The UK’s Information Commissioner’s Office says the Royal Free NHS Foundation Trust breached the Data Protection Act when it handed over patient data to Google’s artificial intelligence arm DeepMind.

The parties signed a deal in November 2016 to develop a "ground-breaking" new mobile clinical app called Streams, being designed in the first instance to alert healthcare professionals if patients are at risk of developing acute kidney injury.

But eyebrows were raised when it emerged that the Trust had provided DeepMind with personal - and reportedly identifiable - data on around 1.6 million patients as part of a trial to test the new system.

This triggered an ICO investigation, which has now concluded that there were several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test.

“Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening,” said information commissioner Elizabeth Denham.

“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.”

The ICO is allowing the continued use of the app, but has asked the Trust to commit to changes ensuring it is acting in line with the law by signing an undertaking, which it has now done.

Also, it must establish “a proper legal basis under the Data Protection Act for the Google DeepMind project and for any future trials” and set out how it will “comply with its duty of confidence to patients” in any future trial involving personal data, the ICO said.

The watchdog has also ordered a privacy impact assessment, including specific steps to ensure transparency, and
an audit of the trial, the results of which will be shared with the Information Commissioner.

‘Good progress’
In a statement, the Trust said it had already “made good progress” to address the areas of concern, and stressed: “We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.”

“We welcome the ICO’s thoughtful resolution of this case, which we hope will guarantee the ongoing safe and legal handling of patient data for Streams,” added DeepMind.

The decision comes just weeks after a five-year partnership between DeepMind and Taunton and Somerset NHS Foundation Trust was announced, focused on introducing Streams technology to alert nurses and doctors of potential deterioration in a patient's vital signs.

The groups are also working on the implementation of an infrastructure to facilitate the integration of other apps that could improve patient care, whether developed by third parties or innovators within the trust.