ICO investigation found a number of ‘shortcomings’ in the way patient records were shared.
The UK’s Information Commissioner’s Office (ICO) has ruled that a hospital did not do enough to protect the privacy of its patients when it shared data with Google DeepMind.
The data sharing relates to a medical trial conducted at the Royal Free NHS Foundation, in which the details of 1.6 million patients were handed over to Google’s DeepMind division.
The information generated by the medical trial, which involved finding ways to detect kidney injuries, was used to develop a system that can spot when patients are at risk of developing acute kidney injury (AKI).
An app called Streams resulted from the trial and was designed to help doctors identify patients at risk of AKI.
The ICO, however, has ruled that the hospital did not give patients a detailed explanation of how their data would be used, with information commissioner Elizabeth Denham saying in a statement:
“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.
“Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.
“We’ve asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.”
The trust has not been fined by the ICO but has instead signed an undertaking to change the way in which it handles data. The trust has agreed to undertake the following changes:
- establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials;
- set out how it will comply with its duty of confidence to patients in any future trial involving personal data;
- complete a privacy impact assessment, including specific steps to ensure transparency; and
- commission an audit of the trial, the results of which will be shared with the Information Commissioner, and which the Commissioner will have the right to publish as she sees appropriate.
The Royal Free welcomed the guidance of the ICO, saying in a statement:
“We are pleased that the information commissioner supports this approach and has allowed us to continue using the app which is helping us to get the fastest treatment to our most vulnerable patients – potentially saving lives.
“We have co-operated fully with the ICO’s investigation which began in May 2016 and it is helpful to receive some guidance on the issue about how patient information can be processed to test new technology. We also welcome the decision of the Department of Health to publish updated guidance for the wider NHS in the near future.
“We accept the ICO’s findings and have already made good progress to address the areas where they have concerns.”
Google, meanwhile, pledged to reflect on its involvement with hospitals and welcomed the “thoughtful resolution” of the case. In a statement, Google said:
“In our determination to achieve quick impact when this work started in 2015, we underestimated the complexity of the NHS and of the rules around patient data, as well as the potential fears about a well-known tech company working in health. We were almost exclusively focused on building tools that nurses and doctors wanted, and thought of our work as technology for clinicians rather than something that needed to be accountable to and shaped by patients, the public and the NHS as a whole. We got that wrong, and we need to do better.”
Google and Royal Free caused heated debate when the two parties first agreed to collaborate in February 2016. Debate centered around the amount of patient information being shared without public consultation and the risk to patients’ privacy.
“Whilst a worthy cause, innovating healthcare services shouldn’t come at the cost of sacrificing civil liberties. Medical records are amongst the most sensitive types of data any organisation can hold about a person,” said Rafael Laguna, CEO, Open-Xchange.
“Failure to comply with the Data Protection Act by trading patient records without consent could be viewed by many as a double assault by the UK government and Google on the public’s right to privacy.
“Consent and trust is critical. A government willing to conspire with the private sector to normalise privacy infringements in the guise of ‘innovation’ will arguably only end up opening the door to future citizen abuses. Where would we be if the same data had been shared with insurers for example, would millions of people suddenly find their premiums increasing without their knowledge?”