Google's DeepMind and UK Hospitals Made Illegal Deal For Health Data, Says Watchdog (theverge.com)
A deal between UK hospitals and Google's AI subsidiary DeepMind "failed to comply with data protection law," according to the UK's data watchdog. From a report: The Information Commissioner's Office (ICO) made its ruling today after a year-long investigation into the agreement, which saw DeepMind process 1.6 million patient records belonging to UK citizens for the Royal Free Trust -- a group of three London hospitals. The deal was originally struck in 2015, and has since been superseded by a new agreement. At the time, DeepMind and the Royal Free said the data was being shared to develop an app named Streams, which would alert doctors if patients were at risk from a condition called acute kidney injury. An investigation by the New Scientist revealed that the terms of the agreement were more broad than had been originally implied. DeepMind has since made new deals to deploy Streams in other UK hospitals.
And the same lesson is learned over and over again: Google got away with it.
To be clear, this was DeepMind, which is owned by Google, not Google. From the article:
Also, it's really Royal Free Trust which is at fault. The core problem here was that patients weren't made aware that their data would be used for this particular purpose, and it was the hospital group who had contact with the patients and access to their data, not DeepMind. Indeed, the ICO's primary immediate action here is to ask the hospital group "to sign a new agreement committing it to act in accordance with the law and commission an audit of the 2015 trial".
While I think DeepMind should also exercise due diligence and take care that its partners aren't breaking the law, the real responsibility here lies with the organization that has the patient data, the hospitals. If DeepMind had violated the terms of the agreement and used the data for purposes other than it told Royal Free Trust, and gotten away with it, then you'd have had grounds for your complaint. As it is, if you want to sharpen your pitchforks, it's the hospitals you should go after, since DeepMind did nothing other than what the hospitals agreed to let it do. And it's also worth noting that no one here is claiming that there was any harm to patients, just not enough care to follow the disclosure requirements.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.