What happened

In 2015, the Royal Free London NHS Foundation Trust entered a partnership with Google’s DeepMind to develop and deploy the Streams mobile application, designed to help clinicians detect acute kidney injury more rapidly. As part of this collaboration, the trust transmitted identifiable patient data, including names, NHS numbers, dates of birth and clinical information for roughly 1.6 million patients, to DeepMind for testing and development of the app. 

The UK Information Commissioner’s Office investigated following public complaints and media scrutiny, ruling in July 2017 that the data sharing “failed to comply with the Data Protection Act” because patients were not adequately informed and the trust lacked a proper legal basis for processing their records for the app’s development and testing, not solely for direct patient care.

While no fines were imposed at that time, the ICO required the trust to commit to corrective actions, including conducting a privacy impact assessment, commissioning an independent audit of the trial, and establishing a lawful basis for future data processing.

Why it happened

The incident was driven by a "rush to innovate" that bypassed established regulatory safeguards.

• Transparency failures: Both the Trust and DeepMind operated with a lack of openness, with the deal only coming to light after an investigation by New Scientist in 2016.

• Accountability gaps: DeepMind admitted they "underestimated the complexity of the NHS" and focused almost exclusively on building tools for clinicians while ignoring their accountability to the public.

• Corporate ambition: Critics argued that DeepMind sought to "prove" its general AI capabilities and secure a foothold in the lucrative healthcare market by using a "one-way mirror" approach—gaining access to public data without allowing the public to track how that data influenced corporate decision-making or commercial products.