NHS and Google fall foul of UK data protection rules

An NHS Trust has found itself on the wrong side of the law after a twelve-month investigation by the Information Commissioner’s Office of its joint-initiative with Google Deepmind.

Jamie Davies

July 3, 2017

3 Min Read
NHS and Google fall foul of UK data protection rules

An NHS Trust has found itself on the wrong side of the law after a twelve-month investigation by the Information Commissioner’s Office of its joint-initiative with Google Deepmind.

The Royal Free NHS Foundation Trust failed to comply with data protection policies in the UK, as it passed details of 1.6 million patient as part of a trial to test an alert, diagnosis and detection system for acute kidney injury. The data was to be used to create an app called ‘Streams’, and was passed on without knowledge or consent of the patients.

“The price of innovation didn’t need to be the erosion of legally ensured fundamental privacy rights,” said Elizabeth Denham, the Information Commissioner. “I’ve every confidence the Trust can comply with the changes we’ve asked for and still continue its valuable work. This will also be true for the wider NHS as deployments of innovative technologies are considered.”

The agreement was initially signed in secret in September 2015, but was revealed in full by the New Scientist in April 2016. The system itself reviews data looking for triggers, before sending a message to a relevant clinician should the condition deteriorate to allow for an immediate diagnosis. Essentially, Streams integrates different types of data and test results from a range of existing IT systems used by the hospital, a task which would be exceptionally difficult to do manually.


Although the Trust has technically broken the law, the ICO has seemingly seen the sensible side to the scenario, allowing the Trust to continue the work, assuming it should be able to comply with data protection rules.

“We passionately believe in the power of technology to improve care for patients and that has always been the driving force for our Streams app,” the Trust stated on its blog.

“We are pleased that the information commissioner supports this approach and has allowed us to continue using the app which is helping us to get the fastest treatment to our most vulnerable patients – potentially saving lives.”

What this whole saga does prove is the complications with data protection rules and regulations; in short, few organizations fully understand what their obligations are and what could land them on the wrong side of the law. In this case, thankfully, the ICO has seen sense and not put a complete halt to the trials, though the complicated rules could have an adverse effect on the industry.

The Royal Free NHS Foundation Trust and Google Deepmind are using information in a creative way, but how many of these ideas were halted in the early days because there uncertainty on what is and what is not legal. Could the confusion mean progress has been halted or at least disrupted because of the fear of acting illegally?

While many would currently state data protections rules are perhaps too complicated, the situation is only going to get worse over the next twelve months or so as EU General Data Protection Rules (GDPR) are implemented. These new rules will fundamentally change how a customer’s personal information is handled, and the penalties are severe. If companies do not understand the challenge as it currently stands, it’s a very worrying sign for when EU GDPR starts to peek from around the corner.

Data protection is a critical aspect of the connected economy, but the rules need to be plainer to ensure they are understandable. If not, progressive ideas like this one might be shelved due to the fear of punishment. If regulations are supposed to aid the industry, someone needs to have a long hard look at what we have right now.

Get the latest news straight to your inbox.
Register for the Telecoms.com newsletter here.

You May Also Like