back to article Google DeepMind trial failed to comply with data protection – ICO

The Royal Free NHS Foundation Trust failed to comply with the UK's Data Protection Act when it provided 1.6 million patient details to Google's DeepMind, the Information Commissioner's Office said today. The trust provided the personal data as part of a trial to test an alert, diagnosis and detection system for acute kidney …

  1. Forget It
    Meh

    deep mind

    long nose

  2. Electron Shepherd
    Unhappy

    Part of the article is missing

    The missing part is the bit where it says that Google were asked to delete all the potentially illegal data that they obtained through the project, and to allow independent oversight to ensure that this actually occurs.

    I mean, that must have happened, surely? Right?

    1. The Mole

      Re: Part of the article is missing

      It is also missing the part where Google was investigated and fined. Afterall once the data was passed to Google they also became a Data Registrar and failed in their duty to lawfully hold sensitive personal data. There lawyers should have pointed out to them that insufficient due diligence and process had been carried out by the hospital. And of course Google actually has its own pockets to pay fines rather than it just being the tax payer paying.

      1. Anonymous Coward
        Anonymous Coward

        Re: Part of the article is missing

        Don't hold your breath.

        One thing that was also not said anywhere is that it was illegal in itself to provide the data, or for Google to use it. The problem is not that they did it, but how they did it. It's illegal to drive over the speed limit, but the police doesn't make you go back home when they catch you.

      2. Daggerchild Silver badge

        Re: Part of the article is missing

        Well, I'm glad all the other software suppliers to the NHS are under equivalent scrutiny, and this isn't actually the same kind of contract the Trust uses for each of them, he says sarcasticly.

        Who knew anon-mapped retina scans were such a blackmarket goldmine?

    2. Adam 52 Silver badge

      Re: Part of the article is missing

      Or the bit where the GMC launch disciplinary proceedings against the doctor(s) involved for a gross breach of patient confidentiality?

  3. Dan 55 Silver badge
    Flame

    And the fine?

    Where's the fine?

    Fining the hospital will probably not help in these times, but Google needs a fine so it realises that patient data has a value.

    And pour encourager les autres. Everyone who takes on patient data needs to tread on eggshells.

    1. Doctor Syntax Silver badge

      Re: And the fine?

      "Google needs a fine so it realises that patient data has a value."

      I think it realises that quite well without a fine. It might come as a shock to them to discover that privacy also has a value - to the patients.

    2. John Brown (no body) Silver badge

      Re: And the fine?

      "Fining the hospital will probably not help in these times,"

      No, but someone signed off on the deal and there's no mention of anyone personally being fined or sacked for breaking the law. As we are all reminded constantly, not knowing the law is no excuse for breaking it. At least for us plebs.

    3. Anonymous Coward
      Anonymous Coward

      Re: And the fine?

      perhaps if they just paid the tax on the profits derived from their UK sales that might raise a larger amount.

  4. Anonymous Coward
    Anonymous Coward

    "Saw this coming"

    - Every single single commentard when this was announced.

  5. Anonymous Coward
    Anonymous Coward

    Maybe we are setting them up for a massive fine via the GDPR.

    That would be nice seeing as though they pay f*ck all tax.

    1. Anonymous Coward
      Anonymous Coward

      I must admit. I’m holding off on a few things until after GDPR when the punishments get much bigger. Usually where I’ve pointed out huge gaping security holes, then I’ve been quietly swept out of the organisation so no-one needs deal with it.

  6. Anonymous Coward
    Anonymous Coward

    Deep Mind keeps the learning though?

    I'm guessing they won't be reverting Deep Mind to a state of pre-illegal-data.

    So now Deep Mind has gotten valuable learning from ill-gotten gains. Surely those who have provided this learning should be rightly compensated? Say a share of ownership over Deep Mind profits who which are to be distributed among all patients who had data used in the development? Or maybe simply a payoff from Google - how does £100,000 pr. patient sound?

    Private healthcare data should be viewed as extremely valuable, so perhaps 100k is a bit low - but we gotta stay practical, right?

    1. Daggerchild Silver badge

      Re: Deep Mind keeps the learning though?

      Well, we now have a tool to detect imminent kidney damage.

      But we hate Google, so let's delete it, so they have to make it again, in exactly the same way, but with less data, because people are now afraid of it, so it may not work as well.

      In other news: Doctor Hulk SMASH puny disease!

      1. Alan Ferris

        Re: Deep Mind keeps the learning though?

        Or you could ask people if they want to take part in medical research.

        Just as with the use of other bits of my body, informed consent is the key.

        1. Daggerchild Silver badge

          Re: Deep Mind keeps the learning though?

          Heh. I'd settle simply for informed debate right now. Treatment doesn't require consent. But the doctors were NOT meant to be using it for treatment. Not treatment needs consent. But kidneys. Go figure. ICO went figure. But ICO no kill Google? ICO wrong! Kill Google! Hulk SMASH puny debate!

          I'm digging up stuff that said Deepmind had access to a lot more data, but only in the sense every other medical researcher does, so, anonymised, in an armored silo, with a hard deletion date.

          The hysteria is palpable.

          1. David 164

            Re: Deep Mind keeps the learning though?

            They weren't using it for treatment, they were using it to guide their decision making process on what treatment to offer a patient. An the only reason any professional tend to use a tool if it works well, according to most people who have spoken about and use streams it works very well.

      2. Anonymous Coward
        Anonymous Coward

        Re: Deep Mind keeps the learning though?

        OK Godwins law time.....

        A similar argument faced the allies on weather to use the data obtained by Nazi and Japanese human experiments, such as freezing people and trying to resuscitate them, setting off explosives near people to measure their effects at various ranges, or "cures" for fatal diseases.

        The conclusion was that it was pointless to lose the results, as all those tortured, maimed and killed would of died in vain. But it still doesn't stop you hanging or gaoling all those responsible for the crimes.

        So back to you.

        "Well, we now have a tool to detect imminent kidney damage....But we hate Google, so let's delete it, "

        Nope, but you could delete the source information (as you've clearly stated they now have the tool) and you can also prosecute everyone involved and fine the hell out of the companies involved.

        1. Daggerchild Silver badge

          Re: Deep Mind keeps the learning though?

          "So back to you."

          Er, okay, as requested, I invoke Godwin's-law-level of ridicule. On the one hand, lots of dead people, on the other hand... anonymised retina scans. Why did you do that?

          "you could delete the source information (as you've clearly stated they now have the tool) and you can also prosecute everyone involved and fine the hell out of the companies involved."

          Er, who said they weren't deleting the source information? And prosecute for what? Deepmind just got investigated to death, and weren't being evil. But people are angry that the facts aren't backing up their assumptions about Google cackling and rolling in cash made from their stolen data. People want blood!

    2. David 164

      Re: Deep Mind keeps the learning though?

      so we should stop Deepmind from providing a service that the NHS and it doctors are finding useful for saving lives and maximising staff precious time?

  7. Redstone
    WTF?

    What did they expect?

    The Google data vortices will never knowingly suck up less personal data than the NSA and GCHQ combined.

  8. Rich 11

    Gah!

    and has never been used for anything other than delivering patient care or ensuring their safety.

    But this is Google you're working with. Google. The company which became so embarrassed by its 'Don't be evil' slogan that it had to drop it, an admission that some of its actions had been markedly less than good.

    1. Gerry 3
      Boffin

      Re: Gah!

      No, they just corrected their spelling mistake, they changed 'Do No Evil' to 'Do Know Evil'...

  9. Anonymous Coward
    Anonymous Coward

    Quel Surprise

    Not!

    Google really does need to stop [redacted] with our data. If they became honest they might get a bit of praise until then {and pigs will take to the air before that} I'd avoid Google and anything associated with Alphabet and any company they own or part own.

    They are not alone on my naughty step. They sit alongside Microsoft, Oracle, Talk-Talk, Virgin Media, anything from the Murdoch empire and not forgetting BT.

    1. Amorous Cowherder
      Facepalm

      Re: Quel Surprise

      A point of pedantry, the phrase "Quel Surprise" is more often than not used sarcastically to state there is no surprise. There really is no need to use the hideous Americanism of appending "Not!" after it in order to state you're being sarcastic.

    2. Tom Paine
      Flame

      Re: Quel Surprise

      Do you take pull requests? I'd like to offer the following additions:

      Govia Thameslink Railway (Thameslink AND Southern Rail)

      British Gas (lying bastards switched me back from alt provider against my specific instructions not to do so, billed me £400, then kept claiming to have tapes of the call where I agreed to be their customer -- to which I said jolly good, you can play them to the court then -- and then handed it over to a debt collection agency;

      The Passport Office. What shit-for-brains thought FOR A SECOND that forcing applicants to submit selfies in place of passport booth snaps was a good idea, just so passports could be restricted to people with computers?;

      WIley Fox: a flat out scam. DO NOT BUY A PHONE FROM THESE THIEVING BASTARDS.

      Co-Op Bank. I'm currently 13 working days from reporting my card lost; the new one arrived in four working days, neither of the two PINs they claim to have sent me have arrived. Oh and they "forgot" to point out contactless payments don't poll your bank for funds, just authenticate the card, guaranteeing themselves hundreds of pounds I can't afford in bank charges in the last days of the month;

      Amazon, of course, for obvious reasons;

      ....hmmm. Is anyone maintaining some sort of repo of evil, useless corporate shitgibbons?

      1. Gerry 3

        Re: Tom

        What's the problem with WileyFox, other than making you use TrueCaller which breaches the data Protection Act by stealing all your contacts and publishing the names of owners of the phone numbers therein?

        And all the other bundled spyware and the total lack of instructions, but knowing Google I fear that's probably the case with any Android device.

    3. RyokuMas
      Devil

      Re: Quel Surprise

      Strikes me that Google is becoming some kind of data-driven Uber, doing whatever they please and occasionally getting caught. Except they have the money to laugh off the small fines and buy off pretty much anyone they want.

  10. Third Man
    FAIL

    What is the sound of a stable door not being closed?

    1. Tim99 Silver badge

      "What is the sound of a stable door not being closed?

      Loud squealing and slamming sounds when the storm comes?

  11. Hollerithevo

    we need a new icon

    -<<<<<<<<- feather, as in, 'could knock me down with a'

    1. graeme leggett Silver badge

      Re: we need a new icon

      Or a Claude Rains/Captain Louis Renault icon

      " I am shocked- shocked- to find that [bleeding obvious] is going on in here"

  12. Tom Paine

    I'm looking forward...

    ... to "commit[ting[ to changes ensuring [I will ] act in line with the law by signing an undertaking" next time I get stopped for speeding. I'm sure traffic patrol will be happy with that.

    1. GrapeBunch

      Re: I'm looking forward...

      If you do wrong one to nine times, that's a crime. If you do wrong ten to a trillion times, that's business.

    2. David 164

      Re: I'm looking forward...

      actually for a first time offence this is exactly what traffic cops do. So you are actually validating the ICO tactics as this is the first time Deepmind has been found guilty by them.

  13. John Smith 19 Gold badge
    FAIL

    "The Data Protection Act..not a barrier to innovation, but it does need to be considered

    wherever people's data is being used."

    and yet, despite the several decades since it was put on the statute books parts of the NHS still don't.

  14. Tromos

    My bad.

    I was under the assumption that the very essence of data protection lay in keeping your data away from Google.

  15. bazza Silver badge

    Fixed?

    "We accept the ICO's findings and have already made good progress to address the areas where they have concerns. For example, we are now doing much more to keep our patients informed actually bothering to write to our patients to tell them that we slurped their data and about how their data is used. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety, but as much as we'd like to do that it's doubtful that they'll have any reason to believe us and will likely win if they choose to sue"

    I'd that a good enough fix?

    1. j.bourne

      Re: Fixed?

      Upvote for distinguishing the difference between 'We would like to...' and 'We can'/'We will'

      As in "I would like to say I'm stinking rich".... "But, I can't, because I'm not."

  16. Anonymous Coward
    Anonymous Coward

    This wouldn't happen in Scotland

    I've no idea why it's allowed to happen in England. This has always been a clear breach of the DPA, I'm a little confused why the ICO hasn't used a "monetary penalty" instead of a slap on the wrist, which is effectively all that's happened.

    Their local Caldicott Guardian would have signed this off presumably, who's chasing him/her for an answer?

    1. David 164

      Re: This wouldn't happen in Scotland

      Because ICO don't look to punish but look to inform, advise and teach an work with companies and individuals to do so. They only tend to punish if companies or public institutions repeat offence and even then it tend to be for outright loss of data or potential loss of data, NHS losing unencrypted memory sticks multiple times,, Sony failing to have the recommended level of security for it systems despite being one of the most targeted companies on the planet.

      In this case the hospital and Deepmind thought they were following the law but it turn out they weren't and instead they should have done things differently, no data was actually loss or was in any likely danger of being missed use by either party. A few other trusts are using similar deals as well with private companies that will be need to be redone and certainly how the NHS shares information from now on will have to change.

      If NHS and private firms do sign similar deals in the future they are likely to be fine if anyone can be bothered to report them, let's be honest this probably wouldn't have gone to the ICO if it was anyone else other than Google doing the project. An NHS would carry on with similar practices up and down the country.

  17. This post has been deleted by its author

  18. Number_6

    Meanwhile in Scotland.......

    Re: Scotland, you beat me to it almost, dare I say google Spire, The Nuggets that are the SNP have allowed 'anonymised' Scot NHS records to be used by any research depts/uni etc excl. marketing (cough) companies on an opt out basis for patients, not that they advertised it, let's hope the ICO can give them a friendly visit too, I would say Scot Govt. but this lot are more like Dictators. What could possibly go wrong?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like