The Royal Free NHS Foundation Trust failed to comply with the UK's Data Protection Act when it provided 1.6 million patient details to Google's DeepMind, the Information Commissioner's Office said today.
The trust provided the personal data as part of a trial to test an alert, diagnosis and detection system for acute kidney injury.
However, Dame Fiona Caldicott, National Data Guardian at the UK's Department of Health, had already deemed that use "legally inappropriate".
A subsequent ICO investigation found several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test.
The trust has been asked to sign an undertaking committing it to changes that ensure it is acting in line with the law.
Elizabeth Denham, Information Commissioner, said patients would not have "reasonably expected" their information to have been used in this way, and the trust should have been far more transparent with patients.
"We've asked the trust to commit to making changes that will address those shortcomings, and their cooperation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people's data is being used."
Following the ICO probe, the trust has been asked to establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials, and set out how it will comply with its duty of confidence to patients in any future trial involving personal data.
It has also been asked to complete a privacy impact assessment and commission an audit of the trial.
Royal Free London said in a blog it was pleased that the Information Commissioner supports its approach to improving patient care via technology.
"We have cooperated fully with the ICO's investigation which began in May 2016 and it is helpful to receive some guidance on the issue about how patient information can be processed to test new technology. We also welcome the decision of the Department of Health to publish updated guidance for the wider NHS in the near future.
"We accept the ICO's findings and have already made good progress to address the areas where they have concerns. For example, we are now doing much more to keep our patients informed about how their data is used. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.
"We look forward to working with the ICO to ensure that other hospitals can benefit from the lessons we have learnt."
DeepMind said in a statement: "We welcome the ICO's thoughtful resolution of this case, which we hope will guarantee the ongoing safe and legal handling of patient data for Streams." ®