As the technological and information age accelerates, we are likely to see more sharing of data between public bodies and companies in the UK. In this article, Ryan Dunleavy and Francesca Bugg of our specialist Media Disputes team look at the increasing overlap in data processing by state and corporate entities.
Learning Records Service
Sometimes the sharing of data between public bodies and companies is accidental, and can have disastrous results. A few days ago, for instance, the Department for Education referred itself to the UK’s data privacy regulator, the Information Commissioner’s Office (“ICO”), over revelations that a database containing the personal data of about 28 million children was made available to companies that work in the gambling industry. Betting companies used the data to try to increase the amount of young people who are gambling online. The breach of the Learning Records Service was exposed by an investigation by Britain’s Sunday Times newspaper.
UK NHS and US Amazon Collaboration
At other times, public bodies are deliberately sharing the general public’s data with companies. By way of example, the British Department of Health and Social Care has entered into agreements with US-based Amazon, the technology company that is one of the FAANGs, ie, Facebook, Apple, Amazon, Netflix and Google.
The UK government announced the arrangement in July 2019, but only recently released redacted copies of its licensing documents with Amazon, following freedom of information act requests by the media and others, such as privacy organisation Privacy International. The agreements date back to December 2018. Copies of those legal documents can be found here. A statement on the government’s website says of the licensing documents that they are “about using content from the [UK’s National Health Service] website to provide reliable and informative answers to basic health questions asked to Amazon’s virtual assistant voice service, Alexa.”
This agreement with Amazon was heralded as a world first, and in many ways it is a helpful advance in health technology.
The idea behind this agreement with Amazon is that it allows those with difficulty searching for health advice on the internet (eg, elderly people, blind people and other patients who cannot easily search for health advice online) access to NHS information via Amazon’s Alexa, the artificial intelligence powered voice assistant. This will be convenient, fast and simple to use for patients. The information will also be limited in scope. Alexa will provide answers to questions such as “Alexa, how long can a migraine last?” by using information from the NHS website.
For the NHS, the service will reduce the pressures on it. Further plans are afoot for other technology companies to work with the NHS. Matthew Gould, the Chief Executive Officer of NHSX, a government unit established last year to drive digital transformation and lead policy, implementation and change, said:
“By working closely with Amazon and other tech companies, big and small, we can ensure that the millions of users looking for health information every day can get simple, validated advice at the touch of a button or voice command. Part of our mission at NHSX is to give citizens the tools to access services and information directly, and partnerships such as this are an important part of achieving this.”
Initiatives by public bodies to use technology companies to process some of their information, however, are open to criticism in relation to privacy, confidentiality and data protection issues. Many people and organisations have an inherent distrust of some technology companies when it comes to processing their information. Amazon is not immune from such concerns. Rumblings about its data privacy systems are to some extent justified by what has happened in the past.
For instance, in relation to Amazon and Alexa, last year Bloomberg reported that contrary to the widely held belief that the Alexa system was solely automated and processed by AI, Amazon workers were listening to what some people said to Alexa.
There is also a level of opacity for the public over what, if any, records of Alexa conversations are generally kept.
Amazon has also been affected by significant data breaches. For instance, in November 2018, the month before its licensing deal was agreed with the NHS, it was reported that Amazon suffered a major data breach that caused customer names and email addresses to be disclosed on its website.
California Class Action against Amazon
And, a class action lawsuit was filed in California a few weeks ago against Ring LLC and Amazon.com, Inc. in relation to a hacker who allegedly contacted a man’s children through an Amazon Ring home security device. Amazon purchased Ring in 2018.
Nevertheless, in terms of the security of Amazon’s system, the NHS has said:
“We have worked with the Amazon team to ensure that we can be totally confident that Amazon is not sharing any of this information with third parties. Amazon has been very clear that it is not selling products or making product recommendations based on this health information, nor is it building a health profile on customers. All information is treated with high confidentiality. Amazon restricts access through multi-factor authentication, services are all encrypted, and regular audits run on their control environment to protect it. As has been observed by some journalists, this isn’t dissimilar to general search, but by voice, so some of the concerns about privacy and commercialisation are the same as those that apply to all search providers.”
Limitation of Liability Clause: The NHS and Amazon
In terms of Amazon’s contracted data privacy requirements towards the NHS, the above statement should be read in the context of clause 7 of the Master Content License Agreement between Amazon and the NHS however, which was released in redacted form but from what can be seen does state:
“Limitation of Liability. [redacted] … in no event will (a) either party be liable for any loss of data… however caused and regardless of theory of liability or (b) either party’s liability for direct damages under this Agreement exceed [redacted]… ”
In the UK, and almost certainly abroad, we can expect to see a greater overlap in the processing of state and corporate sector data over the coming years, via NHS and other government-controlled bodies’ partnerships with technology companies.
Most public bodies were set-up partly to handle highly confidential and private information about the general public that they serve, including records relating to health, criminal activities and child abuse. It is questionable from a data privacy perspective whether in the future the best way to process this type of information in a secure way will be through commercially driven, private sector, multinational technology companies.
You can find further information regarding our expertise, experience and team on our Media Disputes page.
Subscribe – In order to receive our news straight to your inbox, subscribe here. Our newsletters are sent no more than once a month.