
Google DeepMind patient data-sharing based on inappropriate legal grounds, says Caldicott

National data guardian for health and care says the NHS data-sharing deal with Google DeepMind, which relied on implied consent from patients, was made on an inappropriate legal basis

The controversial data-sharing deal between the Royal Free Hospital NHS Foundation Trust and Google-owned artificial intelligence firm DeepMind has come under fire from national data guardian Fiona Caldicott.

The arrangement gives DeepMind access to the identifiable healthcare records of 1.6 million patients in order to test its Streams application. But in a letter to Royal Free medical director Stephen Powis, which was first leaked to Sky News, Caldicott expressed her concern that the legal basis for sharing the data was not appropriate.

In the letter, she told Powis that she had informed the hospital in December 2016 that she did not believe “that when the patient data was shared with Google DeepMind, implied consent for direct care was an appropriate legal basis”.  

In May last year, the Information Commissioner’s Office (ICO) launched an investigation into the deal after receiving complaints from the public. The ICO consequently asked Caldicott to provide advice on the use of implied consent, which means that patients are not asked to consent to the data being used each time.

In her letter, Caldicott said that as the data was being used to test the app and not for direct patient care, her opinion remained that “it would not have been within the reasonable expectation of patients that their records would have been shared for this purpose”.

The Streams app aims to help clinicians identify those at risk of acute kidney injury (AKI) by sending alerts to doctors and nurses, helping them to prioritise those who need immediate intervention.

DeepMind aims to use the data to develop and test the app, which Caldicott said “could not be regarded as direct care, even if the intended end result when the technology is deployed is to provide direct care”.

“Implied consent is only an appropriate legal basis for the disclosure of identifiable data for the purposes of direct care if it aligns with people’s reasonable expectations, such as in a legitimate relationship,” she said in the letter.

Privacy campaign group MedConfidential coordinator Phil Booth said DeepMind had “no legal basis for the project”.

“This letter shows that Google DeepMind must know it had to delete the 1.6 million patient medical records it should never have had in the first place,” he said. “There were legitimate ways for DeepMind to develop the app they wanted to sell. Instead they broke the law, and then lied to the public about it. 

“Every flow of patient data in and around the NHS must be safe, consensual and transparent. Patients should know how their data is used, including for possible improvements to care using new digital tools. Such gross disregard of medical ethics by commercial interests – whose vision of ‘patient care’ reaches little further than their business plan – must never be repeated.”

On its website, DeepMind said it had learned lessons from the project, including that it should have announced its plans before “our first hospital partnership”.

“We should also have done more to engage with patients and the public at that time, including by proactively providing information about how patient data would be processed, and the safeguards around it,” DeepMind said.

It added that it had taken steps to become “the most transparent company working in NHS IT” and would use its website to publish future contracts with NHS hospitals.

The original complaint sent to the ICO, seen by Computer Weekly, questioned whether DeepMind would be expected to encrypt the patient data it received when at rest.

“While the information-sharing agreement insists that personally identifiable information – such as name, address, postcode, NHS number, date of birth, telephone number and email addresses – must be encrypted while in transit to Google, it does not explicitly prohibit that data being unencrypted at the non-NHS location,” the complaint read.

A follow-up document published on the hospital’s website said all information sent to and processed by DeepMind “is encrypted both in transit to, and at rest within, the DeepMind Health cluster”.
