Setting precedent in medical case, agency finds NHS trust didn’t adequately protect data on 1.6 million patients
Google hit another regulatory problem in Europe, as the UK Information Commissioner ruled that a National Health Service Trust had improperly shared data on 1.6 million patients with the company’s DeepMind artificial intelligence unit.
The agency, which enforces data protection law, said 3 July that the Royal Free NHS Foundation Trust had not adequately informed the patients that their data was to be used in the Google research project. It ordered the trust to sign an undertaking to protect patient data better in future, but didn’t take any action against Google itself.
The regulator noted that the research itself had been productive, as it was testing a new system to detect, diagnose and provide alerts for people with acute kidney injury.
“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights,” said the commissioner, Elizabeth Denham, in a statement.
“Our investigation found a number of shortcomings in the way patient records were shared for this trial,” Denham wrote. “The Trust could and should have been far more transparent with patients as to what was happening.”
Google not faulted
Though Google wasn’t blamed, the case is the second regulatory issue in a week for Google in Europe – following a record fine of €2.4 billion that the European Commission levied against the company for allegedly using its dominant position in online searches to disadvantage competitors. The company is contesting that fine.
But more generally, the British case is likely to be only the first of many in Europe that pit a research project’s use of patient data against data protection laws. In 2015 the European Parliament approved a new General Data Protection Regulation that provided specific exemptions for medical research – but the interpretation of exactly what that means will no doubt be contested in the future. To get the exemption, medical researchers argued in Brussels that they needed more flexibility than normal commercial users to aggregate and study patient data – or efforts to find new medicines would get derailed.
Elaborating on the case, Denham in a blog offered some advice to other researchers. She said that while medical research is important and use of data necessary, in the Royal Free case “what stood out to me looking through the results of the investigation is that the shortcomings we found were avoidable.” She said the Trust didn’t carry out a privacy impact assessment until after Google had already been given the data. “This is not how things should work.”
She advised researchers “to carry out your privacy impact assessment as soon as practicable, as part of your planning for a new innovation or trial.” Further, she urged researchers “to apply the proportionality principle” when deciding whether it’s worth it to share patient data, and to know the law.