London’s Royal Free hospital failed to comply with the Data Protection Act when it handed over personal data of 1.6 million patients to DeepMind, a Google subsidiary, according to the Information Commissioner’s Office.

The data transfer was part of the two organisations’ partnership to create the healthcare app Streams, an alert, diagnosis and detection system for acute kidney injury. The ICO’s ruling was largely based on the fact that the app continued to undergo testing after patient data was transferred. Patients, it said, were not adequately informed that their data would be used as part of the test.

“Our investigation found a number of shortcomings in the way patient records were shared for this trial,” said Elizabeth Denham, the information commissioner. “Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening.

“We’ve asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.”

The ICO ruled that testing the app with real patient data went beyond Royal Free’s authority, particularly given how broad the scope of the data transfer was. “A patient presenting at accident and emergency within the last five years to receive treatment or a person who engages with radiology services and who has had little or no prior engagement with the Trust would not reasonably expect their data to be accessible to a third party for the testing of a new mobile application, however positive the aims of that application may be,” the office said in its findings.

While privacy campaigners were hoping the ruling would touch on the continued use of patient data for the production version of Streams, the ICO was muted on the live use of Streams in a clinical environment, but warned that “concerns regarding the necessity and proportionality of the use of the sensitive data of 1.6 million patients remain”.

The Royal Free has been asked to commission a third-party audit of the trial following the ruling, complete a privacy assessment, set out how it will better comply with its duties in future trials and establish a proper legal basis for the DeepMind project.

In a statement, the hospital trust said: “We are pleased that the information commissioner … has allowed us to continue using the app which is helping us to get the fastest treatment to our most vulnerable patients – potentially saving lives.

“We accept the ICO’s findings and have already made good progress to address the areas where they have concerns. For example, we are now doing much more to keep our patients informed about how their data is used. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.”

The ruling does not directly criticise DeepMind, a London-based AI company purchased by Google in 2013, since the ICO views the Royal Free as the “data controller” responsible for upholding the Data Protection Act throughout its partnership with Streams, with DeepMind acting as a data processor on behalf of the trust.

In a blogpost, the company said: “We welcome the ICO’s thoughtful resolution of this case, which we hope will guarantee the ongoing safe and legal handling of patient data for Streams.

“Although today’s findings are about the Royal Free, we need to reflect on our own actions too. In our determination to achieve quick impact when this work started in 2015, we underestimated the complexity of the NHS and of the rules around patient data, as well as the potential fears about a well-known tech company working in health.

“We were almost exclusively focused on building tools that nurses and doctors wanted, and thought of our work as technology for clinicians rather than something that needed to be accountable to and shaped by patients, the public and the NHS as a whole. We got that wrong, and we need to do better.”

The company highlighted a number of changes it had made since the launch of Streams, including a significant increase in transparency, and the creation of an independent health review board.

Streams has since been rolled out to other British hospitals, and DeepMind has also branched out into other clinical trials, including a project aimed at using machine-learning techniques to improve diagnosis of diabetic retinopathy, and another aimed at using similar techniques to better prepare radiotherapists for treating head and neck cancers.