Compliance Management

ICO, surprisingly, doesn’t lose its mind over NHS DeepMind experiment

The UK's data watchdog has ruled that the Royal Free NHS Foundation “failed to comply” with current data protection laws while providing Google's DeepMind information on its patients.

Over 1.6 million patient records were handed over by the Trust, and Google's DeepMind used the data generated by the trial to develop an app named Streams which can be used for “diagnosis and detection” of acute kidney injury (AKI).

The Information Commissioner's Office (ICO) said the trust failed to comply with the Data Protection Act. Following a year long investigation, “several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test,” were found.

Elizabeth Denham, the Information Commissioner, said in a press release: “Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.”

To rectify the situation, Denham said, “We've asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people's data is being used.”

The Trust has not been fined by the ICO, and instead has signed an “undertaking”, essentially promising to change how it handles data. The terms of the agreement are:

  • establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials;

  • set out how it will comply with its duty of confidentiality to patients in any future trial involving personal data;

  • complete a privacy impact assessment, including specific steps to ensure transparency; and

  • commission an audit of the trial, the results of which will be shared with the Information Commissioner, and which the Commissioner will have the right to publish as she sees fit.

The Royal Free said in a statement: “We passionately believe in the power of technology to improve care for patients and that has always been the driving force for our Streams app. We have signed up to all of the ICO's undertakings and accept their findings. We have already made good progress to address the areas where they have concerns. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.”

The sharing of information between the NHS Trust and Google's neural network developed by DeepMind stole the limelight in 2016. The fear was that Google, which analyses users' data to target advertising, would abuse the data from the Trust.

However, Google welcomed the “thoughtful resolution” of the case by the ICO, saying: “In our determination to achieve quick impact when this work started in 2015, we underestimated the complexity of the NHS and of the rules around patient data, as well as the potential fears about a well-known tech company working in health.”

The search giant said it felt it spent too much time on building tools which “nurses and doctors wanted”, but forgot that it “needed to be accountable to and shaped by patients, the public and the NHS as a whole”.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.