BillionPhotos.com - Fotolia

Royal Free and Google DeepMind data sharing not compliant with DPA, ICO rules

Information Commissioner’s Office finds that the controversial NHS data-sharing deal with Google DeepMind did not fully comply with the Data Protection Act

The data-sharing deal between the Royal Free Hospital NHS Foundation Trust and Google-owned artificial intelligence firm DeepMind failed to comply with the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) has ruled.

The arrangement gives DeepMind access to the identifiable healthcare records of 1.6 million patients in order to test its Streams application. 

The Streams app aims to help clinicians identify those at risk of acute kidney injury by sending alerts to doctors and nurses, helping them to prioritise those who need immediate intervention. But in May last year, the ICO launched an investigation into the deal after receiving complaints from the public. 

In its investigation, the ICO said it found “a number of shortcomings in the processing of patient records” that amounted to “non-compliance” with several DPA principles.

This includes patients not being provided with enough information about the processing of their data, and that “patients would have been unable to exercise their rights to prevent the processing of their personal data under section 10 of the Act”.

In a letter to the Royal Free, information commissioner Elizabeth Denham said the mechanisms to inform patients that their data would be used were “inadequate”. 

“In short, the evidence presented to date leads the commissioner to conclude that data subjects were not adequately informed that the processing was taking place and that, as result, the processing was neither fair nor transparent,” Denham wrote.

The large number of patient records used for the clinical safety testing of the app also came under fire. “The commissioner is not persuaded that proper consideration was given to the necessity of processing so many patients’ records, the final ruling said.

“As such, the commissioner is of the view that the trust has failed to demonstrate that the processing of such a large number of partial records was both necessary and proportionate to the purpose pursued by the data controller and that the processing was potentially excessive.”

Commenting on the ruling, Denham said the creative use of data has huge potential to improve patient care and clinical care, “but the price of innovation does not need to be the erosion of fundamental privacy rights”.

A number of shortcomings

She added: “Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the trust could and should have been far more transparent with patients as to what was happening.”

Denham said the trust has been asked to commit to making changes to “address those shortcomings”. “The DPA is not a barrier to innovation, but it does need to be considered wherever people’s data is being used,” she added.

The Royal Free has been allowed to continue using the app and has agreed to make the changes necessary, including establishing a proper legal basis for the Google DeepMind project and any future trials, as well as setting out how it will comply with its “duty of confidence to patients” in any future trials.

It will also conduct a privacy impact assessment, and the Department of Health has agreed to issue updated guidance for the rest of the NHS.

In a statement, the trust said it “believes strongly in the power of technology to improve care for patients – and that has always been the driving force for our Streams app”.

“We are pleased that the information commissioner supports this approach and has allowed us to continue using the app, which is helping us to get the fastest treatment to our most vulnerable patients – potentially saving lives,” the trust said, adding that it has fully complied with the ICO’s investigation.

“We have signed up to all of the ICO’s undertakings and accept their findings,” it said. “We have already made good progress to address the areas where they have concerns.

“For example, we are now doing much more to keep our patients informed about how their data is used. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.”

Read more on Healthcare and NHS IT