The Royal Free NHS trust failed to comply with the Data Protection Act when it gave patient information to Google DeepMind, the Information Commissioner’s Office has found.
The Royal Free and DeepMind started working together in 2016 on an app that would use patient data to help clinicians monitor patients with acute kidney injury (AKI). The Royal Free provided DeepMind with 1.6 million pieces of patient data as part of a trial to alert clinicians of those at risk of AKI.
The deal was criticised due to the lack of transparency over the use of patient data, most of which was handed over to DeepMind without explicit or implied consent.
An ICO investigation has now found several shortcomings in how the data was handled. ICO indicate that patients were not adequately informed that their data would be used as part of the test.
The Royal Free trust has signed an undertaking to ensure it is acting in line with the law.
Elizabeth Denham, Information Commissioner, said:”There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.
“Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.
“We’ve asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.”
After the investigation the trust was asked to establish a proper legal basis under the Data Protection Act for the Google DeepMind project and other future trials; set out how it will with its duty of confidence to patients in any future trial involving personal data; complete a privacy impact assessment, including specific steps to ensure transparency and commission an audit of the trial, the results of which will be shared with the Information Commissioner, and which the Commissioner will have the right to publish as she sees appropriate.
The letter outlining the conclusions of the ICO’s investigation can be viewed here.