EU's General Data Protection Regulation (GDPR) in action

Amazon Alexa and NHS partnership could put patient data at risk


Amazon-NHS partnership puts data privacy back in the spotlight.

It’s been impossible to escape the issue of data privacy in the business world in recent times, largely thanks to the EU's General Data Protection Regulation (GDPR), which came into force in 2018.

GDPR compels organisations to prevent personal data from getting into the wrong hands and to ensure that it is obtained with consent. It also places a strong onus on companies to respect the rights of individuals over their own data, such as complying with requests for access.

Organisations now have to be more careful not only to stay on the right side of the new law, but also not to be seen to be working around it. The latest organisation to be put under the microscope by data privacy experts is the UK’s very own National Health Service (NHS).

The NHS recently announced a new partnership with Amazon which will allow users to ask for health advice from verified NHS sources using their Alexa device.

Data cannot be stored indefinitely

In criticising the move, Phil Booth, a coordinator at medConfidential, a group which campaigns for confidentiality and consent in health and social care, stopped short of saying that Amazon would be breaking any laws but raised concerns about what it intends to do with the patient conversations.

Above: VUI designer.
Photo by Jan Kolar 

“We know that Amazon automatically creates transcripts of those recordings and at this stage it is unclear, if someone deletes the recordings, whether the transcript is also deleted,” he told digitalhealth.

“Given that the information we are talking about would be considered sensitive personal data – it indicates mental or physical health – there is very specific and strong protection around that data in the UK through GDPR.”

GDPR states that personal information can only be stored for a set amount of time – not indefinitely – and only for specific uses.

‘We take privacy seriously’

When asked about privacy and the NHS partnership, an Amazon spokeswoman reassured patients that “customer trust is of utmost importance, and Amazon take privacy seriously,” and the company is not building health profiles, nor will information be shared with third parties.

However, the spokeswoman did not say whether Amazon will be storing the conversations arising from the partnership.

Writing for digitalhealth, cybersecurity columnist Davey Winder was unequivocal on the matter. “Amazon will be [storing NHS queries],” he writes. “As soon as the Alexa wake up word is heard, your Amazon device begins recording audio and transmitting that to the Amazon cloud.”

Amazon claims it does so to improve users’ experience with Alexa. But, as Winder points out, “things can go very wrong even with the best intentions in the world”.

It’s perhaps that last point that businesses should take away from this contentious issue. If data were to end up in the wrong hands, the organisation responsible for handling it would face serious enforcement action.

The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million – whichever is greater – for organisations that infringe its requirements. While not all data protection infringements will lead to fines, businesses also have to factor in the potential loss of customers and the reputational damage they will suffer if they are seen not to be treating data with due diligence.
