The ICO has ruled that the Royal Free Hospital in London breached the UK Data Protection Act 1988 when it shared 1.6 million patient records with Alphabet's DeepMind, a sister company of Google. The shared data was used to test a new app built on artificial intelligence called Streams. The healthcare app has been designed for the diagnosis and detection of acute kidney injury. However, the ICO ruled that the hospital failed to adequately inform patients that their data would be used as part of the test.
The ICO found that sensitive personal data was used in a way "that data subjects would not reasonably expect or to which [they] have not directly consented". A significant factor in the ICO's decision was the breadth of the data transfer. For instance, a patient who had presented in the last five years at an accident and emergency department or at radiology, and who had little or no prior engagement with the hospital, could not reasonably expect their data to be transferred to a third party to help develop a new mobile application. Although there were a number of shortcomings overall, the decision turned on non-compliance with the following four key data protection principles:
- That personal data must be processed fairly and lawfully.
- That it must be adequate, relevant and not excessive.
- That it must be processed in accordance with the rights of data subjects.
- That appropriate technical and organisational controls must be in place, which the hospital failed to demonstrate.
Notwithstanding the material nature of the breaches and the volume of sensitive personal data shared, the commissioner opted not to impose the maximum fine. Instead she decided to require the hospital to give undertakings around future performance.
The ICO decision is significant as it is likely to be one of the last cases of this nature in which sanctions fall solely on the data controller. When the General Data Protection Regulation (the "GDPR") comes into effect in May 2018, processors will bear more compliance risk. The GDPR is based largely on principles of transparency and accountability, and processors will likely have to enter into contracts under which they assume significantly more obligations and risk. These obligations, combined with the new general conditions for imposing administrative fines under the GDPR, will expose processors (and controllers) to significant financial risk in cases like this. Certain breaches will attract a maximum fine of €20 million or 4% of global turnover. Given these stricter obligations, it is likely that after May 2018 a breach on a similar scale will leave both the controller and the processor exposed to greater fines and sanctions.