Mild rebuke for Royal Free after ‘serious shortcomings’ in provision of patient details to DeepMind
The ICO has ruled that the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act 1998 when it provided patient details to Google DeepMind.
The Trust provided personal data of around 1.6 million patients as part of a trial to test an alert, diagnosis and detection system for acute kidney injury.
But an ICO investigation found several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test.
The Trust has been asked to commit to changes ensuring it is acting in line with the law by signing an undertaking. The precise terms of that undertaking can be read here and the covering letter, which is also of interest to DP practitioners, can be read here.
Elizabeth Denham, Information Commissioner, said:
‘There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights. Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening. We’ve asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.’
Following the ICO investigation, the Trust has been asked to:
· establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials;
· set out how it will comply with its duty of confidence to patients in any future trial involving personal data;
· complete a privacy impact assessment, including specific steps to ensure transparency; and
· commission an audit of the trial, the results of which will be shared with the Information Commissioner, and which the Commissioner will have the right to publish as she sees appropriate.
The Information Commissioner has published a blog, looking at what other NHS Trusts can learn from this case. Most of those lessons are of general application, such as ‘carry out your privacy impact assessment as soon as practicable, as part of your planning for a new innovation’ and ‘New cloud processing technologies mean you can, not that you always should’. Cynics might suggest that, since the Trust’s undertaking (despite its length) merely requires Royal Free to comply with obligations it already had under the Act, another lesson is that a health trust which breaches the law with good intentions will suffer no real penalty.