The Royal Free NHS Trust/DeepMind Data Breach

[Name Removed] made this Freedom of Information request to the Information Commissioner's Office. This request has been closed to new correspondence.

The request was successful.

Dear Information Commissioner’s Office,

Could you please process the following freedom of information request:

1. In 2017, you ruled that the Royal Free NHS Trust had breached the Data Protection Act, by passing confidential data to DeepMind, without patient consent. What criteria of patient data was shared between these organisations (for example, was it everyone who visited the Royal Free Trust's A&E departments or everyone with particular health conditions or that had received specific treatment or other)?
2. Were the patients whose data was breached informed by either your organisation or by the Royal Free NHS Trust?
3. If the patients in question were not informed, can you please clarify who took that decision, the justification for that decision and the reasons why they were not informed?
4. If somebody wanted to know if their data had been shared and had requested this from The Royal Free NHS Trust, but felt they may not have been truthful in their response, what action can you take?
5. Does your organisation hold the names of all patients who had their data breached by The Royal Free?

Thank you.

Yours faithfully,

[personal information removed] [personal information removed]

AccessICOinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

 

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

 

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

 

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

 

If you have requested advice - we aim to respond within 14 days.

 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

 

Copied correspondence - we do not respond to correspondence that has been
copied to us.

 

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

 

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

 

Yours sincerely

 

The Information Commissioner’s Office

 

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...

 

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews

 

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

Information Commissioner's Office

21 June 2018

 

Case Reference Number IRQ0748752

 

Dear Ms [personal information removed]

Thank you for your recent request for information. We received your
request on 23 May.
 
We have considered your request under the Freedom of Information Act 2000.
 
Your request
 
1. In 2017, you ruled that the Royal Free NHS Trust had breached the Data
Protection Act, by passing confidential data to DeepMind, without patient
consent. What criteria of patient data was shared between these
organisations (for example, was it everyone who visited the Royal Free
Trust's A&E departments or everyone with particular health conditions or
that had received specific treatment or other)?
 
2. Were the patients whose data was breached informed by either your
organisation or by the Royal Free NHS Trust?
 
3. If the patients in question were not informed, can you please clarify
who took that decision, the justification for that decision and the
reasons why they were not informed?
 
4. If somebody wanted to know if their data had been shared and had
requested this from The Royal Free NHS Trust, but felt they may not have
been truthful in their response, what action can you take?
 
5. Does your organisation hold the names of all patients who had their
data breached by The Royal Free?
 
Our response 
 
I have responded to your requests individually, below.
 
1. High level details of the information shared can be found in the
Undertaking issued to the Royal Free London NHS Foundation Trust,
available here:
 
[1]https://ico.org.uk/media/action-weve-tak...
 
Further supplementary information is available in the accompanying letter,
which is available at:
 
[2]https://ico.org.uk/media/action-weve-tak...
 
2. To the ICO’s knowledge, patients were not directly informed about the
data sharing on an individual basis. The ICO did not make contact with
affected individuals.
 
3. Under the Data Protection Act 1998, which was the applicable
legislation at the time the information was shared, there was no specific
requirement to inform a data subject about a data incident. As you may be
aware, the General Data Protection Regulation introduces a requirement to
inform data subjects if an incident is likely to result in a high risk to
the rights and freedoms of individuals. You can find out more information
about this requirement at:
 
[3]https://ico.org.uk/for-organisations/gui...
 
 
4. In the event that an individual’s right of access had been contravened,
the ICO could consider a complaint from the affected party or their
representative. In the event that a contravention of the Act was
evidenced, the ICO would consider whether regulatory action was warranted.
More information about the rights of access can be found at:
 
[4]https://ico.org.uk/for-organisations/gui...
 
5. No, the ICO does not hold the names of all the patients whose data was
breached by the Royal Free NHS Trust.
 
As you may be aware, since your request, the Royal Free NHS Trust has
published a report concerning the audit it undertook to comply with the
undertakings that were issued by the ICO. You can access the report using
the below:
 
[5]https://www.royalfree.nhs.uk/news-media/...
 
Next steps
 
I hope this response is clear. If you would like me to clarify anything
about the way your request has been handled please contact me.
 
You can ask us to review the way we have handled your request. Please see
our review procedure [6]here.
 
Following our internal review, if you remain dissatisfied with the way we
have handled your request, there is a statutory complaints process and you
can report your concern to the regulator.

Yours sincerely,
 

 

Jessica Duckworth
Senior Information Access Officer
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0330 4146497  F. 01625 524510  [7]ico.org.uk  [8]twitter.com/iconews
For information about what we do with personal data see our [9]privacy
notice

 
 

References

Visible links
1. https://ico.org.uk/media/action-weve-tak...
2. https://ico.org.uk/media/action-weve-tak...
3. https://ico.org.uk/for-organisations/gui...
4. https://ico.org.uk/for-organisations/gui...
5. https://www.royalfree.nhs.uk/news-media/...
6. https://ico.org.uk/media/about-the-ico/p...
7. http://ico.org.uk/
8. https://twitter.com/iconews
9. https://ico.org.uk/global/privacy-notice/