Data belonging to 1.6 million patients was illegally shared with Google after a National Health Service (NHS) trust tested a medical app with the tech giant.
The Information Commissioner’s Office (ICO) ruled on Monday that the Royal Free NHS Foundation Trust had not complied with the Data Protection Act when it provided information to Google’s DeepMind program.
Artificial intelligence agency DeepMind was given the data in order to try out a smartphone application called Streams. The app was set to alert doctors about patients at risk of acute kidney injuries.
According to the ICO, “a number of shortcomings” were found in how the hospital handled data, including a failure to tell patients that their information could be used in tests.
“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights,” said Information Commissioner Elizabeth Denham.
“Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way and the trust could and should have been far more transparent with patients as to what was happening.”
“The Data Protection Act is not a barrier to innovation but it does need to be considered wherever people’s data is being used,” the ICO said.
The hospital failed to offer an apology, but rushed to reassure its patients that the information shared “has been in our control at all times.”
DeepMind said in a statement: “Although today’s findings are about the Royal Free, we need to reflect on our own actions too.
“In our determination to achieve quick impact when this work started in 2015, we underestimated the complexity of the NHS and of the rules around patient data, as well as the potential fears about a well-known tech company working in health.”