On 3 July 2017 the Information Commissioner’s Office (“ICO“) determined that the Royal Free NHS Foundation Trust (the “Trust“) had breached the Data Protection Act 1998 (the “Act”) when it provided patient details to Google’s DeepMind.
The Trust provided personal data of approximately 1.6 million patients to Google’s Deep Mind as part of clinical safety tests of a new application ‘Streams’. The application is designed to provide an alert, diagnosis and detection system for acute kidney injury. However an ICO investigation found several issues with the way in which the personal data was handled, including that patients were not adequately informed of how their data would be used (i.e. as part of the clinical safety tests). These shortcomings amounted to non-compliance with at least four of the eight data protection principles under the Act.
The ICO subsequently required the Trust to sign an undertaking committing the Trust to bring its data processing activities in line with the Act. Both the Trust and Google’s DeepMind have also committed to a third party audit of their data processing arrangements for the clinical safety test, the results of which will be shared with the ICO.
The Information Commissioner, Elizabeth Denham, stated in connection with the matter that the “price of innovation does not need to be the erosion of fundamental privacy rights” – the shortcomings found in this instance were deemed to be avoidable, for example, a privacy impact assessment ought to have been conducted prior to the transfer of any data. The ICO also acknowledged that vast data and evolving technology allow for processing of greater data sets. However, it found that it was not necessary or proportionate to use data records of 1.6 million patients in the circumstances.
The ICO press release can be found here.