UK government releases NHS covid-19 data sharing agreements

Following significant pressure from groups such as OpenDemocracy and Foxglove the UK government has released its data sharing contracts with companies such as Amazon, Google and Microsoft for the creation of a cloud database for sharing covid-19 related data. Contracts with AI firms Planatir and Faculty were also released.

This promotes transparency and accountability around efforts to establish contract tracing technology and centralised databases to combat covid-19. The potential access to high volumes of healthcare data via these databases merits high levels of scrutiny under privacy and data protection laws. However, groups such as openDemocracy raised concerns around sharing high volumes of NHS data and the risk posed by significant third party exposure. In particular, it criticized the credibility of AI firms Planatir and Faculty.

In a recent press release from openDemocracy the contracts were made public:

View Google NHS agreements (PDF, 0.7 MB)

View Faculty NHS agreements (PDF, 0.9 MB)

View Palantir NHS agreements (PDF, 11.6 MB)

View Microsoft NHS agreements (PDF, 1.5 MB)

NHS England has also released the Data Protection Impact Assessment which was undertaken prior to forming a centralised data storage facility for covid-19 related data. This database holds data ranging from regional infection maps to 911 call data and bed capacities.

The NHS uses a ‘cloud first’ approach to ensuring that data is leveraged most effectively. All data is collated in a cloud database allowing for security and accessibility.

Morrisions data breach vicarious liability case before UK Supreme Court

Following its data breach in November 2013 the Morrisons data breach case is now before the UK Supreme Court. The breach involved the personal data of 5,500 employees.

An employee, Mr Skelton, took a memory stick containing the records of employees home. In January 2014 he uploaded the contents onto a data sharing website, later sending it to newspapers. Continue reading

Data protection rights

Personal data, such as your name, likeness, birthday or any other information which can be used to identify you is highly sensitive.

Protecting and bringing actions on the basis of your personal data being harvested, used or misused is a key foundational right to privacy. Continue reading

£3billion class action against Google given the go-ahead – Lloyd v Google LLC [2019] EWCA Civ 1599

Mr Lloyd, a consumer protection advocate, brought a claim against Google for damages on behalf of 4m Apple iPhone users. It was alleged that Google secretly tracked some of their internet activity for commercial purposes between 9 August 2011 and 15 February 2012. Continue reading

Police forces use of facial recognition software determined lawful – R (Bridges) v Chief Constable of South Wales Police [2019] EWHC 2341 (Admin)

“The algorithms of the law must keep pace with new and emerging technologies.”- at p[1]

The Facts

The Administrative Court, with Haddon-Cave LJ and Swift J sitting, has heard the first case on the lawfulness of the police using automated facial recognition software (“AFR”). The case concerned the South Wales Police (“SWP”) use of AFR in two instances where they allegedly recorded the image of the Claimant. Once on 21 December 2017 at Queen Street Cardiff and another at the Defence Procurement, Research, Technology and Exportability Exhibition (“the Defence Exhibition”) on 27 March 2018. Continue reading

5 ways to promote data privacy

Opt-ins and diversify basis’ for processing data

User consent underpins data protection rights as a lawful basis for processing. The consent-based mechanism is just one lawful basis for processing but the most debated. This is primarily around the slow abolition of opt-out consent as a legitimate mechanism for obtaining consent. Continue reading

Voice command data and privacy protection, Part II- Apple’s Siri

Apple recently released a statement on its development of automated assistant Siri’s privacy protections. The result is a move towards doing everything right in safeguarding consumer privacy. When compared to Amazon’s protections for its Alexa service market shifts and best practice become clear, making for better adherence to the seven data protection principles underpinning the GDPR.
Continue reading