Hospital breached data protection rules for Google app trial

A HOSPITAL breached the Data Protection Act by sharing the details of 1.6 million patients with Google DeepMind for a medical trial.

The Royal Free NHS Foundation Trust handed over the personal data as part of a trial to test an alert, diagnosis and detection system for acute kidney injury.

But an investigation by the Information Commissioner’s Office (ICO) found “several shortcomings” in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test.

Information Commissioner Elizabeth Denham said the Trust “could and should have been far more transparent with patients as to what was happening.”

DeepMind – a Google-owned artificial intelligence company – worked with the Trust to create the healthcare app Streams which is designed to help doctors and nurses spot signs of kidney failure. Just last month the app was extended to Musgrove Park Hospital in Somerset following its launch at the Royal Free in London.

DeepMind has always said that no data is shared with its parent firm.

The ICO ruled that testing the app with real patient data went beyond Royal Free’s authority. It stated: “A patient presenting at accident and emergency within the last five years to receive treatment or a person who engages with radiology services and who has had little or no prior engagement with the Trust would not reasonably expect their data to be accessible to a third party for the testing of a new mobile application, however positive the aims of that application may be.”

The Trust has escaped a fine but has signed an undertaking committing to comply with the law in future. It will complete a privacy impact assessment, commission an audit of the trial and share the results with the ICO, and set out how it will comply with data protection rules in any future trial involving personal data.