Data Protection News Update 13 November 2023

United Kingdom

Patients may shun new NHS data store over privacy fears, doctors warn

  • The planned creation of the “federated data platform” (FDP) has prompted concerns about privacy and trust in the NHS and suggestions that suspicion around it will lead patients to refuse to share their data.  
  • A £480m contract will be handed to one of several tech companies bidding for the project. 
  • The FDP will bring together huge amounts of patient data currently held separately by NHS trusts and integrated care systems in an attempt to improve officials’ decision-making. It will not involve data held by GPs.  
  • Patients fear their personal information may be misused, especially if the US spy technology company Palantir is awarded the contract.  

Private UK health data donated for medical research shared with insurance companies

  • Despite UK Biobank stating that it strictly guards access to its data and only allows access by bona fide researchers for health-related projects, an Observer investigation found that it opened up its vast biomedical database to insurance sector firms several times between 2020 and 2023.
  • This data was provided to insurance consultancy and tech firms for projects to create digital tools that help insurers predict a person’s risk of getting a chronic disease.  
  • The database contains millions of blood, saliva and urine samples, collected regularly from about 500,000 adult volunteers, along with medical records, scans, wearable device data and lifestyle information. 
  • The exact nature of the data shared with the insurance industry is not clear because Biobank does not routinely publish this and has declined so far to say.  

United States

New York State Bar Association backs facial recognition limitations 

  • A New York State Bar Association working group is recommending that the organization push to change the state’s civil law to prevent entertainment venues from using facial recognition technology to deny customers admission, and is also asking it to back legislation allowing consumers to sue private groups that collect biometric information without their consent.

The NAI Unveils Best Practices for Health Advertising

  • The Network Advertising Initiative (NAI) today released recommended best practices outlining how companies can utilize demographic consumer data for health-related advertising.  
  • The guidance bolsters consumer privacy protections around sensitive consumer health information while also providing effective health advertising.  
  • The NAI is the leading privacy self-regulatory association for the advertising technology industry and believes that it is essential that benefits of health-related advertising are achieved in a manner that protects consumer privacy.  


EU’s AI Act negotiations hit the brakes over foundation models  

  • The AI Act is a landmark bill to regulate Artificial Intelligence following a risk-based approach; it is currently in the last phase of the legislative process.
  • With the rise of ChatGPT, foundation models have become the sticking point in this late phase of negotiations, with EU policymakers wondering how to best cover this type of AI in the upcoming law.  
  • This proposed Act is at risk after several EU member states objected to the bill’s provisions around generative AI models. 
  • The latest proposal contained a tiered rule system for foundation models that are likely to have greater effects on society. Countries such as France and Germany have been resistant to this after facing pressure from AI companies Mistral and Aleph Alpha.  


Optus loses court bid to keep report into cause of cyber-attack secret

  • Optus lost a bid in the federal court to keep secret a report on the cause of a 2022 cyber-attack, which resulted in the personal information of about 10 million customers being exposed.  
  • The company announced that it had recruited consultancy firm Deloitte to conduct a forensic assessment of what had led to the cyber-attack, arguing in court that the dominant purpose of the report was to assess the legal risk to the company. It claimed that Deloitte’s report would assist the company’s internal and external lawyers on how to advise the company about the risks associated with the hack.  
  • Optus has faced an investigation by the Office of the Australian Information Commissioner (OAIC) and a class action case in federal court.  

