Google DeepMind trial failed to comply with data protection – ICO

Royal Free Hospital asked to establish a 'proper legal basis' for project

The Royal Free NHS Foundation Trust failed to comply with the UK's Data Protection Act when it provided 1.6 million patient details to Google's DeepMind, the Information Commissioner's Office said today.

The trust provided the personal data as part of a trial to test an alert, diagnosis and detection system for acute kidney injury.

However, Dame Fiona Caldicott, National Data Guardian at the UK's Department of Health, had already deemed that use "legally inappropriate".

A subsequent ICO investigation found several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test.

The trust has been asked to sign an undertaking committing it to changes that ensure it acts in line with the law.

Elizabeth Denham, Information Commissioner, said patients would not have "reasonably expected" their information to have been used in this way, and the trust should have been far more transparent with patients.

"We've asked the trust to commit to making changes that will address those shortcomings, and their cooperation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people's data is being used."

Following the ICO probe, the trust has been asked to establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials, and set out how it will comply with its duty of confidence to patients in any future trial involving personal data.

It has also been asked to complete a privacy impact assessment and commission an audit of the trial.

Royal Free London said in a blog it was pleased that the Information Commissioner supports its approach to improving patient care via technology.

"We have cooperated fully with the ICO's investigation which began in May 2016 and it is helpful to receive some guidance on the issue about how patient information can be processed to test new technology. We also welcome the decision of the Department of Health to publish updated guidance for the wider NHS in the near future.

"We accept the ICO's findings and have already made good progress to address the areas where they have concerns. For example, we are now doing much more to keep our patients informed about how their data is used. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.

"We look forward to working with the ICO to ensure that other hospitals can benefit from the lessons we have learnt."

DeepMind said in a statement: "We welcome the ICO's thoughtful resolution of this case, which we hope will guarantee the ongoing safe and legal handling of patient data for Streams." ®

Biting the hand that feeds IT © 1998–2021