A British hospital trust misused patient data when it shared information with Google for work on a smartphone app to help detect kidney injuries, a British data protection watchdog has found.
The Royal Free NHS Trust failed to comply with the Data Protection Act when it passed on personal information of around 1.6 million patients to Google's DeepMind.
"There's no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights," Elizabeth Denham, head of the Information Commissioner's Office (ICO), said in a statement.
The data was provided in a medical trial that integrated information from existing systems used by the Royal Free to alert clinicians when signs of deterioration in a patient with acute kidney injury (AKI) were found.
The investigation found that many patients did not know their data was being used as part of a test.
"We accept the ICO's findings and have already made good progress to address the areas where they have concerns," the trust said in a statement.
As a result, the trust has signed a document agreeing to make change to the way it handles data.
Although the ICO's findings related to the hospital, Google's artificial intelligence arm has also taken responsibility, admitting it underestimated the complexity of Britain's state-run National Health Service and the rules around patient data.
"We were almost exclusively focused on building tools that nurses and doctors wanted, and thought of our work as technology for clinicians rather than something that needed to be accountable to and shaped by patients, the public and the NHS as a whole," Google DeepMind said in a statement.
"We got that wrong, and we need to do better."