NHS and Google DeepMind broke privacy laws with Streams trial

The ICO (Information Commissioners Office) has ruled that the Royal Free NHS Trust failed to comply with the Data Protection Act in its work with Googles DeepMind.
The NHS started trials of DeepMind’s Streams app, designed to help clinical teams identify at-risk patients and treat them as quickly as possible, last year. As part of the trial, testing a diagnosis and detection system for acute kidney injury, DeepMind was given access to the personal data of around 1.6m patients.
The first signs that the trials may have infringed on data privacy laws came in May, when a letter from National Data Guardian Fiona Calcott was leaked, saying that the NHS Trust and DeepMind did not follow guidelines on implied consent.
The ICO’s announcement backs this up. Its investigation “found several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test”.
“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights,” said Information Commissioner Elizabeth Denham. “Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.”
The ICO has demanded that the Trust “establish a proper legal basis” for the Google DeepMind project and for any future trials; “set out how it will comply with its duty of confidence to patients” going forward; and “complete a privacy impact assessment”. However, it doesn’t seem that this decision will put a halt to trials, or impact on the NHS’s ever-expanding work with DeepMind – which last month saw Streams rolled out to its first hospital outside of London, Musgrove Park Hospital in Somerset.