The issue here doesn't seem to be Google but the NHS providing the data in the first place. So the NHS is to blame. Also, even if the blame was laid on both parties you couldn't punish Google without punishing the NHS - and punishing a publicly funded organisation financially is bad for everyone. It's much more useful to ensure the issue can't happen again.
ICO doesn't have that power. They can prosecute people but only if they've deliberately breached the DPA and that doesn't seem to be the case here. The NHS should definitely hold the people responsible to account though.
So, the system for protection of personal data in the NHS is broken then - if managers can choose to flout the law without any personal repercussions then that law is useless.
IIRC you have to have a license to work with certain types of data, that person/those people need to lose grades to the point they have no controlling decision with respect to personal data. It shouldn't be up to their colleagues whether they get held responsible.
I work in a craft studio and face a large fine - so I'm told - if I reveal personal data, or make that possible ... because perish the thought someone could learn you painted a piece of pottery, but reveal personal health information against patient wishes and nothing happens?
My last sentence stated that the NHS should hold the people who screwed up responsible or fix the broken systems that allowed this to take place. As I said a fine is of no benefit to the public and prosecution would only be used in repeat or intentional breaches of the DPA (which I'm guessing this wasn't). Therefore it's up to the NHS to sort out the problem within their organisation.
>> I work in a craft studio and face a large fine - so I'm told - if I reveal personal data, or make that possible
I'm guessing you're subject to the exact same process the NHS has gone through here. The only reason you would be more likely to receive the fine is because it makes sense as you're not funded by the taxpayer. Fining the NHS is in effect fining the taxpayer for breaching the rights of the taxpayer. It's the same reason the police and other public bodies don't often get fined.
Punitive punishment does nothing to stop bad practice from happening. It does make sure that people who make mistakes cover them up.
We especially do not want that in NHS organisations[1] - we want people to freely and openly admit to mistakes made.
[1] I gently dislike it when people say "The NHS" - that's not a thing, and it hasn't existed for many years now. There are 4 NHSs in the UK, and each of those is made up of a bunch of smaller organisations that have little connection to the rest.
In this situation "The NHS" did nothing. One hospital trust made this decision. Many other NHS trusts (and the Caldicott Guardians) were alarmed by the decision.
Both sides in a contract are responsible for acting according to the law, yes. (One-sided punishment would be unfair though, so I think in this case the requirement for proper follow-up and doing it better next time is a good resolution, unless it caused actual damage.)
UK regulators take a light touch approach. They ask people to stop doing what they're doing; then if the behaviour continues they take further action.
This has an advantage when action eventually is taken: the offender finds it harder to claim to not know what the law is, or that their behaviour is compliant with law.
> We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations.
I don't think that the first step they typically seem to take then is punishment, but steps to bring whatever it is the company is doing back in line with the regulations.
The trust is required to:
> establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials;
> set out how it will comply with its duty of confidence to patients in any future trial involving personal data;
> complete a privacy impact assessment, including specific steps to ensure transparency; and
> commission an audit of the trial, the results of which will be shared with the Information Commissioner, and which the Commissioner will have the right to publish as she sees appropriate.
> In terms of the technical security of the dataset, it is understood that the data is subject to encryption at rest and whilst in transit. It is also understood that the Royal Free has received confirmation from the appropriate body that approval had been obtained for the Logical Connection Architecture for the transfer of data, and that the hosting location has been confirmed as compliant with two relevant Information Security Standards. On this basis, the Commissioner accepts that there is no current evidence that the data has or will be at risk of processing by an unauthorised third party.
> - It is further understood that all access to raw patient-identifiable data by DeepMind staff as part of the system administration is carefully logged in an audit trail, and is only carried out under the instruction of the Royal Free as part of the data processing. The ICO would like to make it clear that for as long as the data remains in DeepMind's or indeed any third party's possession, appropriate audit trails, logs and restrictive access provisions should be in place;
I think the level of the breaches, security of the data and how far things have been taken beyond what is legal make a big difference in what they've decided.