A landmark partnership between the National Health Service and Google’s artificial intelligence software violated patient privacy laws, according to British regulators.
An investigation by the Information Commissioner’s Office indicated the Royal Free NHS Foundation Trust failed to comply with the country’s Data Protection Act when it handed over personal data for 1.6 million patients to Google DeepMind in a five-year partnership officially announced last November.
The partnership was initially reported by New Scientist in April 2016 and immediately drew the ire of privacy experts.
While acknowledging the “huge potential” for health data on patient care, Information Commissioner Elizabeth Denham said the partnership shared data in ways that patients would not have reasonably expected, and that the NHS “should have been far more transparent with patients as to what was happening.”
In a blog post, Denham offered several key privacy takeaways for the rest of the healthcare sector that may be engaging in similar partnerships, advocating for the industry to adequately address privacy concerns before diving into new data sharing partnerships.
“What stood out to me on looking through the results of the investigation is that the shortcomings we found were avoidable,” she wrote. “The price of innovation didn’t need to be the erosion of legally ensured fundamental privacy rights. I’ve every confidence the Trust can comply with the changes we’ve asked for and still continue its valuable work.”
Meanwhile, a report issued by DeepMind’s independent review panel noted a lack of clarity in the initial information sharing agreement with the NHS, but indicated those issues have been corrected. The panel also commended the company for implementing independent oversight—which it argued should set a standard for the industry—and noted that DeepMind Health has set a “firm policy” that future information sharing contracts will be published publicly without redactions.