The first step to data privacy is simple common sense

We are deluged with regulation, legislation and opinion on data protection and privacy these days, in a digital world where personal data is proliferating almost beyond control.

Enterprises are dedicating significant resources to preparation for the EU’s General Data Protection Regulation (GDPR), due to come into force in May 2018. It’s a hot topic in corporations and government, mentioned in any discussion around the internet and smartphones. You would think it’s impossible for any executive not to consider the privacy implications of decisions they make that affect the personal data they store about customers. You’d think…

But once more, we have a justified furore around a tech company, its client, and their lackadaisical attitude towards personal information. In the latest case, the Royal Free Hospital has been found to have broken data protection laws in an agreement that allowed access to 1.6 million healthcare records for Google’s DeepMind artificial intelligence subsidiary.

The information commissioner, Elizabeth Denham, got right to the point in saying, “The price of innovation does not need to be the erosion of fundamental privacy rights”.

Nobody would disagree that better use of medical data can help bring innovative new technologies to the benefit of patient care, but organisations can’t forget that the data they’re using doesn’t belong to them – it’s ours.

Royal Free and DeepMind issued suitable mea culpas, and stood behind legalese about the deal they had reached.

But at no time, so it seems, did anyone involved simply ask themselves, “How would a patient feel if they knew we were doing this with their data?” Applying simple common sense and human empathy would surely tell companies whether what they’re doing is right – before they get the lawyers involved to tell them if it’s also legal.

Without wishing to pick on the NHS, it does have form here. The controversial and now scrapped scheme to upload patient records from GPs to be used by medical researchers and pharmaceutical companies collapsed in 2016 after an outcry about public consent.

The lack of common sense shown in that scheme put back a genuinely beneficial use of medical data for years. Few people would argue against the likely positives for developing new medicines and treatments. But the scheme was run with so little consideration for privacy and consent around people’s most sensitive data that a backlash was inevitable.

It’s difficult to legislate for common sense, but in the increasingly controversial area of how our personal data can be used by companies and governments, it’s an attribute that needs to be applied at the start of every conversation.