Category Archives: Databases

Big data, big policy decisions

First of all, thanks to the many readers who have commented on the last posting on this blog, which ruminated on its future. Your comments were very helpful (and also very kind). IP Draughts has not yet taken any major decision, and for the time being will continue as before.

Today’s theme is “big data” and the policy decisions that accompany it (not them, please!).

IP Draughts has come across this subject in several contexts recently. There is health data, such as that held by the UK National Health Service (NHS) about its patients. Several of our clients have been involved in licensing-in or licensing-out such data, whether as a hospital, university or start-up technology company. These activities can raise some significant data protection issues, but fortunately several members of our team have become very familiar with this area of law, including Francis Davey and Stephen Brett.

On the public stage, there have been well-publicised initiatives to mine such data. Lord Drayson recently raised £60 million from investors on the AIM market, for his company, Sensyne Health, which has entered into agreements with several NHS Trusts. He is reported as saying:

The NHS has a “responsibility to society” to make money out of patient data rather than allowing the profits to be captured by US technology companies…

[there is] an “ethical imperative” to use anonymised data to improve care.

The national focus on big data is not confined to the health field. So-called geospatial data is also under the spotlight. In last Autumn’s Budget, the UK’s Chancellor of the Exchequer announced the formation of a Geospatial Commission, which would “maximise the value of all UK government data linked to location, and to create jobs and growth in a modern economy.” More recently, the government has declared:

From emergency services, transport planning, and 5G networks, to housing, smarter cities and drones – the UK’s geospatial infrastructure has the potential to revolutionise the UK’s economy.

The government is currently recruiting for members of this commission and for the civil servants that will support them. The commission will set a strategy for commercialisation of the nation’s geospatial data, working with the main agencies that currently hold the data, including the Ordnance Survey and the Land Registry.

National initiatives spawn national policies and codes of practice. Where personal data is involved, and where the custodian of the data is a public body such as the NHS, documents of this kind are perhaps inevitable. The latest one to cross IP Draughts’ desk is called “Initial code of conduct for data-driven health and care technology”. It sets out “10 key principles for safe and effective digital innovations, and 5 commitments from the government to ensure that the health and care system is ready and able to adopt new and innovative technology at scale.” The document’s introduction explains the government’s underlying thinking:

Today we have some truly remarkable data-driven innovations, apps, clinical decision support tools supported by intelligent algorithms, and the widespread adoption of electronic health records. In parallel, we are seeing advancements in technology and, in particular, artificial intelligence (AI) techniques. AI is being used on this data to develop novel insights, tools to help improve operational efficiency and machine learning driven algorithms, and clinical decision support tools to provide better and safer care.

This presents a great opportunity, but these techniques are reliant on the use of data that the NHS and central government have strong duties to steward responsibly. Data-driven technologies must be harnessed in a safe, evidenced and transparent way. We must engage with patients and the public on how to do this in a way that maintains trust.

AI, AI, Oh!

The 10 principles are not particularly surprising or radical for anyone familiar with GDPR and government policy generally; what is noteworthy is that the principles have been brought together and published for the circumstances of big health data. They are explained in more detail in the document itself, but the headings are:

  1. Define the user
  2. Define the value proposition
  3. Be fair, transparent and accountable about what data you are using
  4. Use data that is proportionate to the identified user need (data minimisation principle of GDPR)
  5. Make use of open standards
  6. Be transparent to the limitations of the data used and algorithms deployed
  7. Make security integral to the design
  8. Define the commercial strategy
  9. Show evidence of effectiveness for the intended use
  10. Show what type of algorithm you are building, the evidence base for choosing that algorithm, how you plan to monitor its performance on an ongoing basis and how you are validating performance of the algorithm

The possibilities of big data, artificial intelligence (AI) and algorithms seem to have captured the attention of the UK government. These developments should mean more work for IP and IT lawyers and for technology transfer managers –  and help to offset the likely negative effects for this part of the UK economy that will result from Brexit.

Filed under Databases, Legal policy

Blast from the past: is software ‘goods’?

Back in the 1980s, when brightly-coloured tracksuits were in fashion, IP Draughts took a part-time course in IT law at Queen Mary University. One of the subjects that he earnestly studied was whether the supply of software amounted to a sale of goods, for the purposes of the Sale of Goods Act 1979.

He was convinced that it didn’t amount to a sale of goods, and he carried this conviction with him into the 1990s, when he wrote his first book, Technology: the Law of Exploitation and Transfer (Butterworths, 1996). The third edition of that work, now called simply Technology Transfer (Bloomsbury, 2010), discusses at pages 461-466 the legal issues involved in this question, and in the related question of whether the sale of a patent could amount to a sale of goods. The discussion briefly mentions the 1995 case of St Albans District Council v ICL, in which the Court of Appeal considered (obiter) that the answer to this question might depend on whether the software was supplied on a disk.

IP Draughts has long felt that this is a ridiculous distinction to make, as the nature of software is not changed by the medium or method by which it is supplied. The value in the software depends on the electronic content, not the piece of plastic on which it is, or not, delivered. However, as mentioned below, this is a distinction that the courts have used to justify their decisions in subsequent cases.

The fourth edition of that book is now being written, and will mention a new case that continues the judicial debate on this subject. The Court of Appeal case of Computer Associates UK Ltd v The Software Incubator Ltd [2018] EWCA Civ 518, appeared on the BAILII website last week. The main question to be decided was whether, for the purposes of EU law on commercial agents, the supply of software (typically by download over the internet) amounted to a sale of goods.

At first instance, His Honour Judge Waksman QC had decided that it did amount to a sale of goods. In the Court of Appeal, Gloster LJ, giving a judgment with which her fellow judges agreed, decided that it did not.

Gloster LJ’s judgment considers certain English, EU and other case law in this field, including the St Albans District Council case. IP Draughts has a great deal of sympathy with Gloster LJ’s comment, at paragraph 45 that:

…I am somewhat uncomfortable with a conclusion that the tangible/intangible distinction leads to a construction of “goods” that excludes the Software, which seems artificial in the modern age. However, I consider this to be justified given the commercial context and notwithstanding the superficial attraction of the respondent’s arguments, which I next consider.

After considering the arguments and case law in further detail, including the fact that the Consumer Rights Act 2015 introduced a new concept of supplying “digital content”, she reaches the following conclusion:

I conclude that the judge was wrong in law in holding that the Software, which was supplied to CA’s customers electronically and not on any tangible medium, constitutes “goods” within the meaning of Regulation 2(1). I would therefore allow the appeal on this issue.

Hurrah!

Filed under Databases, Intellectual Property, Licensing

Data consents: let’s get granular

This blogger has previously discussed some of the difficulties in relying on consent as a justification for lawful processing under GDPR, but these difficulties bear closer examination. First, the basics. Then some thoughts on the use of consent in the research world and whether it is always needed.

The basics

Consent is one of the six lawful bases that justify the processing of personal data.  To be adequate, consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes by a statement or clear affirmative action – granular is the word the regulators use.  It is not silence or a pre-ticked opt-in box.  It is not a blanket acceptance of a set of terms and conditions that include privacy provisions.  It can be ‘by electronic means’ – it could be a motion such as a swipe across a screen.  But, where special category data (sensitive data such as health data) are processed and explicit consent is needed, this will be by way of a written statement.

The data controller must be able to demonstrate consent.   This goes to accountability – the controller is responsible for demonstrating compliance across the piece although GDPR does not mandate any particular method.

Consent must be requested in an intelligible and easily accessible form and must be clearly distinguishable from other matters.  The request cannot be bundled up and appear simply as one part of a wider set of terms.  When the processing has multiple purposes, consent should be given for each of them – granularity again.  Conflated purposes remove freedom of choice.

Consent must be freely given. It must be a real choice. Employers will always find it hard to show that their employees have consented freely, for example. The choice needs to be informed. Without information, any choice is illusory (the transparency principle). As a minimum, the informed individual would need to know: the controller’s identity; the purpose of the processing; the data to be collected and used; and that consent can be withdrawn.

It must be as easy to withdraw consent as it was to give it.  This doesn’t necessarily mean that withdrawal must be by the same action (swipe to consent and withdraw) but rather that withdrawal must be by the same interface (consent via the website, withdraw via the website).  After all, switching to another interface would involve ‘undue effort’ for the individual.  If consent is withdrawn, the individual must not suffer any detriment.

With pleasing circularity, demonstrating that withdrawal carries no cost and no detriment (meaning no significant negative consequences) helps to demonstrate that the consent itself has been freely given.

Consent in the research world

Getting granular consent (meaning consent specific to a given purpose) can be repetitive.  Bundling up different consents in one is not allowed so multiple purposes make for long lists of consents and the risk of consenting fatigue.  Other lawful bases may be more convenient and consent should not be the default or unthinking route for controllers.  Aside from the high threshold for adequate consent, the GDPR’s transparency agenda means that there is a strong argument that if consent is given as the lawful basis at the outset there can be no substitution of a different legal basis if consent is withdrawn.

Getting granular consent can be difficult.  GDPR recognises that it may not be possible to fully identify the purpose of scientific research processing at the point of data collection and acknowledges that individuals could consent only to certain areas of research.  GDPR’s principles are relaxed for the benefit of scientific research but they continue to apply.  The purpose of the processing must still be described but it is enough for the research purpose to be ‘well described’ rather than specific.  Transparency is a safeguard where specific consent is not possible.  Research plans should be available.  Consent should be refreshed as the research progresses.

Consent must be freely given.  Does a research participant have a free choice?  Probably yes, if the intended processing is not arbitrary or unusual and if the information provided is adequate and accurate.  An informed refusal to join a clinical trial will not lead to standard treatment being withdrawn so there is no detriment.  But what if the standard treatment is not working?  If the individual has to consent to arbitrary processing of their personal data in order to take what may be their only remaining hope then it is difficult to see that as a free choice.

Consent can be withdrawn.  Researchers have some comfort in that processing that has already been carried out remains legitimate after consent is withdrawn.  But further processing must stop which threatens the ongoing research project, unless the data can be disentangled.  To make matters worse (for the researcher), if there is no other legal basis for holding the data then it may be necessary to delete it – more difficult disentangling, especially if the individual forces deletion through their right to be forgotten.

What can the worried researcher do about the risk of withdrawal?  Anonymise the data and carry on is always a good answer.  Rely on a different legal basis in the first place (and carry on) is another good answer.

Sidestepping the issue by making the consent irrevocable is not a good answer: it would breach the requirement that consent can be withdrawn at any time.

A sneaky lawyer’s answer may be to embrace the requirement that consent must be as easy to withdraw as to give.  If changing formats involves ‘undue effort’ then avoid electronic means and require consent to be in writing.  This answer is not guaranteed by any stretch of the imagination: the data controller is essentially betting that few will bother to put pen to paper to withdraw.

Clearly GDPR consent is a troublesome beastie but there is one strong point in its favour.  Using consent as the legal basis for processing promotes trust.  Repeatedly refreshing that consent as the research progresses reinforces trust.  Trust makes the engagement stronger.  Perhaps the prize of a stronger and more committed and engaged research cohort based on consent is worth it?

Filed under Databases

New legal superhero (or supervillain) is born: the Motivated Intruder

The man on the Clapham omnibus should not be confused with Hector the Tax Inspector

English law is full of fantastical creatures.  Pride of place goes to the Reasonable Man who is, by all accounts, an ordinary and prudent person, who is bowler-hatted and most commonly found on the Clapham omnibus.

He gets everywhere (he has cousins on the Bondi tram and the Shau Kei Wan tram).  He is free from over-apprehension and from over-confidence.  He provides a neutral standard that assists the bemused lawyer to assess whether or not any particular act is negligent.

Contract lawyers know the Officious Bystander well.  He occasionally interrupts proceedings to suggest terms for inclusion in contracts which are so obvious that they can be implied and do not need to be stated.

The Man on the Bondi Tram retired in 1960.  Mr Pettifog remembers him well.

There is the Informed User who is something more than a consumer, knowing a fair bit about the existing design corpus but who is most definitely not an expert in the field.  He helps us to establish the boundaries of individual character in registered designs.  Or there is his close friend from the world of patents, the Person Skilled In The Art (aka the Nerd With No Imagination).  He is widely read in his field but has no imagination.  If he wouldn’t have thought of it, an invention satisfies the requirement of novelty necessary for the grant of a patent.

Less impressive is the Moron In A Hurry.  If two items are so different that they would not confuse even the Moron In A Hurry then there is no confusion and no passing off or trade mark infringement.

IP Draughts confesses that he had not heard of the Man on the Shau Kei Wan Tram

There is now another character to add to the fold: the Motivated Intruder.

The Information Commissioner’s Office highlighted his existence in November 2012, although some sightings date back to 2008.  He (or quite possibly she) has been quietly permeating the vexed topic of effective anonymisation.  This is more interesting than it sounds and currently matters a great deal to academic researchers although I predict it will soon matter just as much to insurance companies.

Old Etonian classics scholar, and Mayor of London, demonstrates the correct use of an omnibus

Old Etonian classics scholar, and Mayor of London, demonstrates the correct use of the masculine dative plural of “omnis”

Under UK law, information about a living and identifiable person can only be processed in accordance with the terms of the Data Protection Act.  To generalise, if you don’t have the individual’s consent (informed and freely given), you can’t use their data.  This is an issue for researchers keen to use the huge repository of data collected by the National Health Service (NHS).  The NHS holds a treasure trove of useful information but it was collected for clinical care purposes, not for research.  Obtaining individual consent permitting personal data to be used for research purposes just isn’t practical.  Cue much gnashing of academic teeth at the wasted opportunity.  But there is hope.  If the data is anonymous, it does not qualify as personal data and the restrictions of the Data Protection Act fall away.

Consent is not necessary in order to perform the act of anonymising personal data.  However, the question that now looms is just how anonymous information has to be to ensure that it is no longer classed as personal data.  The Data Protection Act is concerned with the likelihood of re-identification rather than with the possibility.  It boils down to needing to know whether any given method of anonymisation renders the information so secure that it is not reasonably likely that individuals, even individuals with rare medical conditions living in sparsely populated regions, will be re-identified.

How can the researcher be confident that the data has been effectively anonymised and therefore is not personal data? Enter the Motivated Intruder.

This character has no prior knowledge but wants to identify an individual from an anonymised dataset. The Motivated Intruder is competent, has access to resources such as the internet and public documents, and will take all reasonable steps to try to re-identify an individual from the anonymised dataset. But the Motivated Intruder does not have specialist skills and will not break the law. He sits somewhere between the inexpert member of the public and the skilled specialist. If the statistical method used would defeat the Motivated Intruder then the data can be treated as anonymous and used with confidence by the researcher.

Unfortunately, the Motivated Intruder is still a youngster.  There are few examples of his work.  In some cases, it has been enough to defeat the Motivated Intruder to redact certain aspects of the dataset such as the dates and locations of medical incidents.  In others the likelihood of identification was low enough that statistical information relating to same sex adoption and (in a separate case) to school entrance exams was effectively anonymised and could be released.  In another case, the raw data from a clinical trial could not be effectively anonymised and therefore should not be released.  There are questions that remain to be answered: just how hard will the Motivated Intruder try?  What sort of information does the Motivated Intruder care most about?  How much embarrassment or anxiety can the individual who is identified be expected to tolerate?

An earlier sighting

As with the Loch Ness Monster, we need a clearer picture…

As time goes on and the Motivated Intruder is cited (sighted… geddit? Unfortunately, yes. Ed) more often so we will have a clearer picture and so researchers can proceed with greater confidence.

In fact, the Motivated Intruder has the potential to play a starring role in an information debate coming to your screens in the very near future.  The care.data project has been put on ice because of growing public concern that anonymised health data could find its way into the hands of unscrupulous insurance companies who would promptly and easily re-identify it and use it to push our premiums up.  Time to call for the Motivated Intruder to restore public confidence?  Or is it too late for that?  The Motivated Intruder focuses on the likelihood of re-identification.  Public opinion might well be focussed on the possibility of re-identification.

PS IP Draughts is curious to know if there are any other fictional legal characters, not mentioned above, in readers’ jurisdictions.  He wonders whether the woman on the Edinburgh tram could be a candidate. Please let us know via this blog’s comments.

Filed under Confidentiality, Databases