Today I went to register for a new GP practice. In order to register I was told that I needed a photo ID ✅, two utility bills with my name and address on ✅ and my NHS number ❎. I have never needed to know my NHS number before, but I was told it was the policy of this surgery that people provide them when they register so that they can verify the individual’s identity. I was surprised and a bit irritated, because my passport and utility bills should be sufficient, but it seemed non-negotiable. I was told if I rang my old GP surgery they would provide me with my NHS number 🤷♀️.
I dutifully rang my old GP surgery with my request. The receptionist who answered told me that I needed to put my request in writing as they cannot give out personal information over the phone. I pressed her on this and she explained it was for “data protection” as she could not verify my identity over the telephone (“you could be anyone”). I was told that if I sent an email, they would reply with my NHS number. The rest of the conversation went roughly like this:
Me: “But how can you verify my identity over email?”
🤔 In the pause before she replied, I could hear the realisation sink in
Her “…well… do you have your name in your email address?”
Me: “I do, but anyone can create an email with somebody’s name in”
Her: “exactly and it’s the same with the phone” 🤦♀️
Me: “exactly!”
Her: “yes but we’re not supposed to give personal information over the phone” 😔
And so, we got to the crux of the matter. “Supposed”. Policies and training that are not fit for purpose. People being told what not to do, without training them in risk and why they should not do certain things. A policy that does not account for practicalities, that has been determined without consultation with the personnel who have to enact it; someone being told what they cannot do without being advised what they can do.
In trying to receive healthcare today, the policies of two GP surgeries acted as a blocker to me doing so. According to the NHS website, I should not have needed to know my NHS number to register with a new surgery, and my old practice should have told me what my number is. The two receptionists I communicated with were not malicious, they did not want to get in my way or to be interrogated about their data privacy and security policies. They were just trying to do their jobs, as much as I was just trying to see a doctor. Too often data security and privacy approaches undermine people, when they should empower them.
In the end, I did email the surgery and ask for my NHS number, as well as offering free consultation and training. I have not heard back, most likely because the recipient is paralysed over whether they can share my number via email or any means. I doubt they will take up the offer of free help, but I hope they do. Meanwhile, I went to a walk-in centre and was treated by a brilliant doctor who also gave me my NHS number. I gave my name, address and date of birth when I made the appointment, but at no point did I have to do anything further to verify my identity.
We need to push harder to make security and privacy more fit-for-purpose and less ridiculous.