Sharing of patient data between Royal Free hospital and Google DeepMind breached Data Protection Act

A partnership between London's Royal Free hospital and DeepMind resulted in a breach of the Data Protection Act, an investigation by the Information Commissioner's Office (ICO) has concluded.

The personal data of more than 1.6 million patients was transferred to the Google subsidiary as part of the creation of Streams, an app to diagnose and detect acute kidney injury. The ICO found that patients were not properly informed about how their data would be used, and highlighted a "number of shortcomings" in the way data was handled.

The ICO was unhappy with the fact that app testing was carried out with real patient data, something it said went beyond the hospital's authority. In a letter to the NHS Foundation Trust, Elizabeth Denham, Information Commissioner, said that the hospital had not proved a need for testing the system with real patient data, and also suggested that too much data had been transferred.

Summing up her findings Denham said:

There's no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.

Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.

We've asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people's data is being used.

The hospital says that it has already made good progress in addressing the concerns raised by the ICO. DeepMind has also responded, and used a blog post to outline changes it has introduced:

• Our initial legal agreement with the Royal Free in 2015 could have been much more detailed about the specific project underway, as well as the rules we had agreed to follow in handling patient information. We and the Royal Free replaced it in 2016 with a far more comprehensive contract (available on this page), and we’ve signed similarly strong agreements with other NHS Trusts using Streams.
• We made a mistake in not publicising our work when it first began in 2015, so we’ve proactively announced and published the contracts for our subsequent NHS partnerships.
• In our initial rush to collaborate with nurses and doctors to create products that addressed clinical need, we didn't do enough to make patients and the public aware of our work or invite them to challenge and shape our priorities. Since then we have worked with patient experts, devised a patient and public engagement strategy, and held our first big open event in September 2016 with many more to come.
• In an effort to significantly increase the oversight of our work, we invited nine respected Independent Reviewers to scrutinize DeepMind Health, long before any regulatory or media criticism. This group is due to publish their findings from their first year soon, and we’re looking forward to their recommendations for how we can improve.

Image credit: Stephan Oppliger / Shutterstock