ICO Ruling on NHS Trust unnecessarily exposing patient data proves need for encryption

This week’s ruling from the UK’s Information Commissioners Office (ICO), that found the Royal Free NHS Foundation Trust did not do enough to protect the privacy of patients when it shared data with Google, has significant implications for Trusts that want to take advantage of using third party application providers and researchers for improving patient care.

The Royal Free NHS Foundation Trust, in a bid to come up with a more innovative way to create an early diagnosis warning for patients developing acute kidney injury, handed over the data of approximately 1.6 million patients to Google’s DeepMind AI research division to be used to build an application called Streams.

The ICO ruled that patients were not informed sufficiently about the use of their data and gave the Trust recommendations, not fines, to help it make significant changes to the way it handles private patient data – including to assess legalities of future trials and the consequences to patient privacy.

While there can be no doubt about the importance of medical trials for advances in patient care, it should never be at the expense of someone’s privacy – and using an app to collect medical data puts that privacy at risk. From the moment the data leaves the Trust to go to the third party, it is at risk unless data protection measures are put in place to help keep data anonymised.

Moving forward, technology that encrypts or tokenises Personally Identifiable Information (PII) should be implemented to guarantee that patient’s most private data is kept anonymous from all entities outside of the NHS Trust. With solutions like the eperi Gateway, it is possible to anonymise certain PII data fields so that the third party only has access to the data that it needs to carry out its analysis.

Importantly, to offer patients the utmost assurance that their data is safe, the encryption keys should be held within the Trust itself.

Innovation is of course going to further medicine and help save lives, and this is clearly a case of the Trust having a great idea that they wanted to run with in order to ultimately improve patient care and help early diagnosis for a painful condition. In this day and age, however, data is at a premium for hackers and cybercriminals who can use people’s personal information for all manner of crime and so it has to move to top of mind for all industries, especially healthcare. Encrypting and protecting the data itself is a sure-fire way to prevent exposure, because even if the criminal is able to get a hold of it, there is no way to read it without the decryption key.