From the press release:

> We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations.

I don't think that the first step they typically seem to take, then, is punishment, but steps to bring whatever it is the company is doing back in line with the regulations. The trust is required to:

> establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials;
> set out how it will comply with its duty of confidence to patients in any future trial involving personal data;
> complete a privacy impact assessment, including specific steps to ensure transparency; and
> commission an audit of the trial, the results of which will be shared with the Information Commissioner, and which the Commissioner will have the right to publish as she sees appropriate.

Edit - ICO site: https://ico.org.uk/about-the-ico/news-and-events/news-and-bl...

Edit - some more details about the case:

> In terms of the technical security of the dataset, it is understood that the data is subject to encryption at rest and whilst in transit. It is also understood that the Royal Free has received confirmation from the appropriate body that approval had been obtained for the Logical Connection Architecture for the transfer of data, and that the hosting location has been confirmed as compliant with two relevant Information Security Standards. On this basis, the Commissioner accepts that there is no current evidence that the data has or will be at risk of processing by an unauthorised third party.

> It is further understood that all access to raw patient-identifiable data by DeepMind staff as part of the system administration is carefully logged in an audit trail, and is only carried out under the instruction of the Royal Free as part of the data processing. The ICO would like to make it clear that for as long as the data remains in DeepMind's or indeed any third parties' possession, appropriate audit trails, logs and restrictive access provisions should be in place;

https://ico.org.uk/media/action-weve-taken/undertakings/2014...

I think the level of the breaches, security of the data and how far things have been taken beyond what is legal make a big difference in what they've decided.