Royal Free NHS Trust – Google DeepMind trial failed to comply with data protection law

Wizuda case study: NHS illegally handed Google over 1.6 million patient records

Wizuda’s CTO – Shane O’Keeffe explains how using pseudonymisation can speed up medical research programs whilst avoiding embarrassing data protection issues.

The recent high profile case brought by the ICO in the UK found that the NHS illegally handed Google over 1.6 million patient records. The Trust provided the personal data as part of a trial to test an alert, diagnosis and detection system for acute kidney injury.  An ICO investigation found several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test.

One of the key findings from the ICO’s report on the case is:

In this case, we haven’t been persuaded that it was necessary and proportionate to disclose 1.6 million patient records to test the application.’

The simple fact is that it wasn’t necessary to use actual patient records in the test phase. With intelligent use of pseudonymisation it’s a straightforward task to produce meaningful data to allow for full testing of new software and processes. It’s something that we’ve been doing at Wizuda for our clients across Europe and the Middle East for several years.

One example is a large research institute in the Middle East who conceived a project to identify and map overlapping social groups using mobile call detail records. Call detail records can contain a large amount of sensitive personal information including phone numbers and call location information. To overcome this, the originator of the data uses the Anonymisation module of Wizuda to pseudonymise the data to ensure that the data received by the research institute remained useful while removing the ability for anyone to trace the data back to the individuals.

Our software allows for consistent replacement of values with the same tokens both within a dataset and across multiple sets of data using customisable lookup lists. By consistently replacing sensitive values in each batch of data with the same tokens, the researchers could build their profiles without having the overheads of securing and managing large datasets of sensitive and personally identifiable information.

The creation of anonymised or pseudonymised data usually requires significant analysis to ensure the output data is both secure and useful but with Wizuda’s Anonymisation module, the process of creating those datasets is quick and intuitive. Processing of large datasets can be scheduled and distributed to ensure optimal performance even if data is being processed in a real-time environment.

It’s now clear that even highly laudable medical research programs have to follow the law with regard to data protection. Building the use of pseudonymisation into Privacy Impact Assessments at the start of any program will certainly help speed up the testing stage and allows program owners time to assess what, if any, level use of actual personal data should be rolled out over time as and when patients consent is obtained.

If you’d like to find out more about Wizuda’s solutions in this area please contact us for more information.

the challenge - wizuda case studies

The board of a multinational medical device organisation required a secure, cloud-based solution which facilitated virtual board member collaboration on key documents in preparation for monthly board meetings.

The documentation was regularly of a highly commercially sensitive nature, largely relating to ongoing clinical trials, and as such demanded a secure and encrypted platform which could be implemented without the engagement of internal IT resources.

Key challenges that need to be  considered:

  • Geographically dispersed stakeholders
  • Highly commercially sensitive documentation
  • No internal IT involvement
  • Multiple stakeholders required to collaborate on
    single documents
the solution- wizuda case studies

Wizuda MFT gave them a centralised view of all their file transfer activities and a network overview of the data flows. IT now had instantly available reporting and could provide geographic maps and network overviews to senior management of all file transfer activities in the organisation. These could also be categorised in ways that made sense for the business from a priorities perspective. Wizuda’s unique ‘Health Check’ dashboard with automated monitoring and alerts, allowed them to manage all transfer operations proactively and ensured they were always on top of any issues.

From a GDPR compliance perspective, transfers could be linked to Data Protection Impact Assessments were required and data could be anonymised as part of the transfer process. Wizuda MFT enabled them to apply the latest security protocols for file transfers and encrypt data at rest and in transit. Passing cyber-security and GDPR compliance audits became a lot easier.

About Wizuda

Developing IT Solutions to Make Businesses Better

At Wizuda we focus on developing IT solutions which help businesses grow and empower people to collaborate and stay connected securely and compliantly. Specialists in secure data transfer since 2001, all development and support operations are carried out from our two Irish 

offices located in Dublin (Wizuda Headquarters) and Limerick. We pride ourselves in developing software solutions that allow organisations to take back control of their file transfer and data sharing operations, enabling them to operate efficiently, securely and compliantly

Quick Contact