The Information Commissioner’s Office (ICO) has found that Google’s DeepMind partnership with the Royal Free NHS Foundation Trust “failed to comply with the Data Protection Act”.
As part of the trial to test an alert, diagnosis and detection system for acute kidney injury (AKI), Google DeepMind received the details of approximately 1.6 million patients.
A year-long investigation by the ICO, the national data protection watchdog, found a series of issues in the way the data was handled, including that patients were inadequately informed about their data being used as part of the trial.
Elizabeth Denham, information commissioner, commented on the findings: “There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.
“Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.
“We’ve asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.”
As a result, the ICO has asked the Trust to sign an undertaking as proof that it will commit to several changes, including:
- establishing a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials;
- setting out how it will comply with its duty of confidence to patients in any future trial involving personal data;
- completing a privacy impact assessment, including specific steps to ensure transparency; and
- commissioning an audit of the trial, the results of which will be shared with the Information Commissioner, and which the Commissioner will have the right to publish as she sees appropriate.
Despite ruling the deal was illegal, the ICO is not planning to issue a fine, as it did when it asked TalkTalk to pay £400,000 after it deemed that security failures had allowed a cyber attacker to access data “with ease” following a hack last year.
The deal between DeepMind and the Trust was struck under the radar in September 2015 and unveiled by the New Scientist in April the following year.