The UK’s Information Commissioner’s Office (ICO) has found that the Royal Free National Health Service (NHS) Foundation Trust (London, UK) did not adhere to the UK’s Data Protection Act when it provided patient details to Google DeepMind.
The Trust, a press release reports, provided personal data for around 1.6 million patients as part of a trial to test an alert, diagnosis and detection system for acute kidney injury.
According to the press release, an ICO investigation found several shortcomings in how the data were handled—including that patients were not adequately informed that their data would be used as part of the trial. The Trust has now been asked to commit to changes ensuring it is acting in line with the law by signing an undertaking. It has been asked to:
Establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials
Set out how it will comply with its duty of confidence to patients in any future trial involving personal data
Complete a privacy impact assessment, including specific steps to ensure transparency
Commission an audit of the trial, the results of which will be shared with the Information Commissioner, and which the Commissioner will have the right to publish as she sees appropriate.
Elizabeth Denham, Information Commissioner, says, “There is no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.” She adds that the Data Protection Act is not a “barrier to innovation” but that it “does need to be considered wherever people’s data is being used”.