DeepMind kidney app trial failed to comply with data protection law, probe finds

Information Commissioners Office finds Royal Free London NHS Foundation Trust handed over patient data in contravention of Data Protection Act

  • Information Commissioners Office has ruled that Royal Free London NHS Foundation Trust failed to comply with the Data Protection Act
  • Investigation launched in May 2016 after details of around 1.6 million patients were handed to Google DeepMind as part of a trial to test the Streams app, an alert, diagnosis, and detection system for acute kidney injury
  • Probe found several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test
  • Trust asked to commit to changes ensuring it is acting in line with the law

An NHS trust failed to comply with data protection rules when it handed patient details to a private company, an investigation has found.

The Information Commissioners Office (ICO) has ruled the Royal Free London NHS Foundation Trust failed to comply with the Data Protection Act when it provided personal data of around 1.6 million patients to Google DeepMind as part of a trial to test the Streams app, an alert, diagnosis, and detection system for acute kidney injury.

“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights

The ICO investigation found several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test.

And the trust has been asked to commit to changes ensuring it is acting in line with the law by signing an undertaking, although it is allowing use of the app to continue.

Elizabeth Denham, information commissioner, said: “There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.

“Our investigation found a number of shortcomings in the way patient records were shared for this trial.

“Patients would not have reasonably expected their information to have been used in this way, and the trust could, and should, have been far more transparent with patients as to what was happening.

“We’ve asked the trust to commit to making changes that will address those shortcomings, and their co-operation is welcome.

“The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.”

Following the ICO investigation, the trust has been asked to:

  • Establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials
  • Set out how it will comply with its duty of confidence to patients in any future trial involving personal data
  • Complete a privacy impact assessment, including specific steps to ensure transparency
  • Commission an audit of the trial, the results of which will be shared with the Information Commissioner, and which the commissioner will have the right to publish as she sees appropriate

The Information Commissioner has also published a blog, looking at what other NHS trusts can learn from this case.

Commenting on the findings, a statement from the Royal Free London NHS Foundation Trust says: “We passionately believe in the power of technology to improve care for patients and that has always been the driving force for our Streams app.

“We are pleased that the information commissioner supports this approach and has allowed us to continue using the app, which is helping us to get the fastest treatment to our most-vulnerable patients – potentially saving lives.

“We have co-operated fully with the ICO’s investigation, which began in May 2016, and it is helpful to receive some guidance on the issue about how patient information can be processed to test new technology.

We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety

“We have signed up to all of the ICO’s undertakings and accept their findings.

“We have already made good progress to address the areas where they have concerns. For example, we are now doing much more to keep our patients informed about how their data is used.

“We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.

“We look forward to working with the ICO to ensure that other hospitals can benefit from the lessons we have learnt.”

Companies