Stacks of patient records. Image: Xray Computer/Shutterstock
DeepMind and the NHS have been informed that their app deal to gather records for 1.6m patients goes against UK data protection law.
With GDPR just around the corner, governments and companies are facing the need for much stricter and transparent data protection to prevent EU citizens from losing control over who can store and process their personal data.
Therefore, it has come as an expected blow for Google’s DeepMind and a group of NHS hospitals that a deal signed between them in 2015 to use 1.6m patients’ records without their permission was in violation of UK data protection law.
As part of the agreement, DeepMind processed these records for the Royal Free Trust – a group of three London-based hospitals – with the intention of using the gathered data to build an app called Streams.
The goal of the app was to provide doctors with alerts for when a patient might be at risk of developing acute kidney injury.
What proved problematic for the deal, however, was that patients had not given their consent. The argument put forward at the time by DeepMind and Royal Free Trust was that they had given “implied consent” because they would be using the Streams app.
In a statement, the Information Commissioner’s Office (ICO) – which has conducted a year-long investigation into the deal – said the parties involved “did not comply with the Data Protection Act” and that the UK trust must sign changes to ensure accordance with law.
Price of innovation should not erode privacy rights
The ICO’s information commissioner, Elizabeth Denham, commented on the deal, saying that its shortcomings were “avoidable”.
She said: “The price of innovation didn’t need to be the erosion of legally ensured, fundamental privacy rights.
“The vital message to take away is that you should carry out your privacy impact assessment as soon as practicable, as part of your planning for a new innovation or trial.”
DeepMind and Royal Free Trust have agreed to a new deal that is more compliant with data protection laws, including offering technical audits of the former’s systems.
In a statement, DeepMind welcomed the decision, admitting that there is a “fine line between finding exciting new ways to improve care, and moving ahead of patients’ expectations”.
