The UK’s data privacy regulator, the Information Commissioner’s Office (ICO), has ruled that the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act when it provided patient details to Google DeepMind.

The Trust provided personal data of around 1.6 million patients as part of a trial to test an alert, diagnosis and detection system for acute kidney injury. An ICO investigation found several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test.

In her blog, the Information Commissioner Elizabeth Denham emphasised it’s not a choice between privacy or innovation and that lessons should be learnt from this case.

In light of the ruling, Nicola Perrin, Head of Understanding Patient Data, has issued the following response:

“The ICO’s constructive approach will help ensure that new digital technologies can be introduced in an appropriate way to provide better clinical care. Key lessons – the need for transparency, public engagement and proportionate use of data – must be learnt, so that everyone can have confidence that patient data is being used responsibly. It is good that both DeepMind and Royal Free have recognised that mistakes were made, and are now taking steps to address the concerns. The ICO ruling makes clear that data protection and innovation can work together for the benefit of patients.”

The Royal Free Hospital has accepted the ICO’s findings and continues to address the areas where there were concerns. DeepMind have taken on board the need to be more transparent and to better inform patients and the public from the outset.

The National Data Guardian, Fiona Caldicott, has also reflected on the importance of maintaining public trust when innovations with data are taken forward to improve care. She highlighted the need to get the balance right, enabling innovation while acting in line with public expectation.