UK government releases NHS covid-19 data sharing agreements

Following significant pressure from groups such as OpenDemocracy and Foxglove the UK government has released its data sharing contracts with companies such as Amazon, Google and Microsoft for the creation of a cloud database for sharing covid-19 related data. Contracts with AI firms Planatir and Faculty were also released.

This promotes transparency and accountability around efforts to establish contract tracing technology and centralised databases to combat covid-19. The potential access to high volumes of healthcare data via these databases merits high levels of scrutiny under privacy and data protection laws. However, groups such as openDemocracy raised concerns around sharing high volumes of NHS data and the risk posed by significant third party exposure. In particular, it criticized the credibility of AI firms Planatir and Faculty.

In a recent press release from openDemocracy the contracts were made public:

View Google NHS agreements (PDF, 0.7 MB)

View Faculty NHS agreements (PDF, 0.9 MB)

View Palantir NHS agreements (PDF, 11.6 MB)

View Microsoft NHS agreements (PDF, 1.5 MB)

NHS England has also released the Data Protection Impact Assessment which was undertaken prior to forming a centralised data storage facility for covid-19 related data. This database holds data ranging from regional infection maps to 911 call data and bed capacities.

The NHS uses a ‘cloud first’ approach to ensuring that data is leveraged most effectively. All data is collated in a cloud database allowing for security and accessibility.

Google and healthcare provider Ascension collaboration raises privacy concerns

blue and silver stetoscopeGoogle Cloud has been providing Ascension, the second biggest healthcare provider in the US, with cloud infrastructure services since July 2019. Providing software services to healthcare providers to facilitate the secure management of patient data is not uncommon for Google. The services Ascension are taking are similarly commonplace- the migration of data to Google Cloud, utilizing suite productivity tools and providing technological tools to Ascension’s doctors for use. What perhaps is the defining factor is the scale, with this being the largest project of its kind to date – managing data of over 50 million Americans. This was dubbed “Project Nightingale”.

Continue reading

Citation: The Guardian: Google and Facebook to investigate the targeting of micro-political ads

The Guardian has an excellent piece on recent moves by Facebook and Google in seeking to ban micro-targeting political ads.

The practice, which underpins the Cambridge Analytica scandal, is being reviewed by the news providers. The harvesting of political oriented data is common and is usually undertaken as part of an effort to profile users.

Facebook has been known to group users for the purposes of ads-targeting, some of which considers political interests. This allows for nuanced and in many cases, an alarming degree of differentiation and influence of users.  The US legislatures have taken issue with this approach in the past.

The ICO has recently reached an agreement with Facebook over the fines put in place over the Cambridge Analytica scandal. The regulator continues work into data misuse in political advertising, to which the issue of micro-targeting of political ads is central.

£3billion class action against Google given the go-ahead – Lloyd v Google LLC [2019] EWCA Civ 1599

Mr Lloyd, a consumer protection advocate, brought a claim against Google for damages on behalf of 4m Apple iPhone users. It was alleged that Google secretly tracked some of their internet activity for commercial purposes between 9 August 2011 and 15 February 2012. Continue reading

The right to be forgotten does not apply to search engine results globally

On 24 September 2019 the European Court of Justice (“ECJ”) handed down judgment in the case of Google v CNIL C-507/17. The effect of the case was that right to be forgotten requests only need be applied to domain names of Member States and not extra-territorially globally. The case, therefore, has implications for the processing and effectiveness of the right to be forgotten requests, particularly for requestors who seek de-listing of search results from multiple non-EU jurisdictions. Notably, the administrative burden upon search engine operators has been limited by the ruling.light smartphone macbook mockup Continue reading

Revisiting the right to be forgotten, the NT1 and NT2 case

The right to be forgotten or right to erasure under data protection legislation and enshrined from the Google Spain case allows significant protection of information regarding the individual. In this post, we consider the seminal case of NT1 and NT2 which is illustrative of this fact. Continue reading