The ICO has published its ruling on the Royal Free NHS Trust sharing of patient data with Deep Mind (a Google owned AI company).
The data (1.6m records) had been shared as part of a trial to test an alert, diagnosis and detection system for acute kidney injury, but the ICO did not believe the patients had been given enough information about the use of the data in this way, and thus failing a number of the tests in the Data Protection Act.
Whilst a fine hasn’t been issued the ICO has sought a number of reassurances from Royal Free to ensure further sharing does not happen until proper steps are taken regarding the consent for the use of the data in this way. Specifically, the trust will now need to:
- establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials
- set out how it will comply with its duty of confidence to patients in any future similar trial
- complete a privacy impact assessment, including specific steps to ensure transparency
- commission an audit of the trial, the results of which to be shared with the Information Commissioner
You can read the full findings in a copy of the ICO letter to Royal Free and find more information about the case on the ICO website. The ICO has also published a blog post outlining four lessons other NHS Trusts can learn from the case.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR