A UK hospital did not do enough to protect the privacy of patients when it shared data with Google, the UK's Information Commission (ICO) has ruled.
The ICO censured the Royal Free NHS Foundation Trust about data handed over during tests of a novel way to detect kidney injuries.
Among other failings, the ICO said the hospital did not tell patients enough about the way their data was used.
The trust said it would tackle "shortcomings" in its data-handling.
Details on about 1.6 million patients were provided to Google's DeepMind division during the early stages of an app test last year.
The information was used to develop and refine an alert, diagnosis and detection system that can spot when patients are at risk of developing acute kidney injury (AKI). The result was an app called Streams, designed to help doctors spot patients at risk of AKI.
In a statement, information commissioner Elizabeth Denham said attempts to make creative use of data had to be carefully managed.
"The price of innovation does not need to be the erosion of fundamental privacy rights," she said.
The trust has not been fined as a result of the investigation; instead, it has signed an undertaking to make changes to the way it handles data.
The trust has pledged to:
- sort out the legal basis for future trials with DeepMind and other companies
- set out how it will meet its duty of confidence to patients in future trials
- assess the impact the trial has had on privacy
- audit the trial to see how it performed and share the details with the ICO
In a statement, the Royal Free said it had co-operated fully with the ICO's investigation and welcomed the guidance it had received on the best way to use patient data in future trials.
It added that it was "pleased" that the ICO had let it continue using the Streams app to help patients.
"We accept the ICO's findings and have already made good progress to address the areas where they have concerns," it said.
"We passionately believe in the power of technology to improve care for patients and that has always been the driving force for our Streams app."
In a statement, Google said it welcomed the "thoughtful resolution" of the case and added that it would reflect on its involvement with the hospitals.
"We underestimated the complexity of the NHS and of the rules around patient data, as well as the potential fears about a well-known tech company working in health," wrote Dominic King, DeepMind's clinical lead on health, and Mustafa Suleyman, DeepMind's co-founder.
The statement said the AI division had concentrated on building tools for clinicians rather than thinking about how the project should be shaped by the needs of patients and the public.
"We got that wrong, and we need to do better," they wrote and then went on to outline steps the division would take to make sure future trials took more notice of privacy worries.
The deal between the Royal Free and DeepMind first became public in February 2016 and caused controversy over the amount of patient information being shared without public consultation.
In March this year, an academic report into the way patient data had been handled found "inadequacies" in the way information had been handed over.
The authors said that it was "inexcusable" that patients had not been told about what had been happening to their data.
At the time, Google DeepMind said the report had "major errors" that misrepresented the way it and the Royal Free had used data.