Royal Free & Google DeepMind trial failed to comply with data protection law


The ICO has published its ruling on the Royal Free NHS Trust's sharing of patient data with DeepMind (a Google-owned AI company).

The data (1.6m records) had been shared as part of a trial to test an alert, diagnosis and detection system for acute kidney injury, but the ICO did not believe the patients had been given enough information about the use of their data in this way, so the sharing failed a number of the tests in the Data Protection Act.

Whilst a fine hasn’t been issued, the ICO has sought a number of reassurances from Royal Free to ensure further sharing does not happen until proper steps are taken regarding consent for the use of the data in this way. Specifically, the trust will now need to:

  • establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials
  • set out how it will comply with its duty of confidence to patients in any future similar trial
  • complete a privacy impact assessment, including specific steps to ensure transparency
  • commission an audit of the trial, the results of which will be shared with the Information Commissioner

You can read the full findings in a copy of the ICO letter to Royal Free and find more information about the case on the ICO website. The ICO has also published a blog post outlining four lessons other NHS Trusts can learn from the case.
