Data protection is tricky … even for those with the deepest minds!
The Information Commissioner’s ruling in 2017 that the Royal Free Foundation Trust failed to comply with the Data Protection Act when it gave Google access to its patient data must have sent shivers down the spines of many people involved in IT and health. If Google can’t get it right, what hope do the rest of us have?
The Royal Free is providing the personal data of about 1.6 million patients as part of a trial to test a detection system for acute kidney injury. The trial obviously involves a trust providing a large amount of sensitive data. It uses Google’s DeepMind technology to create an app called Streams, which sends alerts to doctors about patients at risk of injury (this problem is not something that Eva shares, by the way, as any aggregation in Eva will use anonymised data).
At first glance this sounds like a really useful way of utilising the NHS’s incomparable store of patient data. Commenting on their ruling, the Information Commissioner Elizabeth Denham was quoted as saying:
“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.”
It is therefore something of a relief to read that the Information Commissioner has announced that the Royal Free have met their concerns and the trial can go ahead. It does not appear that the actions that the Royal Free had to take were too onerous. They included establishing a proper legal basis for the data to be processed and completing a privacy impact assessment. The actions flow quite naturally from the first principles of data protection – understanding the basis for processing and mitigating the risks. The Information Commissioner commented:
“Organisations must assure themselves and document how they have taken appropriate steps to mitigate data protection risks beyond contractual obligations and the obligation … under data protection law, such as audits, reports and other appropriate measures.”
The moral of this story, I think, is that getting data protection right isn’t impossible – even for complex projects like this one. Nevertheless, there are some basics that no-one can get away with avoiding.
Written by Kieran Seale