Deal between an NHS trust and Google DeepMind breached data protection laws

The Royal Free NHS Foundation Trust breached the Data Protection Act (DPA) when it shared patient records with Google DeepMind, the Information Commissioner’s Office (ICO) has ruled.

The trust provided the medical records of approximately 1.6 million patients as part of a deal to create the healthcare app Streams, an alert, diagnosis and detection system that can spot when patients are at risk of developing acute kidney injury. The ICO found that the deal breached the DPA in several ways. The most obvious breach was that the Royal Free did not tell patients that their records would be used by DeepMind to test the app.

Wide-ranging breach

In a letter to the Royal Free, Information Commissioner Elizabeth Denham stated that the deal between the trust and DeepMind violated Principles 1, 3, 6 and 7 of the DPA. But despite the scale of the breach, the ICO did not issue a fine. The Royal Free will not go entirely unpunished, though, with the ICO instructing it to:

  • Establish a proper legal basis under the DPA for the DeepMind project and any future trials.
  • Set out how it will meet its duty of confidence to patients in all trials involving personal data.
  • Complete a data protection impact assessment (DPIA).
  • Commission an audit of the DeepMind trial, with the results to be shared with the information commissioner.

In a statement, the Royal Free said it welcomed the guidance, adding that it was “pleased” the ICO had let it continue to use Streams to help patients.

‘Lucky’ to avoid heavier sanctions

Adam Rose, a partner at law firm Mishcon de Reya, believes that the Royal Free was lucky to avoid a financial penalty. On the firm’s blog, he writes: “One might have thought that, given the seriousness of the breaches, the volume of sensitive personal data handed over to Google [DeepMind] and the interest in getting this very issue right, the Commissioner would levy a fine on the Free close to the maximum permitted of £500,000.”

That limit will skyrocket when the DPA’s successor, the EU General Data Protection Regulation (GDPR), takes effect on 25 May 2018. Any organisation found to be in breach of the GDPR can expect a penalty of up to €20 million (about £17.5 million) or 4% of its annual global turnover – whichever is greater.

The GDPR also introduces much tougher compliance requirements. All organisations that process EU residents’ personal information must therefore know what changes are coming and what they need to do to comply with the Regulation.

Our GDPR Staff Awareness E-learning Course helps employees familiarise themselves with the GDPR. It defines the scope of the Regulation, introduces the principles for collecting and protecting personal information, and shows you how you can achieve compliance.

Enrol on our GDPR Staff Awareness E-learning Course >>