Data Compliant’s Weekly Roundup: NHS Trust breaches DPA, Wetherspoons delete entire customer database, & more

The ICO censures NHS Trust for breaching data protection law

In light of the Royal Free NHS Trust’s mishandling of 1.6 million patients’ information for research and innovation purposes, the Information Commissioner’s Office (ICO) has asked the Trust to sign a four-point undertaking to ensure future compliance with data protection law. This requires them to:

  • establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials;
  • set out how it will comply with its duty of confidence to patients in any future trial involving personal data;
  • complete a privacy impact assessment, including specific steps to ensure transparency;
  • commission an audit of the trial, the results of which will be shared with the Information Commissioner.

The Royal Free worked with ‘DeepMind,’ Google’s recently acquired artificial intelligence technology, to develop an ‘alert, detection and diagnosis system.’ The hospital provided details of 1.6 million patients to the DeepMind division with a view to creating an app called ‘Streams’ that helps doctors detect patients at risk of acute kidney injury (AKI). The patients had not given their consent to this, and indeed did not know that their information was being shared in this way.

DeepMind is a sophisticated artificial intelligence program that offers ‘self-taught AI software’ to process and find solutions to projects that would otherwise require massive amounts of human learning and labour.

Elizabeth Denham, the Information Commissioner, stated:

“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.”

Wetherspoons notifies email subscribers that they will be ceasing email correspondence

In a measure anticipating the General Data Protection Regulation (GDPR) coming into force next year, the popular pub chain J. D. Wetherspoons will be deleting their entire customer email database.

This may also be in response to a data breach in 2015 in which over 650,000 of the company’s customer email addresses were affected.

This ‘unexpected’ news came as Wetherspoons customers received an email on the 23rd of last month explaining:

“I’m writing to inform you that we will no longer be sending our monthly customer newsletters by e-mail.

Many companies use e-mail to promote themselves, but we don’t want to take this approach – which many consider intrusive.

Our database of customers’ email addresses, including yours, will be securely deleted.”

We reported on this blog last month on the fines that the ICO issued for illegal marketing offences committed by Morrison’s, Flybe and Honda. It would seem that these high-profile cases are beginning to influence how major companies deal not only with the imminent tightening of regulations under the GDPR, but also with increasing public awareness of data protection law.

The NCC Group has reported that fines from the ICO in 2016 would have been £69m, instead of the actual £880,500, if the GDPR had been in force. This would explain Wetherspoons’ decision.

A Wetherspoons spokesperson told

“We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data.”

The Government Digital Service (GDS) makes users change passwords after security breach

The GDS website, which allows registered users to find data published by government departments and agencies, public bodies and authorities, has asked its users to change their passwords after a publicly accessible database of usernames and emails was discovered during a security scan.

The Information Commissioner’s Office has been notified but is yet to make an official statement on the matter.

A GDS spokeswoman told the BBC that only accounts were compromised, not accounts associated with any other government website. She continued to explain that only email addresses, usernames and ‘hashed’ passwords, i.e. passwords that have been scrambled, not personal information such as names and addresses, had become accessible. Scrambled passwords are not as useful to cyber-criminals.

However, as a precaution, registered users will have to change their password when they next try to log in, and they have been advised to change their password for other websites or services if it is the same as the one they used for the site.

There is no evidence yet to suggest that this breach has been exploited in any way.

Cyber-criminals often send emails to victims of a data breach, masquerading as service emails, in order to tease out more information, so web users ought to be careful in these circumstances and look out for phishing emails in their inboxes.

The ICO announces fines issued to 13 charities for failing to follow data protection rules

This week the ICO announced fines that it issued in April, after a series of investigations running since 2015 uncovered 13 charities’ misuse of personal information.

The ICO’s online statement highlights fines ranging from £6,000 for Oxfam, for processing information about people that had not been provided with consent, to £18,000 for the International Fund for Animal Welfare, for numerous breaches of data protection law, including the sharing of donor information with other charities.

Government department changes name: DCMS becomes DDCMS

The government has announced that the former Department for Culture, Media and Sport (DCMS) will now be the Department for Digital, Culture, Media and Sport (DDCMS). This reflects the government’s commitment to preparing for an increasingly digitalised world.

However, the department will still be known as the DCMS in all communications.

A government statement outlines the change:

“In a move that acknowledges the way the Department’s remit has evolved, the Prime Minister and Culture Secretary Karen Bradley have agreed a departmental name change. The Department will continue to be referred to as DCMS in all communications, but is now the department for Digital, Culture, Media and Sport.”



Harry Smithson 7th July 2017





