QR codes are brilliant. They're a simple way to allow users to easily and quickly go to the right URL - no matter how complex. No more worrying about typing in long addresses or figuring out if that's the letter O or the number 0. Scan and go!
The best thing about QR codes is that they're free. It doesn't cost any money to generate one. They're an open standard with no middle-men. Users can go direct to your site!
Except… Some people want to insert themselves into your conversation. Sometimes it is for malicious reasons, sometimes it is greed for user data, and sometimes it is just incompetence.
Let's take this example - a health centre wants people to register. Scan the QR and get started. Fab!
Photo shamelessly stolen from a LinkedIn contact.
But what happens when you scan the QR code? Rather than taking you directly to an authoritative and trusted NHS.UK domain name, it sends you through https://register-with-gp.ht1.uk/.
Who on earth are HT1.UK?
According to their website, they're an automation company who are "on a mission to make the NHS the most advanced healthcare system in the world."
Good for them. But what information are they collecting about users who traverse through their QR codes? If you take a look at their privacy policy you won't find anything specific. Never mind, let's email their friendly privacy team. What's their email address?

Of course, emailing that gets you back this error:

Emoji! How fun!!
So I emailed the new address to see what information they were collecting. Their response wasn't particularly informative.
because Healthtech-1 is a processor of information and the GP practice is the data controller any requests about how your data is handled should be made to the GP practice who can inform you of the information you requested.
…
I can confirm that there is no information stored about users who scan the QR codes and no cookies placed.
But, of course, users have no way of verifying what this company is storing about them. There's simply no reason to use an untrusted 3rd party like this to provide either a QR code or an intermediary website.
Why this is a problem
Trust is everything. People are constantly being scammed. One of the great things that GOV.UK did was to say "This here is our trusted brand. If you don't see GOV.UK in the URL bar - don't trust it!"
The NHS should be doing the same. Every hospital, surgery, and clinic should have an NHS.UK domain name. When a user sees a link to a healthcare service which doesn't go through NHS.UK, they should feel suspicious and not click on it.
There is no way as a regular user to know that HT1.UK is a trusted domain. What about HT1.biz? HT2.UK? NHS.info.ly? What happens if HT1 go bust or have their domain name hijacked?
The NHS must stop the proliferation of these 3rd party domain names. They need to reinforce users' understanding that NHS.UK is the only trusted domain name for official NHS services.
I'm sure HT1.UK aren't doing anything nefarious with the data of people who visit their QR codes. I'm sure they're not inserting tracking cookies or selling my data. But I shouldn't have to be sure. All users should be pointed directly to an NHS.UK domain without having to risk whether their details are going via a dodgy site.
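The rule the post is arguing for - "only trust a link if its host is under NHS.UK" - is easy to state but easy to get wrong in code, because lookalikes such as NHS.info.ly, fakenhs.uk or nhs.uk.evil.example all contain the string "nhs.uk" somewhere. The following is an added example, not code from the post or from any NHS or HT1 system: it takes the decoded text of a QR code (QR decoding itself is out of scope here; the payload is assumed to already be a string) and sorts it into trusted, lookalike or untrusted using proper label-boundary suffix matching. The trusted-suffix list and the sample payloads are constructed for the example; gp-registration.nhs.uk and register-with-gp.ht1.uk are the two hosts mentioned on this page.

```python
from typing import Optional
from urllib.parse import urlsplit

# Suffixes that official services are expected to live under.
# Constructed for this example; the post argues NHS.UK should be the only entry.
TRUSTED_SUFFIXES = ("nhs.uk",)

# Brand strings whose presence in an *untrusted* host is a lookalike warning sign.
BRAND_WORDS = ("nhs",)


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase host of an http(s) URL, or None if there isn't one.

    urlsplit().hostname already drops userinfo and port, so a payload such as
    https://nhs.uk@evil.example/ yields "evil.example", not "nhs.uk".
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):   # scheme is lowercased by urlsplit
        return None
    host = parts.hostname                       # lowercased, no userinfo/port
    if not host:
        return None
    return host.rstrip(".")                     # "www.nhs.uk." == "www.nhs.uk"


def is_under(host: str, suffix: str) -> bool:
    """True only if host IS suffix or sits below it at a label boundary."""
    return host == suffix or host.endswith("." + suffix)


def classify(url: str) -> str:
    """Classify one decoded QR payload as 'trusted', 'lookalike' or 'untrusted'."""
    host = hostname_of(url)
    if host is None:
        return "untrusted"
    if any(is_under(host, s) for s in TRUSTED_SUFFIXES):
        return "trusted"
    # Not under a trusted suffix but borrowing the brand name: flag it separately
    # so a reviewer can see which codes are actively imitating the real domain.
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"
    return "untrusted"


def triage(payloads):
    """Group a batch of decoded QR payloads by verdict."""
    report = {"trusted": [], "lookalike": [], "untrusted": []}
    for payload in payloads:
        report[classify(payload)].append(payload)
    return report


# Constructed sample payloads, as they might come out of a QR decoder.
SAMPLE_PAYLOADS = [
    "https://gp-registration.nhs.uk/G85136/",      # the official route named on this page
    "HTTPS://WWW.NHS.UK/",                         # case must not matter
    "https://register-with-gp.ht1.uk/",            # the third-party redirector from the post
    "https://NHS.info.ly/",                        # lookalike from the post
    "https://nhs.uk.evil.example/",                # trusted name used as a *prefix*
    "https://fakenhs.uk/",                         # suffix match without a label boundary
    "https://nhs.uk@evil.example/",                # userinfo trick
    "javascript:alert(1)",                         # not a web URL at all
]

if __name__ == "__main__":
    for verdict, urls in triage(SAMPLE_PAYLOADS).items():
        print(f"{verdict}:")
        for u in urls:
            print(f"  {u}")
```

The important detail is `is_under`: matching on `"." + suffix` rather than on the bare suffix is what keeps fakenhs.uk out, and taking the host from `urlsplit().hostname` rather than from a regular expression over the raw string is what defeats the `user@host` form. Anything that is not plainly under nhs.uk ends up in the lookalike or untrusted bucket, which is exactly the "feel suspicious and don't click" behaviour the post wants from users.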
Here endeth the rant.
8 thoughts on “The NHS shouldn't outsource its QR codes”
@Edent Good rant
Reply to original comment on dataare.cool
Mike
I'm aware you've worked in this area so you are much better informed about it than me. As someone whose only interaction with the NHS is as a patient I wonder, is Waterloo Health Centre actually part of the NHS? I.e. is it run by the NHS or is it just a place which provides NHS services? Their website https://www.waterloohealth.co.uk/ is not on an NHS domain. The website for my GP practice also uses a .co.uk domain. Both websites prominently use the NHS logo but, as I understand it, GP practices are not run by the NHS, they are independent businesses. My GP doesn't give me a bill because they are part of a practice which provides care for free to the patient under a contract with the NHS. So is the use of non-NHS domains for NHS related things at least in part being done by companies which are not part of the NHS but just provide NHS services?
That is my understanding of how GPs work too. Our GP is a partnership, for instance. But they still have a www.*.nhs.uk web address. (Dropping the www still resolves, but gives me a Cloudflare error, which is a whole other subject for a rant...)
It's not obvious why that QR code points to the URI that it does. You can register with this health centre via this service that's on the nhs.uk TLD: gp-registration.nhs.uk/G85136/gpreg...
Reply to original comment on bsky.app
@Edent It boils down to a lot of people in management positions don't understand that organisations should own their own domain name and use it (AND ONLY THAT) for almost all of their interactions with their customers or users.
The problem the NHS has had is historically stuff like registering with a GP surgery was handled at the practice level on paper forms, and the various national health services or regional health authorities didn't get directly involved. Commercial outfits stepped in.
Reply to original comment on mastodon.online
@Edent oh yeah, this is a huge issue with things like phishing, too — GP surgeries love texting you "secure documents" that need your date of birth to download, which is not a great thing to train people to do
Reply to original comment on gotosocial.i.eta.st
@Edent And if a business or service is serious about brand such as nhs.uk, they would simply assign a subdomain to the authorised contractor(s), eg. waterloo.register.nhs.uk
And later if the contract terminates (or goes south), the subdomain can be revoked/closed by the NHS. I always wonder why companies with perfectly good domains would need extra domains eg. microsoft.com and windowsupdate.com when it could be windows.update.microsoft.com. Don't forget all those Windows telemetry domains gathering data.
Reply to original comment on tilde.zone
@eta @Edent trying to imagine this strange world where GPs communicate via any means other than the post and smoke signals to your local pharmacy (one of them)
Reply to original comment on cathode.church
More comments on Mastodon.