Google’s DeepMind made illegal deal with NHS for health data, ICO says

A London hospital trust was wrong to share details of 1.6 million patients with Google’s artificial intelligence company DeepMind, the UK’s data protection regulator has said.The information generated by the medical trial, which involved finding ways to detect kidney injuries, was used to develop a system that can spot when patients are at risk of developing acute kidney injury (AKI).Following a year-long investigation the Information Commissioner’s Office (ICO) has ordered the Royal Free NHS Foundation Trust to set-out a proper legal basis for processing the patient data. The ICO recognised that many of these issues have already been addressed by the Royal Free, and has asked the Trust to sign a formal undertaking to ensure compliance in future.The measures are unlikely to appease privacy organisations and campaign groups that have continued to maintain the Deepmind had infringed data protection legislation in partnership with the trust.Details on about 1.6 million patients was provided to Google’s DeepMind division during the early stages of the medical trial previous year.”The price of innovation does not need to be the erosion of fundamental privacy rights”, she said. “I’ve every confidence the Trust can comply with the changes we’ve asked for and still continue its valuable work”, Denham said.With Streams continuing to be used by the trust, which claims it is realising significant operational benefits from the technology for staff, the ICO is demanding a privacy impact assessment to ensure transparency and an audit of the trial it carried out previous year for possible public scrutiny.The watchdog said it was waiting for that the London-based Royal Free to agree to undertakings to improve its methods of sharing patient records.”The evidence presented to date leads the commissioner to conclude that data subjects were not adequately informed that the processing was taking place and that as result, the processing was neither fair nor transparent”.The data-sharing deal between Google DeepMind and the Royal Free NHS Trust was illegal, the Information Commissioner’s Office (ICO) has ruled. The ICO says it hasn’t found any problems as yet, but the audit should look at how data in the live app is being used.The commissioner notes the recent improvements that have been made by the data controller to improve transparency and that a revised notice regarding live clinical use is now available.The Royal Free did not tell patients that Google would have access to such information, but said it had “implied consent” because patients knew the Streams app offered “direct care”. First, health data is sensitive and should be handled with extreme caution.Ms Aisling Burnand, Chief Executive of the Association of Medical Research Charities (AMRC), said: ‘We hope this decision paves the way for more clarity around the use of patient data.The hospital failed to offer an apology, but rushed to reassure its patients that the information shared “has been in our control at all times”.”We were nearly exclusively focused on building tools that nurses and doctors wanted, and thought of our work as technology for clinicians rather than something that needed to be accountable to and shaped by patients, the public and the NHS as a whole”.In our initial rush to collaborate with nurses and doctors to create products that addressed clinical need, we didn’t do enough to make patients and the public aware of our work or invite them to challenge and shape our priorities.