The Information Commissioner’s Office has ruled the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act when it provided patient details to Google DeepMind.
The Trust provided personal data of around 1.6 million patients as part of a trial to test an alert, diagnosis and detection system for acute kidney injury.
But an ICO investigation found several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test.
The Trust has been asked to commit to changes ensuring it is acting in line with the law by signing an undertaking.
Elizabeth Denham, Information Commissioner, said: “There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.
“Our investigation found a number of shortcomings in the way patient records were shared for this trial.
“Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.
“We’ve asked the Trust to commit to making changes that will address those shortcomings, and their cooperation is welcome.
“The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.”
Following the ICO investigation, the Trust has been asked to:
- establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials;
- set out how it will comply with its duty of confidence to patients in any future trial involving personal data;
- complete a privacy impact assessment, including specific steps to ensure transparency; and
- commission an audit of the trial, the results of which will be shared with the Information Commissioner, and which the Commissioner will have the right to publish as she sees appropriate.
The undertaking the ICO has asked the Trust to sign, and the letter outlining the conclusions of the ICO’s investigation, have both been published.
The Information Commissioner has also published a blog, looking at what other NHS Trusts can learn from this case.