Data sharing between the Royal Free NHS Trust and Google’s DeepMind artificial intelligence (AI) division was illegal, according to a ruling by the Information Commissioner’s Office.
The ICO declared that a deal between the two organisations that saw the transfer of 1.6 million patient records to DeepMind without patient knowledge or approval was deemed to be a breach of the Data Protection Act.
As a result of an investigation by the ICO, Royal Free NHS Trust has been asked to sign an undertaking which commits it to acting in accordance to data protection laws with the assistance of the ICO.
However, the deal was lambasted in an academic paper published in Health and Technology for failing to be clear over privacy and data use, which in turn helped prompt the ICO investigation, alongside complaints from the general public.
Thee ICO also took issue with how the data was shared; while sensitive patient details such as names, NHS numbers and dates of birth are sent to DeepMind as encrypted data, there was nothing in the agreement that would prevent the AI organisation from decrypting the data at a non-NHS location. As such, the ICO deemed patient privacy was further at risk and the data sharing deal was in breach of the Data Protection Act.
Information Commissioner Elizabeth Denham acknowledged that the tests Royal Free and DeepMind were carrying out with the data were worthy and had generated positive results, which some may say justifies the breach of data protection rights.
However, she noted that the shortcomings in the data sharing were avoidable, such as Royal Free carrying out an assessment of impact the data sharing had to privacy only after it had already passed the data on to DeepMind.
“The price of innovation didn’t need to be the erosion of legally ensured fundamental privacy rights.,” she said.
“I’ve every confidence the Trust can comply with the changes we’ve asked for and still continue its valuable work. This will also be true for the wider NHS as deployments of innovative technologies are considered.”
While the ICO focused and levied blame for the breach of data protection on Royal Free, DeepMind also admitted it may have been hasty in its acceptance and use of the shared data.
“We were almost exclusively focused on building tools that nurses and doctors wanted, and thought of our work as technology for clinicians rather than something that needed to be accountable to and shaped by patients, the public and the NHS as a whole. We got that wrong, and we need to do better,” said DeepMind.
This is just as well given DeepMind has deepened its ties with the NHS further by aiming to launch a range of clinical mobile apps in partnership with Imperial College Healthcare NHS Trust.
Are you a Google expert? Take our quiz!
Worrying national security concerns for the Britsih government may reportedly scupper Nvidia's controversial acquisition of…