Royal Free, DeepMind Patient Data Sharing Deal Violated UK's Data Protection Law

The Information Commissioner’s Office (ICO), the UK’s data protection authority, ruled that the Royal Free NHS Foundation Trust failed to comply with the UK’s Data Protection Act. According to the ICO, Royal Free gave DeepMind access to the data of 1.6 million patients without fully disclosing to them how it would be used.

Royal Free And DeepMind’s Deal

Royal Free entered a five-year deal with DeepMind, a British machine learning technology company that was acquired by Google in 2014, to collaborate on developing an application, called “Streams,” that would help doctors more accurately diagnose some diseases and improve treatment for patients. The app would also alert doctors and nurses when certain patients are at risk of getting ill based on the information it already has on them.

The UK’s National Data Guardian, which oversees how medical data is used, was the first body to conclude that the deal between Royal Free and DeepMind rested on an “inappropriate legal basis.” The deal was supposed to cover access to patient data only for “testing” purposes, not for “direct care.”

Since then, the ICO has conducted its own investigation and appears to have reached similar conclusions.

Elizabeth Denham, Information Commissioner, said:

There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.

Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.

We’ve asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.

Required Changes

It doesn’t look like the ICO will fine Google; it appears to hold Royal Free primarily accountable for this privacy violation, as the hospital was the data controller. Going forward, the ICO wants to see changes to the deal. These include establishing a proper legal basis for sharing patient data with DeepMind, requiring Royal Free to complete a privacy impact assessment of the deal, and commissioning a third-party audit of the trial.

Although DeepMind was not identified as the main party at fault here, the company appears to have already taken some steps to improve the transparency of its collaboration with NHS trusts. These include publishing more details about the deal and being more mindful of how patients would be affected by the company’s processing of their data.

The company has also started working on Verifiable Data Audit technology, which uses a digital ledger to ensure the integrity of medical records and to record how and when others make use of that data. For instance, this could be used to verify whether DeepMind itself or some other organization has been processing patient data without approval. DeepMind hopes to build an initial version of this digital ledger by the end of this year.
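To make the idea of a verifiable audit ledger concrete, here is an added illustration (not DeepMind’s design, and not code from the article): an append-only access log in which each entry records who touched which record, when, and under which approval, with entries chained by SHA-256 so that editing or deleting a past entry breaks every later hash. The class and field names, the approval reference “DSA-2016-Streams” and the sample events are all constructed for this example.

```python
"""Toy tamper-evident access ledger (constructed example, not a real product).

Each entry holds a payload (actor, record, action, approval, timestamp), the
hash of the previous entry, and its own hash over (prev_hash + payload).
verify() walks the chain, reports the first break, and lists accesses that
carry no approval reference, which is the kind of question an auditor asks.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # hash used as the "previous" link of the first entry


def _digest(prev_hash, payload):
    # Canonical JSON so the hash does not depend on dict key ordering
    material = prev_hash + json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


@dataclass
class Entry:
    payload: dict
    prev_hash: str
    entry_hash: str


class AccessLedger:
    def __init__(self):
        self.entries = []

    def append(self, actor, record_id, action, approval=None, ts=None):
        """Record one data access; returns the new head hash."""
        payload = {"actor": actor, "record": record_id, "action": action,
                   "approval": approval, "ts": ts}
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = Entry(payload, prev, _digest(prev, payload))
        self.entries.append(entry)
        return entry.entry_hash

    def head(self):
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (chain_intact, indexes_of_unapproved_accesses).

        expected_head is a head hash published earlier to an outside party;
        passing it also detects silent truncation or rewriting of the tail.
        """
        prev = GENESIS
        unapproved = []
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev or _digest(prev, e.payload) != e.entry_hash:
                return False, unapproved  # link or content altered here
            if not e.payload["approval"]:
                unapproved.append(i)
            prev = e.entry_hash
        if expected_head is not None and prev != expected_head:
            return False, unapproved  # ledger tail differs from published head
        return True, unapproved


def demo():
    """Constructed scenario: one approved read, one unapproved read, then tampering."""
    ledger = AccessLedger()
    ledger.append("streams-app", "patient-0001", "read",
                  approval="DSA-2016-Streams", ts="2017-07-03T09:00:00Z")
    ledger.append("research-team", "patient-0002", "read",
                  approval=None, ts="2017-07-03T09:05:00Z")
    intact_before, unapproved = ledger.verify()

    # Someone later edits the log to make the unapproved access look approved
    ledger.entries[1].payload["approval"] = "DSA-2016-Streams"
    intact_after, _ = ledger.verify()
    return intact_before, unapproved, intact_after


if __name__ == "__main__":
    print(demo())  # expected: (True, [1], False)
```

The chain alone only proves that entries were not changed after they were written; an operator who controls the whole log could still rewrite the tail and recompute the hashes. That is why `verify()` accepts an `expected_head`: periodically publishing the head hash to an independent party (the patient’s hospital, a regulator) turns a self-audit into one that others can check, which is the property the article’s “verifiable” wording points at.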

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • rantoc
    Aww, the UK government has patented a camera up your arse (TM), so any snooping besides the government's is a patent violation!

    I believe the UK still rules the CPC (Cameras per Citizen) among other spying-on-their-own-people metrics.