NHS Data Sharing With Google Not Compliant Says ICO
A deal which led to the sharing of healthcare records of 1.6 million patients in the UK with Google’s AI company ‘DeepMind’ has been judged by the UK data protection watchdog, the Information Commissioner’s Office (ICO), to have not complied with the Data Protection Act.
What Deal?
Back in May 2016 a data sharing agreement between Google’s A.I. company DeepMind and the Royal Free NHS Trust meant that Google was granted access to the information, for 5 years up to 2017, of the patients of 3 London hospitals, namely Barnet, Chase Farm and the Royal Free Hospital.
The information was intended to be used by Google for the specific purpose of developing an app called ‘Streams’ to alert doctors when a person is at risk of developing acute kidney injury (AKI). NHS figures at the time showed the need for such an app because kidney injuries were believed to cause 40,000 deaths a year in the UK.
What Went Wrong?
A member of the public complained, an ICO investigation took place, and it was reportedly found that there were some shortcomings in how the data was handled, e.g. some patients were not adequately informed that their data would be used as part of the deal. This led to concerns being raised about transparency for patients about how records were being used.
Protection
The Royal Free Trust originally stated that the patient data that Google would be given access to would be encrypted, and that the Google DeepMind employees working on the project would not be able to identify any individuals from it.
There were also assurances that Google could not use the data in any other part of its business, that the data would be stored in the UK by a third party, and that all data would be deleted when the agreement expires at the end of September 2017.
Not Unusual
Despite concerns being raised in the media when the deal was first announced, the Royal Free NHS Trust pointed out that information sharing agreements of this kind weren’t unusual and that it was one of 1,500 agreements with third-party organisations that process NHS patient data.
Now What?
The ICO has now asked for the Trust to commit to changes which will ensure that it is acting within the law by signing an undertaking. The Trust has been asked to establish a proper legal basis under the Data Protection Act for the Google DeepMind project (and for future such projects), to complete a privacy impact assessment, to commission an audit of the trial and share the results with the ICO, and to show how it will comply with its duty of confidence to patients in any future trial involving personal data.
What Does This Mean For Your Business?
If your organisation works in a medical field or develops products or services with medical applications or inputs, an agreement of this nature with the NHS or a private health company could represent an R&D opportunity. As the national data guardian Fiona Caldicott pointed out in this case, creative use of data could have huge potential for patient care and clinical improvements.
This story is, however, a reminder that companies / project partners should always be very clear on the Data Protection law (and GDPR as it will be next year) before embarking on a project. It also illustrates how privacy impact assessments are an important data protection tool in digital innovation, and how, just because new technologies enable businesses to do more, it does not mean these tools should always be fully utilised. The price of innovation shouldn’t be the erosion of legally ensured fundamental privacy rights, and the costs for companies that don’t take account of this could be great.
AA Website Shop Data Breach
Reports have surfaced of a data breach in April this year in the website shop of motoring / breakdown company the AA which left a large (13 gigabyte) cache of data, including personal customer data, viewable online for several days.
What Happened?
Security researcher Scott Helme from ‘Motherboard’, and Troy Hunt of website ‘Have I Been Pwned’ reportedly discovered that a breach in the AA website, which the AA blamed on a server “misconfiguration”, actually meant that a huge file, allegedly containing addresses, names and parts of payment card numbers, was left exposed online.
Mr Hunt and Mr Helme reported finding 117,000 unique email addresses in the exposed file along with names, net addresses, credit card types, expiry dates and the final four digits of the card.
Motherboard and ‘Have I Been Pwned’ subscribers / victims whose information was included in the exposed database were contacted to verify if the details were genuine and accurate, which they were reportedly found to be.
The AA Said…
AA president Edmund King is reported to have said that they first learned about the problem on 22 April. Soon after discovery, the firm that runs the shop on the AA’s behalf was told about the problem and the vulnerability, and the issue was resolved on 25 April. The AA has also reportedly said that, even though the database file was exposed, no (customer) payment details were compromised.
The AA Have Done…
Reports indicate that the AA have stated that they take data security very seriously, opened an independent inquiry into the issue, informed the UK’s data watchdog, the ICO, and issued legal letters warning against a dissemination breach under the ‘Computer Misuse Act’.
Criticism
The reported criticism from those who discovered and made public the details of the breach appears to focus on accusations that the AA may not have informed all of the affected customers about the existence and the seriousness of the breach, and may in effect have kept quiet about it until others made it public.
What Does This Mean For Your Business?
This is another example, in what appears to be a long line of customer data breaches, involving high profile, well-known companies. This story is a reminder that, particularly with GDPR coming into force next year, companies need to be very familiar with data protection regulations, to ensure that they comply with them, and to realise that they are obliged by law to keep people’s personal information safe and secure.
Companies need to be as transparent as possible to customers about data breaches, and to inform them when data is exposed, rather than trying to keep quiet.
Businesses can help themselves and their customers avoid heartache by making sure that web and data security are issues that are prioritised, practices and systems are regularly reviewed and assessed for risk to make sure they are effective, compliant, and up to date, and that Disaster Recovery Plans are in place.
Government Boosts Digital/Tech Industry with £700m Fund
The government has provided a boost to the UK’s digital and technology industries in the form of £700m of funding as part of the launch of its Industrial Strategy Challenge Fund.
Announced Last Year
The Industrial Strategy Challenge Fund was announced last year by Prime Minister Theresa May at the CBI Annual Conference in November, and is intended to be a strategic part of the government’s Industrial Strategy.
The big idea is that the fund can enable businesses and researchers to work together to identify industrial and societal challenges that are crucial to the UK economy, and offer opportunities for UK businesses to exploit these through innovation and positioning in e.g. a large or fast-growing and sustainable global market.
Divided Into Core Areas
The funding, which will be managed by the Engineering and Physical Sciences Research Council (EPSRC) and the UK government’s innovation agency, Innovate UK, will be divided into six core areas.
These are the development of new battery technologies for electric cars, robotics and AI systems for use in “extreme” environments, innovative technologies in aid of patients seeking new drugs and treatments faster, driverless automobile AI tech, aerospace materials and a satellite test facility.
Robots & AI First
The first competition for funding will be the development of robotics and artificial intelligence systems that can be deployed in extreme environments. In this first round, £42 million is up for grabs for research hubs that can translate fundamental science in robotics and AI into real-world applications.
The Largest Sum
The largest sum of £246 million funding will be available, as part of the ‘Faraday Challenge’, for businesses that can help the country move towards a low-carbon economy, through researching, developing and manufacturing batteries for electric vehicles.
What Does This Mean For Your Business?
The UK has big ambitions to be a leading global digital and technology competitor, but also faces many challenges in enabling it to get there, such as a technology skills gap, difficulty in raising funding by traditional means, and the uncertainty of the possible effects of Brexit.
This Industrial Challenge fund could, therefore, be an important enabler for the tech industry and the economy as a whole by opening up new possibilities for the country, and by helping the UK to have an opportunity to lead the world in developing the kind of science that underpins new technologies and their applications. This could also provide many spin-off benefits and opportunities for many other UK businesses e.g. as suppliers to the new industries.
Amazon To Revolutionise Grocery Delivery?
Amazon is entering the grocery delivery business with its bid to buy Whole Foods Market Inc. for $13.7 billion but industry insiders say that it’s going to be a long and costly process for Amazon to revolutionize grocery delivery the way they revolutionized online retailing.
Not As Much Warehouse Space As Wal-Mart
Even though Amazon is well known for having a large amount of warehouse space, one key challenge that Amazon faces is the relative scale of its warehousing for the Whole Foods business. According to logistics consulting firm MWPVL International Inc., for example, Amazon has 3 million square feet of U.S. warehousing dedicated to its Amazon Fresh and Prime Pantry grocery programs. This is only one-tenth of the warehouse space that Wal-Mart has for specialized food distribution.
This has led some former Amazon Fresh employees and logistics experts to conclude that Amazon will need to significantly grow its network of specialized grocery distribution warehouses in order to compete with Wal-Mart.
Fresh Food Different To Parcels
Another challenge for Amazon is that even though it has warehouses strategically located throughout America, along with 100 million square feet of fulfillment and data centers equipped with the latest robotics, warehouse facilities for fresh food distribution are far different to (and more complicated than) ordinary warehouses.
A single facility may need more than six different temperature settings to store products from ice cream to fruits. Some facilities may require certification from the US Food and Drug Administration. There are also additional maintenance and cleanliness factors to be addressed, e.g. for pest control and to avoid food contamination.
Big Investment Needed
All of these factors have led industry commentators to conclude that Amazon will need to invest a very significant amount of money into its fresh grocery business in a short space of time if it wants to become a serious competitor to Wal-Mart.
For example, industry analysts predict that Amazon will have to add 12 or more warehouses if it wants to supply Whole Foods stores, as well as running its normal home delivery operation.
Space Issue
It is thought that Amazon is likely to use United Natural Foods Inc. to supply Whole Foods with hard-to-source products, but even if Amazon uses Whole Foods stores to provide food for delivery, many of their outlets lack space to handle thousands of online orders.
What Does This Mean For Your Business?
Amazon has grown and diversified at an incredible rate in recent years, blurring the traditional retail dividing lines between e-commerce and brick-and-mortar. Its move to revolutionize the US grocery delivery business and take on the entrenched might and experience of Wal-Mart through the acquisition of Whole Foods Market Inc could seriously disrupt the U.S. grocery sector, but this will clearly require a lot more investment from Amazon if it is to be successful.
Even though there are significant challenges ahead for Amazon in terms of the type and number of warehouses needed to handle fresh groceries, many commentators agree that Amazon’s size, financial might and track record of entering new markets mean that it could well succeed.
The worry is that, if Amazon is successful in revolutionizing the fresh grocery market in the US, it could use this experience to set up a similar operation in the UK. This would pose a serious threat to UK grocery retailers. It could also, however, provide new opportunities to fresh grocery producers in the UK.
Gmail Will Not Be Scanned For Ads Anymore
Google Cloud Computing Chief Diane Greene said in a blog post on Friday that Google will stop scanning Gmail content for creating personalized ads. This move, due to happen later this year, is in line with Google’s enterprise offering, G Suite.
G Suite Gmail Already Not Used
Diane Greene has said that G Suite’s Gmail is already not used as input for ads personalization. G Suite is Google’s set of (cloud based) intelligent apps (Gmail, Docs, Drive and Calendar) that is designed to help organizations to work collaboratively regardless of their physical location.
Significant
The announcement that Google will stop using the scanned content from Gmail outside of G Suite is significant because the Gmail service is estimated to have more than 1.2 billion users worldwide (compared to G Suite’s 3 million), and it should please privacy campaigners worldwide.
How Do Personalised Ads Work?
Personalised / targeted online adverts work by using a person’s browsing habits combined with other data collected from their online activities to display adverts that are more personalised or more likely to be relevant to that person’s likes and tastes, and may therefore be more successful. Advertisers claim that people look more positively on relevant adverts, and that their clients (the businesses buying the adverts) can make a better ROI using this method.
Privacy campaigners on the other hand object to too much monitoring and sharing and cross-referencing of a person’s data, and the fact that it can make the individual identifiable, and, therefore, could pose a security risk and / or give companies too much control.
It is common knowledge that Google has in fact been accessing its users’ ‘Gmail’ email since the service’s inception, to create the adverts which are shown to individual users of that email service.
Back in June last year, Google changed the way it tracks its users across the internet by combining users’ personally identifiable information from Gmail, YouTube and other accounts with their browsing records, despite previously pledging that these data sets would be kept separate to protect individuals’ privacy.
Users could opt-out of being tracked this way by visiting the activity controls section of their account page, and by then unticking the box marked “Include Chrome browsing history and activity from websites and apps that use Google services”.
Not The Only Ones
Google is certainly not the only company to track users and use their history, activity and content to deliver targeted ads. Facebook, for example, tracks likes and shares, and many websites that we all visit share our activities with networks of third parties who share, collaborate, link and de-link personal information to generate targeted ads.
What Does This Mean For Your Business?
Businesses clearly need to be able to advertise their products and services in order to sell them, and online advertising can be an immediate and cost effective option, particularly if it is intelligently targeted.
Too much online advertising, however, can be very frustrating for web users because it can hinder access to content and waste time. In addition, in times where cyber crime levels are high and GDPR is on the way, we all need to be able to (and are being given more powers to) protect our personal data.
This move by Google is therefore likely to be broadly welcomed, and is likely to provide Google with some good PR, although there will still be other ways that Google will collect information about us online to keep tailoring advertisements. For example, this could still include data from the videos we watch on YouTube, and what we search for online and through Google Chrome (if we’re signed into our Google accounts). Google will also still be able to scan the contents of our emails for anti-spam, anti-phishing and malware detection services.
It is possible to check how Google targets its adverts by going to the “Ads settings” option within Gmail.
Virgin Media Advises Customers To Change Default Passwords
Virgin Media has advised its 800,000 customers to change their passwords to reduce the risk of hacking after finding that many customers were still using risky default network and router passwords.
Recent Which? Report
One of the catalysts for Virgin Media advising customers to change their passwords was an investigation by Which? highlighting the fact that keeping the default password could make it easier for hackers to potentially access the provider’s Super Hub 2 router. This, in turn, could enable them to access a user’s smart appliances / IoT devices such as domestic CCTV cameras or even a child’s toy.
Hackers Could See Inside Your Home
The investigative study by Which? in conjunction with ethical security researchers SureCloud tested fifteen devices, eight of which were found to have security issues. In one case, a home CCTV system was hacked because the administrator account was not password protected. Hackers were able to see live pictures and, in some instances, were able to move cameras inside the house. Which? is now calling for the industry to improve basic security provisions.
IoT Risk
It has long been known that not changing the default password on smart / Internet of Things (IoT) devices, around the home for example, could put them at greater risk of being taken over by hackers.
The fact that IoT devices have a connection to the Internet, are prevalent, and are often overlooked in security planning (and are therefore likely left unguarded) means that they are vulnerable to hacks and attacks. Also, many tend to be connected to (or in control of) physical objects in homes and businesses, e.g. white goods, CCTV cameras, printers, elevators, doors, heating or fire safety systems.
IoT devices are also deployed in many systems that link to and are supplied by major utilities e.g. smart meters in homes. This means that a large scale attack on these systems could affect the economy.
Hackers have also shown that they can take over large numbers of IoT devices at once and use them as a botnet to attack other systems e.g. the ‘Mirai’ attack in October 2016.
Virgin Media Super Hub 2 Security Flaw
Earlier this month, Virgin Media’s (Netgear) Super Hub 2 and Super Hub 2 AC home routers made the news when a security patch had to be rolled out for them after they were found to all have exactly the same private encryption key, thus making them more vulnerable to hacks.
What Does This Mean For Your Business?
In this case, Virgin Media has acted quickly to avoid potentially bigger problems and has assured customers that the security of their systems and equipment is continually upgraded.
One positive aspect of this situation is that it has raised awareness of the vulnerability of IoT devices to attack. The message to users is, of course, that it is good practice to change default passwords on new devices e.g. routers and other IoT devices as soon as possible after setup.
Manufacturers and retailers of smart home and business devices also need to take some responsibility for minimizing the security risks in their products, e.g. by building in better security features, by issuing regular updates and patches, and by informing buyers of the security measures that they need to take to use devices safely.