A new post on the Covington eHealth blog reports that the UK government is running a consultation on NHS patient data security standards and a new legal framework for secondary uses (e.g. research) of patient data.  That post describes the proposals and the consultation in more detail.

The UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), has imposed a fine of £350,000 on Prodial Ltd (“Prodial”) for making over 46 million unsolicited automated telephone calls to generate leads in relation to payment protection insurance refunds.  This is the highest fine issued by the ICO to date.
Full post: Company Receives Record Fine from UK Regulator For Cold Calling

Industry eagerly awaits further guidance from data protection authorities (“DPAs”) on the EU-U.S. Privacy Shield, as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts, publication of an opinion by the Article 29 Working Party, which represents, among others, the EU’s data protection authorities, is a key next step that will shape enforcement and data transfer options for companies in the post-Schrems environment.  Until then, here is a summary of the approach that some of the national DPAs are taking:
Full post: EU DPA Enforcement Guidance Post-Schrems

The UK Information Commissioner’s Office (“ICO”) has issued its largest fine to date in connection with the use of an automated calling system to make direct marketing calls.  The ICO found that Home Energy & Lifestyle Management Ltd (“HELM”), a green energy company that made millions of automated marketing calls in relation to “free” solar panels, recklessly contravened UK regulations, and fined the company £200,000.
Full post: UK ICO Issues Largest Ever Fine In Connection With Automated Marketing Calls

The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system.  The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016.
Full post: UK Government Launches Cybersecurity Service For Healthcare Organizations

The UK Supreme Court has granted Google the right to appeal part of the English and Welsh Court of Appeal’s notable ruling in Google Inc. v. Vidal-Hall & Ors [2015] EWCA Civ 311.

Our previous blog highlighted the facts of the case (brought by Internet users against Google’s ad-tracking practices) and the significant consequences

Dan Cooper and Phil Bradley-Schmieg

On March 27, 2015, the England and Wales Court of Appeal (EWCA) handed down a historic judgment in Google Inc v. Vidal-Hall & Ors [2015] EWCA Civ 311, with significant consequences for organizations handling personal data in, or from, the UK.

This case was brought against Google Inc. by three users of Apple’s Safari web browser.  They argued that over a period of nine months, Google’s DoubleClick and AdSense services secretly tracked their visits to all websites that used Google AdSense to serve advertising, contrary to Google’s public assurances that users who maintained Safari’s default privacy settings would not be tracked or profiled by DoubleClick, or receive personalized advertising.  This, they allege, allowed Google to wrongfully build up a detailed picture of their browsing history from which it could deduce their interests and personal characteristics, and thus serve personalized adverts.  Similar cases have been brought against Google in the United States, leading to a US$22.5 million U.S. Federal Trade Commission fine and a US$17 million settlement with state attorneys general.
Full post: English Court of Appeal Decision Significantly Expands UK Privacy Law

Please note that this event, originally scheduled for December 10, is being rescheduled for February 2015 (date TBC).

Covington’s London office will be hosting a breakfast seminar for clients on ‘Mitigating Information Loss in the Healthcare Industry: the Insider Threat’ with The Chertoff Group.

Full post: Client Event – Cyber Security Series, ‘Mitigating Information Loss in the Healthcare Industry: the Insider Threat’

By Phil Bradley-Schmieg

The UK Information Commissioner’s Office (ICO) has launched an informal survey of current practices relating to the use of data-enabled medical devices and apps.

The short and anonymous survey explores whether organisations have put in place specific policies and procedures, asset registers, IT security requirements for medical device procurement policies, information governance and incident response processes, and an “end of life” policy for defunct/decommissioned devices.

It also asks high-level questions about the technology being used, such as whether the devices can connect to the Internet, and about the use of medical apps, mobile phones, tablets and dictaphones.

Full post: UK Data Protection Regulator Surveys Use of Smart Medical Devices

By Tom Jackson and Phil Bradley-Schmieg

A cross-party group of UK Members of Parliament (“MPs”) is seeking to amend the UK’s ‘freedom of information’ regime under the Freedom of Information Act 2000 (“FOIA”) to also cover current and prospective private sector suppliers to the National Health Service (“NHS”) in England and Wales.

The Freedom of Information (Amendment) Bill (HC Bill 84) (the “Bill”) was introduced in the House of Commons on September 1, 2014, and was first published on October 28, 2014.  It was submitted by Labour MP Grahame Morris, with the support of a cross-party group of MPs from the Labour, Liberal Democrat, Conservative and Green parties.

If the Bill is enacted, it would place current and prospective suppliers of services to the NHS under significant transparency obligations in relation to:

  • bids, contracts, and service performance for the NHS in England and Wales, and
  • penalties relating to healthcare services imposed on the company, its officers, employees, affiliates or partners during the past five years, anywhere in the world.

This post provides a high-level look at these proposals.

Full post: UK Parliamentarians Seek FOI Changes To Force Private Sector Suppliers To Disclose NHS Contract Details