NHS
The National Health Service shared partial data for 1.6 million patients with DeepMind. Getty

A British regulatory organization has found that the National Health Service violated data privacy laws when it shared patient records with Google’s DeepMind artificial intelligence startup.

In a statement announcing its findings, the Information Commissioner's Office said the Royal Free NHS Foundation Trust did not comply with the Data Protection Act when it provided partial records for more than 1.6 million patients to DeepMind. The data was originally provided to help bolster DeepMind’s Streams app and improve detection of acute kidney injury and other medical problems.

Read: Google's DeepMind Partners With UK's National Health Service

However, the Information Commissioner’s Office found that the Foundation Trust should have taken additional measures to inform patients about the data use. In its release, commissioner Elizabeth Denham said Streams and DeepMind’s work had clear benefits, but the Trust should have been clearer about the amount of data it needed and the reasons it wanted patient data.

“We’ve asked the Trust to commit to making changes that will address those shortcomings, and their cooperation is welcome,” Denham said. “The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.”

In its official findings, the Commissioner’s Office further detailed where the Trust violated the Data Protection Act. Officials found that the Trust did not do enough under the law to inform patients that their data was being used and argued that the 1.6 million patient records were an excessive amount of personal data to pull for its testing.

Additionally, patients traditionally have a legal right under the Data Protection Act to opt out of having their data used for testing. With the Trust’s lack of outreach to patients, few were able to exercise this right. Finally, regulators found that DeepMind and the Trust had minimal policies in place that focused on securing and protecting personal user data during its 2015 launch, though the Commissioner’s Office found that policies had been improved considerably since then.

DeepMind is a British artificial intelligence company that was acquired by Google in 2014. The company has worked to apply experimental artificial intelligence in a variety of areas related to the field and machine learning.

Read: Artificial Intelligence: Google's DeepMind Creates Neural Network

The Commissioner’s Office wants the Trust to follow several updated guidelines, including improving its testing transparency and how it handles patient data. In its own statement, the Trust said it agrees with the commission’s findings and will apply them in the future.

“We accept the ICO’s findings and have already made good progress to address the areas where they have concerns,” the Trust said. “For example, we are now doing much more to keep our patients informed about how their data is used. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.”