Royal Free NHS Foundation Trust (the Trust) is one of the largest Trusts in the UK, employing more than 9,000 staff and providing services to over a million patients in North London.

On 3 July 2017, the UK Information Commissioner (ICO), the regulator overseeing data privacy, ruled that the Trust failed to comply with the Data Protection Act when it provided patient details to Google DeepMind. The Trust provided personal data of about 1.6 million patients as part of a trial to test an alert, diagnosis and detection system for acute kidney injury.

DeepMind works with hospitals on mobile tools and Artificial Intelligence to plan patient journey, from diagnosis to treatment, as quickly and accurately as possible. Streams, an application which is in use at the Trust, is based on a mobile technology platform to send immediate alerts to clinicians when a patient’s condition deteriorates. Streams has also been rolled out to other UK hospitals, and DeepMind has also diversified the application for use in other settings that include a project aimed at using Artificial Intelligence to improve diagnosis of diabetic retinopathy, and another aimed at using similar approach to better prepare radiotherapists for treating head and neck cancers The application therefore saves lives.

In her ruling, the ICO recognized the huge potential for innovative research and creative use of data on patient care and clinical improvements. However, ICO considered that the price of innovation does not need to be erosion of fundamental privacy rights. The ICO noted in particular: “[i]n relation to health data, the Commissioner and her office recognises the benefits that can be achieved by using patient data for wider public good and where appropriate, we support the development of innovative technological solutions that use personal data to improve clinical care. We would like to make it clear that the Commissioner has no desire to prevent or hamper the development of such solutions; however, such schemes and laudable ends must meet the necessary compliance mechanism set out in the Act.

In this case, the ruling is levelled against the Trust as the data controller responsible for compliance with the Data Protection Act throughout its partnership with Streams and DeepMind has been acting as a data processor processing personal data on behalf of the Trust.

The ruling is based on the ICO investigation which has identified several shortcomings in how the data were handled according to the terms of the agreement for the partnership between the Trust and DeepMind. Most importantly, as regards transparency in data sharing between the Trust and DeepMind, the ICO found that patients were not adequately informed that their data would be used as part of the test.

The Trust is required to provide an undertaking to ensure that personal data are processed in accordance with the Data Protection Act especially in relation to the following guiding principles: (a) personal data must be processed fairly and lawfully; (b) processing of personal data must be adequate, relevant and not excessive; (c) personal data must be processed in accordance with the rights of data subjects; and (d) appropriate technical and organisation controls must be taken, including the need to ensure that appropriate contractual controls are put in place when a data processor is used. These remedial measures are set out in the undertaking for the Trust to implement according to the time-table imposed by the ICO. The Trust is also required to commission an audit of the trial the results of which will be shared with the ICO and the results may be published as the ICO sees appropriate.