U.K. hospitals violated British data privacy laws in a deal with Google’s artificial intelligence company, DeepMind, a privacy watchdog ruled Monday.
After a yearlong investigation, the Information Commissioner’s Office (ICO) said that the Royal Free NHS Foundation Trust, which is composed of three London hospitals, has been asked to restructure its data-sharing practices to comply with the law.
“We accept the ICO’s findings and have already made good progress to address the areas where they have concerns,” the Royal Free NHS Foundation Trust said in a statement. “For example, we are now doing much more to keep our patients informed about how their data is used. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.”
DeepMind and the group had an agreement to develop an app that would alert doctors if patients were susceptible to acute kidney injury, according to The Verge. That deal went into effect in 2015 and has since been replaced with a new agreement.
The ICO said that it found a number of shortcomings in the arrangement, concluding that patients were “not adequately informed” about how their data was being used and that Royal Free should have been more transparent about the process.
“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights,” said Information Commissioner Elizabeth Denham.
In a blog post, DeepMind cofounder Mustafa Suleyman and Dominic King, a senior scientist at the company, said that they welcome the “thoughtful resolution” of the case and stressed that patient data had not been compromised.
“Although today’s findings are about the Royal Free, we need to reflect on our own actions too,” Suleyman and King wrote.“In our determination to achieve quick impact when this work started in 2015, we underestimated the complexity of the NHS and of the rules around patient data, as well as the potential fears about a well-known tech company working in health.”
In order to settle the matter, the ICO has asked the group to audit the program and come up with ways to ensure transparency and the privacy of its patients.