If your organisation handles personal data, you need to fully understand your legal obligations. Failure to do so could land you with severe problems, as one NHS hospital recently discovered.
The UK’s Information Commission (ICO) recently ruled that the Royal Free NHS Foundation Trust did not do enough to protect the privacy of patients when it shared data with Google.
Details on about 1.6 million patients were provided to Google’s DeepMind division during the early stages of an app test last year, the BBC has reported.
The information was used to develop and refine an alert, diagnosis and detection system that can spot when patients are at risk of developing acute kidney injury (AKI).
The deal first became public in February 2016 and caused controversy over the amount of patient information being shared without public consultation.
In March this year, an academic report into the way patient data had been handled found “inadequacies” in the way information had been handed over. The authors said that it was “inexcusable” that patients had not been told about what had been happening to their data.
Information Commissioner Elizabeth Denham censured the Royal Free NHS Foundation Trust, saying attempts to make creative use of data had to be carefully managed.
“The price of innovation does not need to be the erosion of fundamental privacy rights,” she said.
The trust has not been fined as a result of the investigation but it has signed an undertaking to make changes to the way it handles data.
In a statement, the Royal Free said: “We accept the ICO’s findings and have already made good progress to address the areas where they have concerns.”
Google said it welcomed the “thoughtful resolution” of the case and added that it would reflect on its involvement with the hospitals.
How can our Business Law Solicitors help?
Understanding the requirements of the Data Protection Act 1998 is a key responsibility for any business. And if your organisation deals with public bodies such as local authorities and councils, you need to understand your obligations under the Freedom of Information Act 2000.
Last year the Government confirmed it will be adopting the European General Data Protection Regulation (GDPR) – and while complying with the existing data protection regime should give businesses a head start, the GDPR introduces new concepts.
It comes into force on May 25, 2018, introduces a risk-based approach to compliance and requires various documents to be maintained.
At Gotelee, our specialist team of business law solicitors can help ensure you don’t fall foul of the law and leave yourself exposed to a severe penalty. We can give advice on all aspects of data protection and freedom of information, as well as the incoming GDPR.