On 9 July 2019 the UK data protection authority updated its Data Sharing Code of Practice (first published in 2011). On the same day, the ICO also announced its intention to fine Marriott International just over £99m for infringements of the General Data Protection Regulation, highlighting the importance of due diligence in the context of data sharing.
The Information Commissioner’s Officer ruled, on 3 July 2017, that the Royal Free NHS Foundation Trust had failed to comply with the Data Protection Act 1998 when it provided 1.6 million patient details to Google DeepMind as part of a trial diagnosis and detection system for acute kidney injury, and required the Trust to sign an undertaking. The investigation brings together some of the most potent and controversial issues in data privacy today; sensitive health information and its use by the public sector to develop solutions combined with innovative technology driven by a sophisticated global digital company. This analysis provides insight on the investigation into Google DeepMind with focus on how the General Data Protection Regulation may impact the use of patient data going forward.
“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data”. This is today’s strong statement by Her Majesty The Queen reflecting the level of priority given by the UK government to privacy and data protection. Aside from the political controversies surrounding the recent general Election and the prospect of Brexit, the Queen has confirmed that during this Parliament the government intends to pass a new Data Protection Act replacing the existing one.
Last week, the UK’s Information Commissioner’s Office published a monetary penalty notice, which fined a private healthcare company, HCA International, £200,000 for its failure to keep sensitive data secure.
A Scottish council has been required to provide data indicating whether it pays traditionally “male” jobs more than traditionally “female” roles, after the Supreme Court rejected its argument that Data Protection legislation prevented disclosure. The case provides clarification on what is meant by the requirement that disclosure, and other forms of data processing, be “necessary” for the purposes of a legitimate interest.