The U.K.’s data protection watchdog has finally shared the results of its lengthy investigation into DeepMind’s original deal with the NHS. According to the Information Commissioner’s Office, the Royal Free NHS Foundation Trust failed to comply with the Data Protection Law in its deal with Google’s DeepMind.

The Trust originally agreed to share 1.6 million patients’ medical records with DeepMind to work on an alert system for acute kidney injuries.

The Trust will have to change how it works with DeepMind in order to comply with the law. In particular, it needs to establish “a proper legal basis” and share more information about how it handles patients’ privacy.

This deal has caused a ton of controversy. TechCrunch’s Natasha Lomas has covered the fallout extensively. The ICO is only ruling on the first information-sharing agreement as DeepMind has revised its information-sharing agreements with other NHS Trusts.

The investigation started in May 2016 with two important concerns. First, health data is sensitive and should be handled with extreme caution. Second, the Trust hadn’t properly informed its patients that this information-sharing agreement was happening.

So the Trust will have to fix this lack of transparency and work within the boundaries of the Data Protection Law. The Trust also must commission an audit on the trial with DeepMind. The results of the audit will be shared with the data protection watchdog.

The Trust has released a statement on its website: “We accept the ICO’s findings and have already made good progress to address the areas where they have concerns. For example, we are now doing much more to keep our patients informed about how their data is used. We would like to reassure patients that their information has been in our control at all times and has never been used for anything other than delivering patient care or ensuring their safety.”

DeepMind has appointed a group of independent reviewers to look at the deal, as well. You can expect to hear more from those reviewers in the coming days, even though their review doesn’t have any legal value.

Here’s Information Commissioner Elizabeth Denham’s full statement:

“There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights. Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening. We’ve asked the Trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people’s data is being used.”

The ICO also has published a blog post, reminding everyone why privacy is important and the key lessons of this investigation.