The Royal Free NHS Foundation Trust, which shared the data of 1.6 million patients, has escaped a fine from the UK’s information watchdog, the Information Commissioner’s Office (ICO).
The Trust has instead signed an undertaking with the ICO to take certain action in order to ensure data protection rules are complied with in future. The Trust was reportedly using Google DeepMind in a clinical trial when the personal information of 1.6 million patients was shared as part of the clinical trials project.
Google DeepMind was being trialled by the hospital as a new and innovative way to receive alerts, diagnoses and detection for specified injuries. In this case, the affected patients had or were suspected to have acute kidney problems.
The Trust was investigated for not informing patients that their information would be used as part of the clinical trials. It failed to acquire the consent of the patients and failed to notify them of the data sharing.
Criticism from the ICO
Ms Elizabeth Denham of the ICO said:
“Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.”
Anyone who has control over someone else’s data has a duty under the Data Protection Act to make sure it’s only used for a specified purpose. For NHS patients, data in medical files is expected to be kept confidential, and only used for medical health reasons. I’m sure they don’t expect their information to be trialled in a new technology venture without anyone first seeking their authorisation or even letting them know.
Ms Denham also spoke about balancing the need for innovation and making sure that personal data is not compromised:
“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.”
She continued:
“The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.”
Data protection must always be seen as important!
For all companies and organisations, data protection must always be taken seriously. Data breaches can destroy trust in organisations, and the impact on victims can last a lifetime. If you lose money, the same amount can be given back to you; but if someone compromises your data, you may have no idea where it goes or how far it goes, and whether it can ever be fully recovered or destroyed.
Many data breach victims understandably suffer psychiatric injuries such as stress, depression, anxiety and restlessness. Whilst we understand that no amount of money can truly compensate for these injuries, we know that it can help; and that’s what we aim to do for data breach victims who meet our criteria for acceptance on a No Win, No Fee basis.