A partnership between London's Royal Free hospital and DeepMind resulted in a breach of the Data Protection Act, an investigation by the Information Commissioner's Office (ICO) has concluded.
The personal data of more than 1.6 million patients was transferred to the Google subsidiary as part of the creation of Streams, an app to diagnose and detect acute kidney injury. The ICO found that patients were not properly informed about how their data would be used, and highlighted a "number of shortcomings" in the way data was handled.
The ICO was unhappy with the fact that app testing was carried out with real patient data, something it said went beyond the hospital's authority. In a letter to the NHS Foundation Trust, Elizabeth Denham, Information Commissioner, said that the hospital had not proved a need for testing the system with real patient data, and also suggested that too much data had been transferred.
Summing up her findings, Denham said:
There's no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.
Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.
We've asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people's data is being used.
The hospital says that it has already made good progress in addressing the concerns raised by the ICO. DeepMind has also responded, and used a blog post to outline changes it has introduced: