Included in this Data Issues Round Up: ICO rules Google DeepMind NHS app test breached UK data protection law; Plymouth University commits serious data protection breach by leaking staff salaries; and ICO fines Basildon Council for disclosing a family's personal data.

United Kingdom

ICO rules Google DeepMind NHS app test breached UK data protection law

The ICO has ruled that the Royal Free NHS Foundation Trust did not put adequate measures in place to protect patients' privacy, when sharing data with Google via the "Streams" app.

In the initial stages of testing the app in 2016, the Royal Free shared information on about 1.6 million patients with Google's DeepMind division. Patients' data was used to create a system that helps people to detect when they are in danger of developing severe kidney injuries. The main point that arose was that the hospital did not provide patients with enough information about how their personal data was being used.

Information Commissioner, Elizabeth Denham, highlighted that imaginative use of data needs to be handled carefully, and that: "the price of innovation does not need to be the erosion of fundamental privacy rights".

The ICO decided not to fine the Royal Free; however, the Trust has been asked to sign an undertaking committing it to changes to ensure compliance with data protection law. The hospital responded to the investigation positively and stated that it is open to advice on how to use patients' information in the future. The ICO has allowed the Royal Free to continue using the app.

This recent incident may be evidence of the government's continuing efforts to report more data security breaches, following the National Audit Office's (NAO) report published last year. The NAO found that personal data security was breached almost 9,000 times in one year and revealed that only 14 breaches were reported to the Information Commissioner.

As reported by BBC News.

Plymouth University commits serious data protection breach by leaking staff salaries

Salaries, pension plans and allowances of 245 senior managers at Plymouth University have been leaked. This serious data protection breach occurred in June 2015 when the confidential personal data was sent to an incorrect e-mail address. The affected employees were informed when the breach occurred.

The Information Commissioner's Office (ICO) was made aware of the incident at the time; however, no further action was taken after the recipient assured the ICO that the document had not been distributed and that it had been deleted. The file was forwarded to The Herald from an unknown source.

Guidance on the importance of information security, especially personal data, and suggestions on the types of security measures an organisation should have in place can be found on the ICO's website.

As reported by Plymouth Herald.

ICO fines Basildon Council for disclosing a family's personal data

Basildon Council has been fined £150,000 for breaching the Data Protection Act 1998. The breach occurred when a council officer published a family's personal information online, in a planning application, from 16 July 2015 until 4 September 2015. The application included the family members' names, ages, home location, medical information and disability requirements.

The ICO stated that the information was published "due to failings in data protection procedures and training", and dismissed the council's argument that it was unable to redact personal information due to planning law. It was also noted that the council had previously removed personal information from similar documents.

A spokesman for the council has confirmed that "the council has been given 28 days in which to lodge an appeal against this decision."

Guidance from the ICO in relation to personal data breaches can be found here.

As reported by Sky News.