The UK’s privacy body, the Information Commissioner’s Office (ICO), has ruled that a research partnership arrangement between Google DeepMind and the National Health Service (NHS) was illegal …
Some 1.6 million patient records were shared with Google in an attempt to use AI to predict which patients would be at risk from kidney damage. While the initiative was well-intentioned, it was suggested back in May that the legal basis for the data-sharing was ‘inappropriate.’ The ICO has today found that it was in fact illegal.
Today my office has announced that the Royal Free NHS Foundation Trust did not comply with the Data Protection Act when it turned over the sensitive medical data of around 1.6 million patients to Google DeepMind, a private sector firm, as part of a clinical safety initiative.
It was the NHS, rather than Google, which broke the law.
The finding hinges on something of a technicality. The law says that patients are ‘implied’ to have consented to data being shared for the purposes of their direct care, but as the aim here was to develop an app that would help future patients, no consent could be assumed. It was therefore ruled that patient consent should have been sought to use their data for research purposes. In practice, most patients consent to both forms of sharing, so it’s likely that a similar number of records would have been shared either way.
The NHS Trust in question has now agreed to change the way in which it shares data, and the ICO is keen to stress that it does not believe that there need be a conflict between privacy and research.
It’s welcome that the trial looks to have been positive. The Trust has reported successful outcomes. Some may reflect that data protection rights are a small price to pay for this.
But what stood out to me on looking through the results of the investigation is that the shortcomings we found were avoidable. The price of innovation didn’t need to be the erosion of legally ensured fundamental privacy rights. I’ve every confidence the Trust can comply with the changes we’ve asked for and still continue its valuable work. This will also be true for the wider NHS as deployments of innovative technologies are considered.
The ICO is simply reminding NHS bodies that they must ensure the correct patient consent is in place.
The project is one of a number of medical research partnerships between the NHS and Google’s DeepMind.