Sometimes a punishment is necessary – even when it’s pointless. Laurence Eastham joins the despair over the ICO’s approach to enforcement in light of the Royal Free/DeepMind ‘failure to comply’
The road to hell is paved with good intentions. The people at the Royal Free NHS Trust and DeepMind presumably had parents or grandparents who told them that and I suspect it is a phrase that was familiar even in Canada. So how come the breach of data protection principles outlined by the Information Commissioner (here) was not worthy of a monetary penalty?
I don’t have an answer.
It cannot be because the imposition of a penalty is a pointless transfer of resources from one government body to another because the history of monetary penalties includes many instances of fines imposed on local government. Gloucester City Council is struggling to pay £100,000 because of a ‘serious oversight’ and, yes, local people will notice the effect on services. Charities have had to pay too.
It cannot be because the Stream project from DeepMind was so innovative that nobody could have foreseen the data protection problems. The need for a privacy impact assessment hasn’t suddenly been created – it has been good practice for years. The absence of any such assessment should have been enough to sweep away the ‘we just never thought’ excuses, which many find hard to credit anyway.
It cannot be because sticking to the letter of data protection law destroys innovation. The Information Commissioner is specific on that – not surprisingly as it is a bonkers idea.
It’s worth reminding ourselves of some of the Information Commissioner’s findings:
The Commissioner’s investigation has determined that under the terms of the agreement with the Royal Free, DeepMind processed approximately 1.6 million partial patient records for the purpose of clinical safety testing without those patients being informed of this processing. The Commissioner was not satisfied that the Royal Free had properly evidenced a condition for processing that would otherwise remove the need to obtain the informed consent of the patients involved and our concerns in this regard remain.
It is also the Commissioner’s view that the Royal Free has not, during her investigation, and to her satisfaction, evidenced a valid condition for processing personal data under Schedule 21 to the Act during the clinical safety testing phase of the application.
The Commissioner notes that the Royal Free has, since her investigation began, made changes to improve transparency by way of additional information displayed on its website, including information on live clinical use.
I had hoped that the new Information Commissioner would be tougher when it came to enforcement. The signs were good. But I see now a whole new level of despair among privacy professionals about the failure to impose a monetary penalty when 1.6 million patient records have been misused. What we get instead is an undertaking to do what the Royal Free was always supposed to have done and continues to be required to do under the law. It’s not enough.
Cards on the table and interest declared: I don’t want to die when technology and the application of Big Data could have saved me. I think DeepMind’s project and the news about the NHS whole genome screening are welcome – nay, exciting – and should not be obstructed by fears of abuse. But failure to punish breaches of data protection law in such a context merely serves to undermine public confidence in such initiatives.
There comes a point when, whatever the mitigation and however little is thereby achieved, the enforcement body has to mark its disapproval by imposing a penalty. It would be nice if the Information Commissioner could bring herself to admit she got this one wrong and we could all move on.