This article was published on July 3, 2017

UK’S NHS has violated privacy of 1.6M patients in Google DeepMind medical trial, ICO says


UK’S NHS has violated privacy of 1.6M patients in Google DeepMind medical trial, ICO says

The British Information Commissioner’s Office (ICO) has asserted that the Royal Free National Health Security (NHS) Foundation Trust has failed to protect patient rights when granting Google DeepMind access to the personal data of more than 1.6 million individuals.

The Trust initially provided the information in question as part of a trial to “test an alert, diagnosis and detection system” (more commonly known as Streams) for acute kidney injury. Following an investigation, however, the ICO has found several inconsistencies in the way the NHS handled the data.

According to the watchdog, not all patients were adequately informed that their data would be used as part of a test. As a result, the Trust has been asked to make amendments to the way it works with DeepMind.

“Our investigation found a number of shortcomings in the way patient records were shared for this trial,” Information Commissioner Elizabeth Denham said. “Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.”

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

“We’ve asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used,” she continued.

As per the ICO, these are the measures the Trust is required to take:

  • establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials
  • set out how it will comply with its duty of confidence to patients in any future trial involving personal data
  • complete a privacy impact assessment, including specific steps to ensure transparency
  • commission an audit of the trial, the results of which will be shared with the Information Commissioner, and which the Commissioner will have the right to publish as she sees appropriate

The Trust has since responded to the matter with its own statement, promising to do its best to apply the necessary changes:

We have co-operated fully with the ICO’s investigation which began in May 2016 and it is helpful to receive some guidance on the issue about how patient information can be processed to test new technology. We also welcome the decision of the Department of Health to publish updated guidance for the wider NHS in the near future.

We accept the ICO’s findings and have already made good progress to address the areas where they have concerns. For example, we are now doing much more to keep our patients informed about how their data is used. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.

News reports about the questionable legitimacy of the Streams program first began popping up back in March 2017 after researchers suggested numerous inadequacies in the way the NHS handed over the data to Google’s subsidiary.

Doubts over the legality of NHS’s agreement with DeepMind continued to amplify in May, when the head of the British Department of Health, Dame Fiona Caldicott, expressed concern that the deal could be violating patient rights.

Correction: We have updated the title to more accurately reflect the details of the story. 

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with