The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”). The ICO has required the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.

On September 30, 2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system. On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly-developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’.

During that clinical safety testing phase, the ICO found that, among other failings, data subjects were not adequately informed that the processing was taking place, and it rejected the contention that the processing was for the purposes of ‘direct care’ of patients (which was argued to provide an implied consent on the part of patients). The ICO noted that a patient who attended the accident and emergency department at the Royal Free in the last five years would not have expected their personal data to be accessible to a third party for the testing of a new mobile application.

The ICO also found that:

  • the Royal Free had failed to demonstrate that the provision of 1.6 million records was necessary and proportionate to the purpose of processing, and that provision was potentially excessive;
  • as patients had not been provided sufficient information about the processing, they would have been unable to exercise their rights under section 10 of the UK Data Protection Act to prevent processing of their personal data; and
  • the information sharing agreement between the Royal Free and DeepMind at the time did not go far enough to ensure that, consistent with UK data protection law, only the minimal possible information would be provided, and that processing would be conducted for a limited purpose.

The ICO was also concerned that there was no privacy impact assessment prior to the project’s commencement. The main feature of the undertaking the ICO required from the Royal Free following its investigation is thus to implement a robust privacy impact assessment framework.

Following the ICO’s ruling, data controllers such as health care providers engaged in digital health projects should (i) give appropriate consideration to the need for a privacy impact assessment and (ii) ensure contract terms are crafted to comply with the requirements of UK data protection law.