Google has started to remove private medical information from search results, after amending its policy regarding personal information.
The addition of “confidential, personal medical records of private people” to the company’s removal policy was made last week, the Guardian reports.
Google is known for attempting to resist censorship, and private medical information becomes only the fifth category of personal information on the company’s removal policy. It joins national identification numbers, bank and credit account numbers, images of signatures and so-called revenge porn.
Google’s decision to remove medical records on request comes amid growing concerns about the damage that leaked medical records can do to victims. Medical records are frequently targeted by criminals because they often contain names, dates of birth and home addresses. Google’s removal policy states that the company won’t usually remove such details on their own; it is when they appear alongside medical records that they become particularly harmful.
In December, an Indian pathology lab uploaded more than 43,000 patient records – including HIV blood test results – onto the internet. Similarly, an Uber executive was fired earlier this month for obtaining the medical records of a customer who had reportedly been raped during a ride.
In both cases, the information was left publicly accessible and, as such, searchable on Google. However, under the search engine’s new policy, this information would not have appeared. Given that Google is “the gateway to the internet” for many people, as the Guardian writes, information that’s removed from the site’s search results is “effectively scrub[bed] from the internet”.
The Guardian continues: “While the information will still be accessible via other search engines or directly, other associated actions including the [EU General Data Protection Regulation’s] right to be forgotten have seen being removed from Google’s search results as good enough to effect change”.
Learn more about the GDPR
The right to be forgotten is just one of many new requirements that organisations will have to comply with when the GDPR comes into force next year. With much stronger penalties for non-compliance, including for the mishandling of sensitive data such as medical records, all organisations should be reviewing what personal data they store and how they process it. Should an organisation be found responsible for a data breach, it could face a fine of up to €20 million or 4% of its annual global turnover – whichever is greater.
To get a full picture of the GDPR, we recommend reading EU GDPR – A Pocket Guide. Written by Alan Calder, IT Governance’s founder and executive chairman, the guide provides an introduction to the GDPR, explaining the terms used in the Regulation and the compliance requirements you need to meet.