Information Commissioner urges NHS Trusts to prioritise privacy

The Information Commissioner has ruled that a major hospital failed to comply with the Data Protection Act when it provided patient details to Google’s DeepMind.

The Royal Free NHS Trust was deemed not to have fulfilled its legal obligation to maintain patient privacy when it shared confidential information with Google’s DeepMind division.

DeepMind is Google’s artificial intelligence (AI) arm. It developed an app called Streams in 2016, which was deployed the following year, to help flag up serious health problems in patients with acute kidney injury (AKI). The aim was to improve the delivery of care to these patients by giving doctors ‘breaking news’ style alerts on their smartphones if patients were deteriorating. AKI is estimated to cause 40,000 deaths and cost the NHS more than £1 billion every year.

However, the ICO discovered a series of faults in how the data was handled, including the fact that patients were not properly informed that their data would be used as part of the test. The commission has urged all trusts to heed this and act accordingly.

Elizabeth Denham, Information Commissioner, acknowledged the ‘huge potential’ that creative use of data could have for patient care and clinical improvements, but stressed the importance of privacy.

She said, “Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.

“We’ve asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.”

The Royal Free has been asked to commit to a set of recommendations. It must: establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials; set out how it will comply with its duty of confidence to patients in any future trial involving personal data; complete a privacy impact assessment, including specific steps to ensure transparency; and commission an audit of the trial, the results of which will be shared with the Information Commissioner, and which the Commissioner will have the right to publish as she sees appropriate.