In 2015, DeepMind Technologies entered a data sharing arrangement with the NHS for patient data. This data was then used illegally, with 1.6 million patients affected by this privacy violation. This page explains how this breach happened.
The Royal Free NHS Foundation Trust shared the personal data of patients with AI company Google DeepMind. The transfer of data was done to test a new medical app (called Streams). But the use of data by Google DeepMind eroded patient rights and breached the Data Protection Act (DPA).
Patients who attended The Royal Free Hospital, Barnet Hospital or Chase Farm Hospital between 2010 and 2016 might have had their data privacy rights breached. In total, 1.6 million people may have been affected.
According to an investigation by the UK’s data protection watchdog (the ICO), there were several failings in the processing of patient records. The then Information Commissioner, Elizabeth Denham, said that lessons should be learnt from this case.
Many people are happy for their data to be used to improve patient care and make clinical advancements. But laws exist to ensure this is done in a way that does not harm patients. People should also be told how their records will be shared and be asked for their consent.
Despite these laws, there are real worries about how medical data is being used (and might be used in the future). For example, what would happen if an insurance company got hold of your medical data and increased your life insurance premium or refused you cover?
Anyone who attended The Royal Free Hospital, Barnet Hospital or Chase Farm Hospital between 2010 and 2016 could have been affected by this data violation.
Admissions, discharge and transfer data, accident and emergency, pathology and radiology, and critical care data were all passed to Google DeepMind.
This sensitive patient data included details such as whether patients had been diagnosed with HIV, suffered from depression, or had ever undergone an abortion.
This information was not anonymised.
Any organisation can apply for access to NHS patient data, but there are strict controls on how companies can use this information. For example, personally identifiable patient data (anything that can be used to identify you) can only be shared if there is a health benefit. Personal data must also be processed under the UK’s data protection laws.
Despite this, questions remain about who our medical records are being shared with and why. There are also concerns about what happens to our patient data when it leaves the NHS.