The Royal Free NHS Foundation Trust failed to comply with the UK's Data Protection Act when it provided 1.6 million patient details to Google's DeepMind, the Information Commissioner's Office said today. The trust provided the personal data as part of a trial to test an alert, diagnosis and detection system for acute kidney …
The missing part is the bit where it says that Google were asked to delete all the potentially illegal data that they obtained through the project, and to allow independent oversight to ensure that this actually occurs.
I mean, that must have happened, surely? Right?
It is also missing the part where Google was investigated and fined. After all, once the data was passed to Google they also became a Data Registrar and failed in their duty to lawfully hold sensitive personal data. Their lawyers should have pointed out to them that insufficient due diligence and process had been carried out by the hospital. And of course Google actually has its own pockets to pay fines rather than it just being the taxpayer paying.
Don't hold your breath.
One thing that was also not said anywhere is that it was illegal in itself to provide the data, or for Google to use it. The problem is not that they did it, but how they did it. It's illegal to drive over the speed limit, but the police don't make you go back home when they catch you.
Well, I'm glad all the other software suppliers to the NHS are under equivalent scrutiny, and this isn't actually the same kind of contract the Trust uses for each of them, he says sarcastically.
Who knew anon-mapped retina scans were such a black-market goldmine?
"Fining the hospital will probably not help in these times,"
No, but someone signed off on the deal and there's no mention of anyone personally being fined or sacked for breaking the law. As we are all reminded constantly, not knowing the law is no excuse for breaking it. At least for us plebs.
I'm guessing they won't be reverting Deep Mind to a state of pre-illegal-data.
So now Deep Mind has gotten valuable learning from ill-gotten gains. Surely those who have provided this learning should be rightly compensated? Say a share of ownership over Deep Mind profits which are to be distributed among all patients who had data used in the development? Or maybe simply a payoff from Google - how does £100,000 per patient sound?
Private healthcare data should be viewed as extremely valuable, so perhaps 100k is a bit low - but we gotta stay practical, right?
Well, we now have a tool to detect imminent kidney damage.
But we hate Google, so let's delete it, so they have to make it again, in exactly the same way, but with less data, because people are now afraid of it, so it may not work as well.
In other news: Doctor Hulk SMASH puny disease!
Heh. I'd settle simply for informed debate right now. Treatment doesn't require consent. But the doctors were NOT meant to be using it for treatment. Not treatment needs consent. But kidneys. Go figure. ICO went figure. But ICO no kill Google? ICO wrong! Kill Google! Hulk SMASH puny debate!
I'm digging up stuff that said Deepmind had access to a lot more data, but only in the sense every other medical researcher does, so, anonymised, in an armored silo, with a hard deletion date.
The hysteria is palpable.
They weren't using it for treatment, they were using it to guide their decision making process on what treatment to offer a patient. And the only reason any professional tends to use a tool is if it works well; according to most people who have spoken about and use Streams, it works very well.
OK Godwin's law time.....
A similar argument faced the allies on whether to use the data obtained by Nazi and Japanese human experiments, such as freezing people and trying to resuscitate them, setting off explosives near people to measure their effects at various ranges, or "cures" for fatal diseases.
The conclusion was that it was pointless to lose the results, as all those tortured, maimed and killed would have died in vain. But it still doesn't stop you hanging or gaoling all those responsible for the crimes.
So back to you.
"Well, we now have a tool to detect imminent kidney damage....But we hate Google, so let's delete it, "
Nope, but you could delete the source information (as you've clearly stated they now have the tool) and you can also prosecute everyone involved and fine the hell out of the companies involved.
"So back to you."
Er, okay, as requested, I invoke Godwin's-law-level of ridicule. On the one hand, lots of dead people, on the other hand... anonymised retina scans. Why did you do that?
"you could delete the source information (as you've clearly stated they now have the tool) and you can also prosecute everyone involved and fine the hell out of the companies involved."
Er, who said they weren't deleting the source information? And prosecute for what? Deepmind just got investigated to death, and weren't being evil. But people are angry that the facts aren't backing up their assumptions about Google cackling and rolling in cash made from their stolen data. People want blood!
and has never been used for anything other than delivering patient care or ensuring their safety.
But this is Google you're working with. Google. The company which became so embarrassed by its 'Don't be evil' slogan that it had to drop it, an admission that some of its actions had been markedly less than good.
Not!
Google really does need to stop [redacted] with our data. If they became honest they might get a bit of praise. Until then {and pigs will take to the air before that} I'd avoid Google and anything associated with Alphabet and any company they own or part own.
They are not alone on my naughty step. They sit alongside Microsoft, Oracle, Talk-Talk, Virgin Media, anything from the Murdoch empire and not forgetting BT.
Do you take pull requests? I'd like to offer the following additions:
Govia Thameslink Railway (Thameslink AND Southern Rail)
British Gas (lying bastards switched me back from alt provider against my specific instructions not to do so, billed me £400, then kept claiming to have tapes of the call where I agreed to be their customer -- to which I said jolly good, you can play them to the court then -- and then handed it over to a debt collection agency);
The Passport Office. What shit-for-brains thought FOR A SECOND that forcing applicants to submit selfies in place of passport booth snaps was a good idea, just so passports could be restricted to people with computers?;
Wiley Fox: a flat out scam. DO NOT BUY A PHONE FROM THESE THIEVING BASTARDS.
Co-Op Bank. I'm currently 13 working days from reporting my card lost; the new one arrived in four working days, neither of the two PINs they claim to have sent me has arrived. Oh and they "forgot" to point out contactless payments don't poll your bank for funds, just authenticate the card, guaranteeing themselves hundreds of pounds I can't afford in bank charges in the last days of the month;
Amazon, of course, for obvious reasons;
....hmmm. Is anyone maintaining some sort of repo of evil, useless corporate shitgibbons?
What's the problem with WileyFox, other than making you use TrueCaller which breaches the Data Protection Act by stealing all your contacts and publishing the names of owners of the phone numbers therein?
And all the other bundled spyware and the total lack of instructions, but knowing Google I fear that's probably the case with any Android device.
"We accept the ICO's findings and have already made good progress to address the areas where they have concerns. For example, we are now doing much more to keep our patients informed actually bothering to write to our patients to tell them that we slurped their data and about how their data is used. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety, but as much as we'd like to do that it's doubtful that they'll have any reason to believe us and will likely win if they choose to sue"
Is that a good enough fix?
I've no idea why it's allowed to happen in England. This has always been a clear breach of the DPA, I'm a little confused why the ICO hasn't used a "monetary penalty" instead of a slap on the wrist, which is effectively all that's happened.
Their local Caldicott Guardian would have signed this off presumably, who's chasing him/her for an answer?
Because ICO don't look to punish but look to inform, advise and teach and work with companies and individuals to do so. They only tend to punish if companies or public institutions repeat offences and even then it tends to be for outright loss of data or potential loss of data: NHS losing unencrypted memory sticks multiple times, Sony failing to have the recommended level of security for its systems despite being one of the most targeted companies on the planet.
In this case the hospital and Deepmind thought they were following the law but it turned out they weren't and instead they should have done things differently; no data was actually lost or was in any likely danger of being misused by either party. A few other trusts are using similar deals as well with private companies that will need to be redone and certainly how the NHS shares information from now on will have to change.
If NHS and private firms do sign similar deals in the future they are likely to be fine if anyone can be bothered to report them, let's be honest this probably wouldn't have gone to the ICO if it was anyone else other than Google doing the project. And the NHS would carry on with similar practices up and down the country.
This post has been deleted by its author
Re: Scotland, you beat me to it almost, dare I say google Spire, The Nuggets that are the SNP have allowed 'anonymised' Scot NHS records to be used by any research depts/uni etc excl. marketing (cough) companies on an opt out basis for patients, not that they advertised it, let's hope the ICO can give them a friendly visit too, I would say Scot Govt. but this lot are more like Dictators. What could possibly go wrong?