UK watchdog: Google DeepMind, NHS out of step with patient privacy laws
- A year-long investigation by the U.K.’s Information Commissioner’s Office has concluded a data sharing deal between the National Health Service and Alphabet-owned DeepMind Technologies failed to comply with patient privacy laws, New Scientist reported.
- Under the agreement, DeepMind gained access to 1.6 million patient records from the Royal Free London NHS Trust. The purpose was to develop a kidney disease-monitoring app called Streams.
- While the U.K.'s Information Commissioner's Office (ICO) has authority to issue fines and halt DeepMind’s use of the data, the government watchdog agency instead asked Royal Free to “establish a proper legal basis under the Data Protection Act for the Google DeepMind project,” according to an ICO press release.
Data privacy is an ongoing concern with mobile technologies. For an example in the U.S., in a report to Congress last August, HHS identified a series of gaps in HIPAA’s ability to protect personal data generated by wearable fitness trackers and other digital apps.
In a July 3 letter to David Sloman, chief executive of Royal Free, CIO Commissioner Elizabeth Denham summarized the NHS, DeepMind partnership's shortcomings. Among the findings were that the Trust’s procedures around patient consent and transparency were inadequate. The agency also questioned the need to 1.6 million patient records in the trial, calling it “excessive.”
In addition to providing legal basis for the project, the CIO asked the trust to clarify how it will protect patient privacy in future clinical trials involving personal data and to complete a privacy impact assessment, including steps to ensure transparency. An audit of the DeepMind trial, which was meant to establish the app’s safety, was also requested.
“There’s no doubt the potential that creative use of data could have on patient care and clinical improvement, but the price of innovation does not need to be the erosion of fundamental privacy right,” Denham said in the release.
DeepMind conducted its own investigation as well. In a blog, the company said that in focusing on building better tools for clinicians, it had “underestimated” the complexities of personal data protection. “We got that wrong, and we need to do better,” DeepMind said.
DeepMind and Royal Free partnered in September 2015 to test an artificial intelligence-enabled alert, diagnosis and detection system for acute kidney injury. In February, Stream went live in and is currently being used by the trust’s clinicians. The device has regulatory clearance for use in the U.K.
The CIO said DeepMind can continue using the data provided for Streams while the compliance measures are underway.
- New Scientist Google DeepMind’s NHS data deal ‘failed to comply’ with law
- DeepMind The Information Commissioner, the Royal Free, and what we’ve learned
- Information Commissioner's Office Royal Free – Google DeepMind trial failed to comply with data protection law