The road to hell is paved with good intentions. The people
at the Royal Free NHS Trust and DeepMind presumably had parents or grandparents who told them that and I suspect it is a phrase that was familiar even in
Canada. So how come the breach of data protection principles outlined by the
Information Commissioner (here)
was not worthy of a monetary penalty?
I don’t have an answer.
It cannot be because the imposition of a penalty is a
pointless transfer of resources from one government body to another because the
history of monetary penalties includes many instances of fines imposed on local
government. Gloucester City Council is struggling to pay £100,000 because of a ‘serious
oversight’ and, yes, local people will notice the effect on services. Charities
have had to pay too.
It cannot be because the Stream project from DeepMind was so
innovative that nobody could have foreseen the data protection problems. The
need for a privacy impact assessment hasn’t suddenly been created – it has been
good practice for years. The absence of any such assessment should have been
enough to sweep away the ‘we just never thought’ excuses, which many find hard
to credit anyway.
It cannot be because sticking to the letter of data
protection law destroys innovation. The Information Commissioner is specific on
that – not surprisingly as it is a bonkers idea.
It’s worth reminding ourselves of some of the Information
Commissioner’s findings:
The Commissioner’s investigation has determined that under
the terms of the agreement with the Royal Free, DeepMind processed
approximately 1.6 million partial patient records for the purpose of clinical
safety testing without those patients being informed of this processing. The
Commissioner was not satisfied that the Royal Free had properly evidenced a
condition for processing that would otherwise remove the need to obtain the
informed consent of the patients involved and our concerns in this regard remain.
It is also the Commissioner’s view that, the Royal Free has
not, during her investigation, and to her satisfaction, evidenced a valid
condition for processing personal data under Schedule 21 to the Act during the
clinical safety testing phase of the application.
The Commissioner notes that the Royal Free has, since her
investigation began, made changes to improve transparency by way of additional
information displayed on its website, including information on live clinical
use.
I had hoped that the new Information Commissioner would be
tougher when it came to enforcement. The signs were good. But I see now a whole
new level of despair among privacy professionals about the failure to impose a
monetary penalty when 1.6 million patient records have been misused. What we
get instead is an undertaking to do what the Royal Free was always supposed to
have done and continues to be required to do under the law. It’s not enough.
Cards on the table and interest declared: I don’t want to
die when technology and the application of Big Data could have saved me. I
think DeepMind’s project and the news about the NHS whole genome screening are
welcome – nay, exciting – and should not be obstructed by fears of abuse. But failure
to punish breaches of data protection law in such a context merely serves to
undermine public confidence in such initiatives.
There comes a point when, whatever the mitigation and
however little is thereby achieved, the enforcement body has to mark its
disapproval by way of enforcing a penalty. It would be nice if the Information
Commissioner could bring herself to admit she got this one wrong and we could
all move on.