03.07.17
ICO: Patient data transfer to Google DeepMind by trust deemed unlawful
The Royal Free NHS FT failed to comply with data protection laws when it provided the data about 1.6 million patients to Google DeepMind for the trial of an app, the Information Commissioner's Office (ICO) has today ruled.
The information had been given to the AI arm of Google, called DeepMind, by the London trust at the end of last year as part of a trial to test an alert, diagnosis and detection app for acute kidney failure, called Streams.
It was hoped that once developed, Streams would speed up the time to alert clinicians of patients in need and free up over half a million hours a year for patient care.
But in May this year, the National Data Guardian (NDG) Dame Fiona Caldicott said that the transfer of data may have been transferred on a “inappropriate legal basis” as patients had not directly consented to sharing their data.
And the ICO has today ruled that there were shortcomings in how the data was handled, and has set out areas where the trust must commit to improving its track record with protecting its patient’s data.
Since the ICO investigation, the trust has been told to establish a legal basis under the Data Protection Act for the Google DeepMind project, as well as set out how it will comply with its duty of confidence to patients in the future.
It was also asked to complete a privacy impact assessment, with specific steps to ensure transparency and also commission an audit of the trail, the results of which will be shared with the ICO.
“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights,” said Elizabeth Denham, Information Commissioner.
“Our investigation found a number of shortcomings in the way patient records were shared for this trial,” she added. “Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.
“We’ve asked the trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.”
A spokesperson for the trust said that the driving force behind Streams had always been the power of technology to improve care for patients, and were pleased that the app could still be used to help vulnerable get the quickest care possible.
“We have co-operated fully with the ICO’s investigation which began in May 2016 and it is helpful to receive some guidance on the issue about how patient information can be processed to test new technology,” they said. “We also welcome the decision of the Department of Health to publish updated guidance for the wider NHS in the near future.”
They added that the trust accepted the ICO’s findings, and had already made good progress to address the areas where there were still concerns.
“We are now doing much more to keep our patients informed about how their data is used,” they continued. “We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.
“We look forward to working with the ICO to ensure that other hospitals can benefit from the lessons we have learnt.”
Have you got a story to tell? Would you like to become an NHE columnist? If so, click here.