
Surely PA Consulting should immediately be sued out of existence. This kind of behaviour must be considered beyond negligent, practically criminal.

I would strongly support throwing anyone involved in this into jail for a long time as a deterrent against future criminals.

This is just unbelievable.




Taking a sentient human being and throwing them in a cage is a profoundly violent act. I find it troubling that you guys so casually reach for it as a punitive tool, particularly when the subject has neither committed physical violence nor poses such a threat to others. Surely you clever people can think of forms of punishment/deterrence less destructive to both the individual and society as a whole.


> Taking a sentient human being and throwing them in a cage is a profoundly violent act. I find it troubling that you guys so casually reach for it as a punitive tool

We aren't reaching for it casually. Some of us consider privacy a fundamental value that must be defended, and regard an attack on our privacy with the same seriousness that we would regard an attack on our physical person.

Which is more of a danger to me, someone who punches me in the face on their drunk night out and gives me a bloody lip and a bit of pain for a few hours, or someone who betrays confidences that may have lifelong implications for my employability, insurance premiums and credit levels, ability to travel freely, and for that matter my self-respect and basic human dignity, before you even get to the kinds of more extreme and very physical dangers that could be posed by invasions of privacy if we consider the lessons of history?


>Some of us consider privacy a fundamental value that must be defended

The severity of a punishment can be tuned separately from the form of punishment. Imprisonment is not appropriate merely by dint of your emotional reaction to the crime itself.

>Which is more of a danger to me...

Sufficient to warrant throwing them in a cage, being brutalized by actually violent criminals, imposing a direct cost burden on society, and also indirectly by depriving society of that individual's productivity?

Probably neither.


Financial penalties have a long record of poor influence toward desired, legal behaviour. Further, they tend to simply be, sooner or later, passed on to the customers or clients who in many cases are the original wronged. Those individuals actually responsible for the sanctioned behaviour are not or only weakly punished and perhaps influenced against its repetition.

As an individual, one could well go to prison for such misbehaviour. Corporate and government employment should not serve as an impenetrable shield and dilution of responsibility against such eventuality.

Incarceration is often described as having two goals: Punishment for crimes committed, and mitigation against such crimes. For the latter, both by actual restraint and by aversion to the potential results.

It seems that stronger aversion is needed; we have a systemic problem with recurrence -- often by the same parties -- of this behaviour.


We could debate the relative effectiveness of different forms of penalty, and the relative importance of punishment/deterrent, ongoing protection, and rehabilitation, but I'm not sure this is the forum for it.

However, let me be clear: if the facts in this case really are as I've seen reported, then I have no problem with taking people who did this, throwing them in a cage, and depriving society of their "productivity" for a while. As far as I'm concerned, that kind of productivity is about as welcome as the banking executives who command "competitive compensation packages" for running their organisations into the ground or the politicians who once elected proceed to legislate for the highest bidder.


Poor record keeping is essentially providing blackmail material on thousands, tens of thousands, hundreds of thousands, or occasionally millions of people.

We put blackmailers into jail, and we should put people who provide enough sensitive material to blackmail an entire city into jail as well.


> Surely you clever people can think of forms of punishment/deterrence less destructive to both the individual and society as a whole.

OK, how about getting all their personal information and putting it on a public website?


What they did is destructive to individual privacy and liberty.

This may be a strange concept to you, but you can commit a crime non-physically. After all, lots of people think bankers should be arrested for having traded bad debt and precipitating the recession.


According to them, they got approval for doing that:

> The alternative was to upload it to the cloud using tools such as Google Storage and use BigQuery to extract data from it. As PA has an existing relationship with Google, we pursued this route (with appropriate approval). This showed that it is possible to get even sensitive data in the cloud and apply proper safeguards.


And what "appropriate approval" was that, exactly?

In general, exporting personal data outside of the EEA requires the explicit notification of the data subject under UK data protection law (among other consequences of the first Principle[1]). Moreover, the rules for even processing sensitive personal information, which includes health-related information, are significantly stronger than the general case.

They should never have been given that data in the first place, of course, and giving it to them should clearly be illegal on the part of whoever disclosed it. If it turns out not to have been, that will be a compelling case for dramatically strengthening the legal data protection and privacy framework in the UK. But I don't see how either the original source or PA Consulting can get around the basic conditions for processing sensitive personal data[2]. In particular, the most likely condition they might appeal to here in the absence of explicit consent reads:

"The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality." [Emphasis added]

Even once they had it, that still doesn't give them a free pass on exporting the data outside the EEA without notification (see [3]), or actually processing the data themselves for that matter.

[1] http://ico.org.uk/for_organisations/data_protection/the_guid...

[2] http://ico.org.uk/for_organisations/data_protection/the_guid...

[3] http://ico.org.uk/for_organisations/data_protection/the_guid...


I thought that was why google hosted a lot of stuff in Ireland? So that companies could host EU data there without running afoul of the privacy laws?

I don't think the duty on a company is all that strong - the data has to stay in Europe, on a properly protected computer. Providing you needed a password or equivalent secret to get to the data they are probably okay legally.

Given the NHS is planning to sell poorly anonymized patient records at 10'000 for $10 imminently, I think we are complaining about the wrong problem.


You are wrong about the HES records and about the proposed GP records - there are criminal offences if the data is misused.

> Given the NHS is planning to sell poorly anonymized patient records at 10'000 for $10 imminently,

That's wrong too. It's okay to be against something, but only if you know what that thing actually is. The data would be pseudo-anonymous with HSCIC and anonymous outside HSCIC. While there's a possibility of de-anonymisation, anyone doing so would be committing a criminal offence.


> I don't think the duty on a company is all that strong

You are mistaken. For sensitive personal data, there are much stricter rules on what you can do. Please see the second link I cited before.

> Given the NHS is planning to sell poorly anonymized patient records at 10'000 for $10 imminently

Are you referring to care.data? That programme is essentially dead, in the face of massive opposition, and it was even before the current round of disclosures about hospital records already being leaked.


Doesn't the "safe harbor" clause apply to US companies ?

You know, that joke of a clause which says that US companies fit the needs of our data protection law as long as they claim to fit it (and they only have to claim it) ? Part of the new data protection law that was supposed to be voted in the EU following/during the PRISM scandal was revoking that stupid clause but I'm not sure what happened to that reform.


Safe Harbor avoids some of the issues with exporting data from the EEA at all.

It doesn't cover exporting the data without notifying the subjects appropriately.

It isn't even close to covering exporting sensitive personal data (which is a technical term explicitly including health-related information), for which much stronger rules apply under UK data protection legislation.


The statement from the offending party is that there was no individual identifying data. So what law?


People were able to identify individuals on the earthware map produced from this data that was publicly online.

It doesn't really matter what the offending party says, if it is demonstrably untrue.


So apparently they don't have money to spend on building a secure, state-owned cloud storage service for patient records right?

I wonder, does the GCHQ use private cloud storage contractors or for spying material the government found money to create an appropriate database? :-)


This is just crazy. According to the article, this "big data" fits in 27 DVDs, which is roughly 1-2 TB of data. Do you really need Big Query or whatever for this?


According to Wikipedia, DVDs of the largest capacity can hold 17.08 GB of data, but those are rare. If the article is correct about these details, the data could be ~460 GB at most, but is likely less than half of that if the DVDs in question were of normal capacity.


50 x 50GB blu-ray discs, for over 2TB of storage, only costs $126 at Amazon.

A 2TB portable USB drive costs $100.

But no, let's just upload everything to Google Drive.


I would assume it's not about storage; it's about processing.

The bold byline of BigQuery (https://developers.google.com/bigquery/) is "Analyze terabytes of data in seconds."

Store the data locally? Easily. Set up the necessary back-end infrastructure to sift, twist, and churn the data efficiently? Now you're talking hiring some people to set up an infrastructure for that... Or you could upload it to Google and use their infrastructure.




They didn't say they had approval from Google. That wouldn't make much sense; you don't really need approval from Google to use BigQuery, you just need to open a Google account and create a new BigQuery project on their Developers Console.


Given the scale of the data, it is likely that they needed to contact Google to get rid of the default quotas: https://developers.google.com/bigquery/quota-policy


Why? I don't see any limit being hit by loading 27 DVDs worth of data.


PA Consulting's statement:

PA purchased the commercially available Hospital Episode Statistics data set from the NHS Information Centre (now the Health and Social Care Information Centre). The data set does not contain information linked to specific individuals. The information is held securely in the cloud in accordance with conditions specified and approved by HSCIC.

This new approach to analytics can help the NHS improve patient care. We have been able to identify where services are needed most and to understand previously unseen side effects of drugs and treatments. Our approach protects patient confidentiality and allows insights to be derived at significantly lower cost, and a hundred times faster, than any traditional approach.

HSCIC's statement:

The NHS Information Centre (NHS IC) signed an agreement to share pseudonymised Hospital Episodes Statistics data with PA Consulting in November 2011.

This included Hospital Episode Statistics on Admitted Patient Care (1999/00 to Provisional 2011/12), Outpatient (2003/4 to Provisional 2011/12) and A&E (2007/8 to Provisional 2011/12). This agreement lasted to November 2012 and was amended in December 2012 to extend to November 2015.

The agreement obliged PA Consulting to abide by conditions to protect the confidentiality of the data, including restricting the data to a named list of individuals, a prohibition on sharing any information with risk of identifying individuals and a requirement to destroy the data after the agreement end date.

PA Consulting used a product called Google BigQuery to manipulate the datasets provided and the NHS IC was aware of this. The NHS IC had written confirmation from PA Consulting prior to the agreement being signed that no Google staff would be able to access the data; access continued to be restricted to the individuals named in the data sharing agreement.

http://www.paconsulting.com/introducing-pas-media-site/relea...

http://www.hscic.gov.uk/article/3948/Statement-Use-of-data-b...


> no Google staff would be able to access the data

Well that's obviously bullshit... But aside from that, if it's commercially available and pseudonymised, I can't see much wrong with it.


It can be done !

http://people.csail.mit.edu/nickolai/papers/popa-cryptdb-cac...

That said, I doubt that Google is doing it. More interesting is that this tech appeared two years ago, I thought the world would rush to pick it up and as far as I know no one has!


I would strongly encourage everybody to contact the Information Commissioner's Office, as this must be a breach of data protection?

https://ico.org.uk/Global/contact_us

If anybody has details about how this may be a breach of the data protection act exactly, then please post below.


Surely the people in power should have paid more attention to this before handing the data to a private third party. Those who ignored the problem before it emerged should not be allowed near a position of decision in public office.

Rant apart, this seriously raises the question of whether we need to have an alternative (maybe a pan-European subsidized, not-for-profit organization) to Skynet (sorry, I meant Google).


> Rant apart, this seriously raises the question of whether we need to have an alternative (maybe a pan-European subsidized, not-for-profit organization) to Skynet (sorry, I meant Google).

The UK already has a programme for accrediting and validating cloud providers (called G-Cloud[1]) that classifies services according to their suitability for storing confidential information, and from which Google is already excluded.

If this company used Google anyway, what makes you think they wouldn't have even if there was such an organization in place?

[1] http://en.wikipedia.org/wiki/UK_Government_G-Cloud


Given it is now run by the ex head of Barclays Bank and is the second largest recipient of government contracts in the UK, I wouldn't hold your breath.


If they have permission of government officials then what?

We can hold companies accountable, but how do you hold government accountable? In a meaningful way? Certainly we can find a myriad of excuses not to fire a government worker for a mistake; I am fine with doing the same for this as well.

The key is to learn from it and put into place processes that stop it from reoccurring. We need to weigh the penalties to the harm caused. Frankly, if no one lost their life or livelihood I don't think seeking the outcome you suggest is warranted.


> Frankly, if no one lost their life or livelihood I don't think seeking the outcome you suggest is warranted.

I could not disagree more strongly. A betrayal of public trust on this scale, abusing privileged access to the most sensitive and private of personal data, should be met by severe penalties.

At a minimum the people who actually disclosed the data and the responsible executives at both the original NHS-related source and at PA Consulting should be facing jail time, and the executives barred from holding public office or directing companies for a very long time.

That the company in question should be legally obliterated and that Google should be formally notified and required to completely delete the personal data they are illegally holding should go without saying. If Google refuse to comply then any Google executive who sets foot on European soil should be jailed as well.


It all depends on the value we assign to privacy. My personal opinion is that the handling of patient data should legally be protected somewhere on a scale between banking data and state secrets.

If those kinds of data are mishandled, there _is_ punishment, no matter where you work.

But then I'm culturally biased (we here in Germany seem to be collectively more paranoid about privacy than most other populations).


>If they have permission of government officials then what? //

They wouldn't - without wilful negligence - accept such "permission" from anyone other than a senior official who had in depth knowledge of the necessary requirements of privacy laws. A person in that permission is unlikely to be acting lawfully and is likely to be aware of that - there's no way they should retain a post with responsibility over anything greater than a stapler after that.


To be fair, there are a few grey areas in the law as it currently stands in the UK that might be relevant if we're arguing about government permission. The main one is probably s251 NHS Act 2006, which grants the Secretary of State for Health certain powers to set aside the default confidentiality rules for specific medical purposes. I'm investigating whether those powers are a relevant factor in this case, but so far I've found no verifiable information either way.


>The main one is probably s251 NHS Act 2006, which grants the Secretary of State for Health certain powers to set aside the default confidentiality rules for specific medical purposes. //

Most laws seem to have these SoS exclusion clauses. In this particular case, S.251(1)¹ says

"The Secretary of State may by regulations make such provision for and in connection with requiring or regulating the processing of prescribed patient information for medical purposes as he considers necessary or expedient—

So it's by regulations², i.e. "rules". Whilst they don't need a new law to be passed, they're still a statutory instrument; it's not like this section allows the SoS to just decide by himself.

See for example S.252(2); and S.251(7), quoted here:

"Regulations under this section may not make provision for or in connection with the processing of prescribed patient information in a manner inconsistent with any provision made by or under the Data Protection Act 1998 (c 29)."

---

1 - http://www.legislation.gov.uk/ukpga/2006/41/part/13/crosshea...

2 - http://www.legislation.gov.uk/uksi/2002/1438/pdfs/uksi_20021..., http://www.hra.nhs.uk/documents/2014/02/cag-frequently-asked...


PA Consulting definitely think they were in the right here, they attended a recruitment event at my university and told us about how they did this for the NHS using Google tools. I figured they had permission from the NHS or whatever, and they also seemed to have some relationship with Google. My first thought is that this is just an MP looking for attention, but if the NHS genuinely didn't know then I agree it's surely criminal.


It's hard to know from the article just what happened and what data was uploaded.

But, even though they got approval, they may have committed a criminal offence.

This data initiative is really important. They've got to do something to win back trust. Someone has to lose a job and someone has to go to jail (if a crime was committed).


Rarr, scary database, rarrr.


PA Consulting are idiots and everybody who gave them this contract should be fired.

Saying "I didn't know" is no excuse as this is not the first time PA Consulting have lost data!

"The Home Secretary announced on 10 September that the government has terminated its contract with PA Consulting, following the recent high profile data loss

On 19 August PA Consulting formally notified the Home Office of the loss of a data stick containing sensitive information relating to the JTrack system which PA manage under contract to the Home Office

The data on JTrack relates to prisoners and other offenders in England and Wales."

http://www.scl.org/site.aspx?i=ne9297


And Obama seriously considers letting 3rd parties keep everyone's private data?

No Mr. Obama, neither NSA keeping the data nor 3rd parties is the solution. The solution is to stop spying on everyone.


Who do you think is holding your health records right now?



