- Fotolia

ICO probes Google DeepMind patient data-sharing deal with NHS Hospital Trust

Data protection watchdog the information commissioner's office (ICO) investigates the NHS data-sharing deal with Google DeepMind, after a complaint from the public

The Information Commissioner’s Office (ICO) is investigating a patient data-sharing deal involving Google-owned artificial intelligence firm DeepMind and a London-based NHS Hospital Trust, Computer Weekly has learned.

The data protection watchdog confirmed an investigation into the arrangement is underway, on the back of at least one complaint from the general public.

The deal gives DeepMind access to the healthcare records of 1.6 million patients that pass through three hospitals in North London, which fall under the care of the Royal Free Hospital Trust.

The complaint, seen by Computer Weekly, questions whether DeepMind will be expected to encrypt the patient data it receives when at rest.

“Whilst the information-sharing agreement insists that personally identifiable information – such as name, address, post code, NHS number, date of birth, telephone number, and email addresses, etc – must be encrypted whilst in transit to Google, it does not explicitly prohibit that data being unencrypted at the non-NHS location,” the complaint read.

That said, a follow-up Q&A document, published on the Royal Free website, does state: "All information sent to and processed by DeepMind is encrypted both in transit to, and at rest within, the DeepMind Health cluster." 

Read more about Google and data protection

Patient data privacy concerns

The New Scientist broke the news of the arrangement in April 2016, prompting an outpouring of data protection concerns from privacy experts.

Concerns have been voiced particularly as the data shared includes details pertaining to the HIV status of patients, the results of pathology and radiology tests patients have undergone, and details of A&E and outpatient admissions – including drug overdoses and abortions, for example.

The publication shared a link to an eight-page document, outlining the finer points of the data-sharing arrangement. Page 5 of the contract states there is no requirement for the information passed to DeepMind to be anonymised, because it is being held for “direct patient care purposes”.

The complainant picked up on this point, stating that this could put patient privacy at risk when accessed by DeepMind researchers.

“It is usual for personal data to be pseudonymised to mask the true identity of the patient,” the complaint said.

“In this contract it explicitly states: ‘As this data is being held for direct patient care purposes, pseudonymisation is not required.’ Therefore, there is some risk that personal data could be accessed at the non-NHS location.”

The complainant said the ICO responded to the concerns raised in the letter on 10 May 2016, and confirmed that it had assigned staff to investigate the deal in more detail.  

In a statement to Computer Weekly, an ICO spokesperson backed this assertion, and said the organisation is making enquiries into the data-sharing arrangement.

“Any organisation processing or using people’s sensitive personal information must do so in accordance with Data Protection Act,” the ICO said.

At the time of writing, Computer Weekly was awaiting further confirmation from the ICO about how many complaints or queries into the deal it has received, since news of its existence first broke in April 2016.

Digging into data

The data-transfer agreement forms part of a wider collaboration between DeepMind and NHS hospitals to develop software that alerts medical staff to patients at risk of kidney failure.

Given the specific aim of the project, the complainant – in a follow-up discussion with Computer Weekly – queried why so much data unrelated to kidney failure is being shared under the terms of the deal.

Particularly, as the Data Protection Act states, that the collection of personal information must be “adequate, relevant, and not excessive”.

“Google says since there is no separate dataset for people with kidney conditions, it needs access to all of the data, but this entails a wide range of healthcare data on the 1.6million patients who pass through each year, and access to data for the previous five years,” the complainant said.

“Surely Google or the NHS should commission a pre-selection of the targeted data, so they only transfer data about the relevant patients?

“Otherwise Google will receive and hold data about patients who do not have a kidney condition, but are HIV-positive, for instance – as well as details of drug overdoses and abortions.” 

In a statement to Computer Weekly, DeepMind co-founder Mustafa Suleyman reiterated the organisation’s commitment to ensuring the data it collects is securely protected and properly used.

"We are working with clinicians at the Royal Free to understand how technology can best help clinicians recognise patient deterioration – in this case acute kidney injury (AKI),” Suleyman said.

“We have, and will always, hold ourselves to the highest possible standards of patient data protection. This data will only ever be used for the purposes of improving healthcare and will never be linked with Google accounts or products."  

Read more on IT legislation and regulation