ICO Ruling on Royal Free and Google DeepMind Trial

July 2, 2017

The ICO has ruled that the Royal Free NHS Foundation Trust
failed to comply with the Data Protection Act 1998 when it provided patient
details to Google DeepMind.

The Trust provided personal data of around 1.6 million
patients as part of a trial to test an alert, diagnosis and detection system
for acute kidney injury.

But an ICO investigation found several shortcomings in how
the data was handled, including that patients were not adequately informed that
their data would be used as part of the test.

The Trust has been asked to commit to changes ensuring it is
acting in line with the law by signing an undertaking. The precise terms of
that undertaking can be read here
and the covering letter, which is also of interest to DP practitioners, can read

Elizabeth Denham, Information Commissioner, said:

‘There’s no doubt the huge potential that creative use of
data could have on patient care and clinical improvements, but the price of
innovation does not need to be the erosion of fundamental privacy rights. Our investigation
found a number of shortcomings in the way patient records were shared for this
trial. Patients would not have reasonably expected their information to have
been used in this way, and the Trust could and should have been far more
transparent with patients as to what was happening. We’ve asked the Trust to
commit to making changes that will address those shortcomings, and their
co-operation is welcome. The Data Protection Act is not a barrier to
innovation, but it does need to be considered wherever people’s data is being

Following the ICO investigation, the Trust has been asked to:

establish a proper legal basis under the Data
Protection Act for the Google DeepMind project and for any future trials;

set out how it will comply with its duty of
confidence to patients in any future trial involving personal data;

complete a privacy impact assessment, including
specific steps to ensure transparency; and

commission an audit of the trial, the results of
which will be shared with the Information Commissioner, and which the
Commissioner will have the right to publish as she sees appropriate.

The Information Commissioner has published a blog, looking
at what other NHS Trusts can learn from this case. Most of those lessons are of
general application, such as ‘carry out your privacy impact assessment as soon
as practicable, as part of your planning for a new innovation’ and ‘New cloud
processing technologies mean you can, not that you always should’. Cynics might
suggest that, since the Trust’s undertaking (despite its length) merely
requires Royal Free to comply with obligations it already had under the Act, another
lesson is that a health trust which breaches the law with good intentions will
suffer no real penalty.