Freedom of Information request to find out who these people are…you may be rejected because that would be an invasion of privacy.

There is not a gif that exists on the internet that can truly reflect the irony of that. (But seriously, try those Freedom of Information requests anyway).

These unnamed people will not only get access to all of the medical reports of those without a Gender Recognition Certificate…but all of those who do have one. This act will out those trans people who believe they are protected to people whose names they do not know. These people may be researchers, they may be the people in charge of anonymising all the medical reports.

But at some point, between 1 and 754 trans adults out there are going to have the knowledge of the existence of their Gender Recognition Certificate revealed to hopefully a total strange…hopefully somebody they don’t actually know.

What if one of those people knows the trans person whose file they are reading?

Now that person knows their secret. That person has something over them

And that is the soap opera nightmare scenario…

The nightmare nightmare scenario is someone leaving a USB key on a bus.

The Impact Assessment of Javid’s planned action states that there is a chance of some kind of data breach where the data could be seen that someone who isn’t the authorised persons.

There is a hypothetical risk that data breaches may mean that personal information is exposed to those outside the research programme through the course of its work. However, this risk is considered small and is limited through the significant safeguards in place – for instance the data will be stored on secure servers, pseudonymised wherever possible, encrypted and accessible only by authorised persons.
Taken from the Impact Assessment (Link)

When trans people apply for and gain a Gender Recognition Certificate they are lead to believe that their trans status and records of their previous legal gender/sex will be protected. They believe they are protected from being ‘outed’.

That will no longer be true because their status is going to be revealed to people and they have no say in the matter. Sajid Javid is the one with the power and I don’t think it is entirely absurd to think that this isn’t worth the risk to potentially hundreds of trans people.

Research into the best way to meet the needs of transgender youths should be welcomed by everyone. We really need it to be honest. There is a lot of research out there that shows helping young people transition, if they require it, leads to better healthcare outcomes. But should the Cass Review’s researchers and other anonymous ‘authorised persons’ have a right to violate the privacy of those who have gone through the horrific process of getting a Gender Recognition Certificate? Who thinks that the Gender Recognition Act shouldn’t protect trans people’s right to disclose their trans status entirely at their discretion? That the decision should be yours?

Sajid Javid believes so.

And here is the kicker.

Javid did not announce his plans on his personal website, his Facebook or his Instagram.

He announced them in a statement to Parliament, and on Twitter where he shared the Times article.

The Times, an outlet you can be sure will not ever factor how being outed against your will to people you do not know can make a trans person feel.

Screen cap of a Tweet by Sajid Javid

Tweet text:

Today I proposed a change in law so that 
@Hilary_Cass
 independent review into childhood gender dysphoria can access historical records. 

It’s vital the review is rooted in the highest quality evidence.

Underneath the tweet text is a link to the Times article with the headline "Gender change data to be scrutinised"
(Links – Original Archived)

So how can someone’s private medical report be shared like this in general? Not just those with protections in specific niche legislation. Doesn’t the NHS have to get consent from the person whose medical data they are sharing?

Yes. And there is a good chance you already have because it is an assumed opt in. If you do not actively opt out, your medical records can be used in research and planning.

Research and planning, like the Cass Review intends to do.

It is probable that the vast majority of those roughly 9000 people whose medical reports may be used in this research have already given their consent by not knowing they had to do anything to withdraw that consent.

There is a solution that has not been sought out by Sajid Javid or the Cass Review. They probably didn’t think of this because this option would be expensive but when it comes to protecting the privacy of trans youths and trans adults with or without Gender Recognition Certificates, no cost can be too high.

If the data is desperately required.

Why not ask us? Give those current or former patients a call and ask them!

Ask them for permission to use their medical records…or….OR….ask them how they feel? If they are okay? Just maybe…talk to them directly instead of going off the famously terrible filing of GIDS.

Maybe you could just talk to us and listen to us?

Wouldn’t that reduce the “hypothetical” dangers to practically nothing?

But when you are trans dealing with healthcare issues…you don’t get asked when it comes to boundaries. Why should that be any different when it comes to the private medical records of children in pain?

If you have been a patient of GIDS between 2009 and 2020 and also have applied for and received a Gender Recognition Certificate, please get in touch with us.