Four lessons NHS Trusts can learn from the Royal Free case

By Elizabeth Denham, Information Commissioner.


Today my office has announced that the Royal Free London NHS Foundation Trust did not comply with the Data Protection Act when it turned over the sensitive medical data of around 1.6 million patients to Google DeepMind, a private sector firm, as part of a clinical safety initiative. As a result of our investigation, the Trust has been asked to sign an undertaking committing it to changes to ensure it is acting in accordance with the law, and we’ll be working with them to make sure that happens.

But what about the rest of the sector? As organisations increasingly look to unlock the huge potential that creative uses of data can have for patient care, what are the lessons to be learned from this case?

It’s not a choice between privacy or innovation

It’s welcome that the trial looks to have been positive. The Trust has reported successful outcomes. Some may reflect that data protection rights are a small price to pay for this.

But what stood out to me on looking through the results of the investigation is that the shortcomings we found were avoidable. The price of innovation didn’t need to be the erosion of legally ensured fundamental privacy rights. I’ve every confidence the Trust can comply with the changes we’ve asked for and still continue its valuable work. This will also be true for the wider NHS as deployments of innovative technologies are considered.

Don’t dive in too quickly

Privacy impact assessments are a key data protection tool of our era, as evolving law and best practice around the world demonstrate. Privacy impact assessments play an increasingly prominent role in data protection, and they’re a crucial part of digital innovation. Our investigation found that the Trust did carry out a privacy impact assessment, but only after Google DeepMind had already been given patient data. This is not how things should work.

The vital message to take away is that you should carry out your privacy impact assessment as soon as practicable, as part of your planning for a new innovation or trial. This will allow you to factor in your findings at an early stage, helping you to meet legal obligations and public expectations.

New cloud processing technologies mean you can, not that you always should

Changes in technology mean that vast data sets can be made more readily available and processed faster, using more powerful data processing technologies. That’s a positive thing, but just because evolving technologies can allow you to do more doesn’t mean these tools should always be fully utilised, particularly during a trial initiative.

In this case, we haven’t been persuaded that it was necessary and proportionate to disclose 1.6 million patient records to test the application. NHS organisations, perhaps more than any other sector, need to remember that we are talking about the medical information of real patients. This means you should consider whether the benefits are likely to be outweighed by the data protection implications for your patients. Apply the proportionality principle as a guiding factor in deciding whether you should move forward.

Know the law, and follow it

No-one suggests that red tape should get in the way of progress. But when you’re setting out to test the clinical safety of a new service, remember that the rules are there for a reason. Just as you wouldn’t ignore the provisions of the Health and Social Care Act, or any other law, don’t ignore the Data Protection Act: you need a legal basis for processing personal data. Whether you contact the ICO or obtain expert data protection advice as early as possible in the process, get this right from the start and you’ll be well-placed to make sure people’s information rights aren’t the price of improved health.

The ICO’s dedicated health sector page has collected the relevant guidance and resources together.

Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.

2 Responses to Four lessons NHS Trusts can learn from the Royal Free case

  1. Stephen Jones says:

    To make these things work and to ensure that firms/organisations do not break the law you need to enforce it. Someone/somebody has played fast-and-loose with personal data and should be prosecuted in full accordance with the law.

    When will this happen?

  2. tessfleming says:

    Could someone from the ICO confirm why falsifying health records is first of all ‘fair and lawful’ and not just an issue about accuracy? In terms of Principle 4, while I agree this behaviour is a matter about the organisation, it is all about the manipulation of sensitive personal data. Could the ICO provide clarification on the advice recently provided which is copied below – is this an example of the NHS complying with Principle 7 or best practice in protecting information rights?

    Considering a ‘compliance likely’ notice was provided in this case based on ‘good faith’ rather than actual documented proof which included a health board creating a false mental health record solely to discredit the patient – I think it is in the interests of the Public to clarify, not only the statement below but why the response also stated that legislation such as FOI, Records Handling, the Public Records Act etc. is not within the ICO’s remit to investigate?

    “This principle also says that, ‘For the purposes of this Act data are inaccurate if they are incorrect or misleading as to any matter of fact.’

    ‘Misleading’ in this context does not include an organisation using information in a wilfully misleading way (i.e. potentially attempting to defraud). If the data held about you is actually accurate, but is deliberately presented in such a way that it intentionally misleads – such as attempting to conceal a misdiagnosis or inappropriate treatment – this becomes a matter about the behaviour of the organisation and not the processing of data.”
