The Royal Free London NHS Foundation Trust gave Google’s DeepMind artificial intelligence program data on 1.6 million patients without proper consent, the UK’s Information Commissioner’s Office (ICO) has found.

A year-long investigation found that patients were not adequately informed that medical data would be used as part of a trial of Streams, a mobile app designed to help with the real-time detection of acute kidney injury (AKI).

This breaches parts of Schedules 2 and 3 of the 1998 Data Protection Act, which require subjects to explicitly opt in to any use of their personal data, and require that consent to be obtained. Because patients were unaware that data had been processed, they were unable to exercise their rights to opt out of the trial.

Additionally, while data was encrypted, the Commissioner found that Royal Free London had not ensured that the mobile devices used in the trial were properly secured, presenting a possible attack vector for hackers.

“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights,” Information Commissioner Elizabeth Denham said in a statement. “Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.”

While the ICO has the ability to impose fines of up to £500,000 (around $648,000) — ISP TalkTalk was last year fined £400,000 ($518,000) for failing to safeguard subscriber data — it’s currently unclear if a financial penalty will be imposed on the Royal Free.

The Commissioner’s Office has now asked the Trust to commit to making changes to how it collects and processes patient data.

In a statement, Royal Free London said: “We accept the ICO’s findings and have already made good progress to address the areas where they have concerns. For example, we are now doing much more to keep our patients informed about how their data is used. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.”

DeepMind commented on its website about the ICO’s decision.

Source: PC Magazine