Information Commissioner's Office
Royal Free NHS Foundation Trust update, July 2019
In July 2017, following reports concerning the use of Google DeepMind’s Streams application at the Royal Free NHS Foundation Trust, the ICO announced that the processing of personal data within Streams was not compliant with the Data Protection Act 1998 – the relevant data protection law at the time. Having identified several shortcomings with the data processing, the Trust signed an undertaking committing it to bringing the processing into line with data protection laws, including the new General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
The actions the Trust was asked to complete included establishing a proper legal basis for future processing, making sure future developments also comply with the common law duty of confidence, and completing a privacy impact assessment. We also agreed that the Trust would commission an independent audit into the processing of patient data that had occurred during the implementation of Streams.
The ICO can now report that the Trust has completed the actions required, both in response to the requirements set out in the undertaking, and to meet the concerns to be addressed in the audit.
On matters relating to the data protection framework which we regulate, the Trust was able to demonstrate that the GDPR principles of proportionality and necessity had been considered and that the processing of large volumes of data was required during phases of clinical testing to ensure patient safety.
It has also taken steps to complete a data protection impact assessment (DPIA) as required by the new legal regime, and improve privacy information to its patients. We are therefore satisfied that the Trust is complying with its data protection requirements and we have no further outstanding concerns regarding the current processing of personal data within Streams.
During the audit, separate concerns were raised around the legal view on how the common law duty of confidentiality - often referred to as a ‘duty of confidence’ - could be satisfied during the clinical testing of Streams. The ICO found that the approach proposed in the audit, which focused on the clinician’s conscience rather than on the patient’s expectations, was inconsistent with current accepted thinking. Whilst common law matters fall outside of our regulatory purview, we are very aware that clinicians and developers are seeking regulatory clarity on the interplay between the duty of confidence and the data protection framework.
Greater clarity is needed and we are committed to working with other bodies, including the National Data Guardian and Health Research Authority, to improve guidance and support to the sector so that healthcare organisations like NHS Trusts can implement data-driven technology solutions safely and legally.
Finally, ahead of the transfer of Streams from DeepMind to the new Google Health Unit, the ICO has made it clear to controllers using the Streams service that they will need to have the appropriate legal documentation in place to ensure their processing is in line with the requirements of the GDPR. Organisations must assure themselves and document how they have taken appropriate steps to mitigate data protection risks beyond contractual obligations and the obligation on Google Health under data protection law, such as audits, reports and other appropriate measures.