The UK Information Commissioner's Office (ICO) has officially put out a ruling stating that the Royal Free NHS Foundation Trust violated applicable privacy laws when it handed over patient information to Google's specialty AI firm DeepMind with the intent to have DeepMind maintain, store, organize, and administrate said data. Specifically, the law in question is the Data Protection Act, and the NHS' data sharing practices with DeepMind were found to have fallen short of compliance with this regulation in multiple ways. One of the most grievous offenses on the list, according to a report from the ICO, is the fact that patients were not adequately informed about how their data would be transmitted, or for what purpose.
The ICO's report on the matter was not entirely specific on how the Foundation's sharing with DeepMind was noncompliant, aside from mentioning transparency issues. According to the report, the ICO is going to ask the NHS to change its data management practices and the manner in which information is shared with DeepMind in order to bring the deal into compliance with the law. The biggest change that's expected, as outlined in the report, is to keep patients more informed on the matter and ensure their consent before sharing their medical data. Presumably, patients that do not consent to have their records handled by DeepMind will instead have their data managed in the same way as it has always been done, and will not have access to any perks that come from DeepMind's experimental AI-based approach to patient data management.
The ICO will be checking up on the NHS to ensure compliance, and has asked the foundation to establish a concrete legal framework surrounding this trial as it pertains to the Data Protection Act. To this end, a "privacy impact assessment" will be completed, and specific, universal steps will be outlined for transparency and compliance, meant to be used for future arrangements of this sort. The ICO has also ordered the NHS to perform an audit of this particular experiment, and will have the option to release the information to the public at its discretion. All of this data will be used in order to help keep future experiments of this nature compliant from the start, and to ensure that the law does not stand in the way of future innovation.