DeepMind access breached NHS data privacy rules
An NHS hospital breached the Data Protection Act when it shared confidential data from 1.6 million patients with Google's DeepMind division.
This is the ruling by the Information Commissioner’s Office (ICO), which found London's Royal Free hospital did not properly inform patients about the use of their data.
The ruling is embarrassing for the hospital trust and DeepMind, but didn't result in any confidential data being leaked.
Exposed in April by New Scientist, the agreement saw the hospital hand over personal data of 1.6 million patients to DeepMind, which uses artificial intelligence (AI) to improve the speed and accuracy of medical diagnoses.
The company's Streams app aims to boost early intervention for acute kidney injury by providing doctors with alerts as soon as a patient’s health deteriorates.
The ICO was also not satisfied with the Trust’s belief that the clinical safety testing of the app amounted to direct care, the only setting in which there is no need for patient consent.
The ruling is in line with the view of the National Data Guardian, Dame Fiona Caldicott. In a letter to the ICO in May, Caldicott described the transfer as being made on an “inappropriate legal basis.”
The ICO agreed, stating that the transfer breached the First Data Protection Principle of the Data Protection Act.
“Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening,” said Elizabeth Denham, Information Commissioner, in a statement.
“We’ve asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome.”
The Royal Free responded to the decision in a statement, saying it had “signed up to all of the ICO’s undertakings” and accepted its findings.
It also said that it had “already made good progress to address the areas where they have concerns.”
Future plans
DeepMind, although not the focus of the ICO’s judgement, has also responded via a blog post: “We welcome the ICO’s thoughtful resolution of this case, which we hope will guarantee the ongoing safe and legal handling of patient data for Streams.”
The company will bear the ICO’s stance in mind for future projects it plans to carry out with the NHS.
Currently, the company is working with NHS hospitals to improve the diagnosis of eye conditions and aid in radiotherapy planning. It is also investigating blockchain technology to aid with patient data sharing.
Only last month, it extended its deal with the NHS to deploy its Streams app in trusts outside London. The app will now be used at Musgrove Park Hospital, part of the Taunton and Somerset NHS Foundation Trust.