According to the National Data Guardian, the most senior data protection adviser to the NHS, Google’s DeepMind unit received the personally identifying medical records of 1.6 million NHS patients on an “inappropriate legal basis,” Sky News reported Tuesday. Specifically, a letter from Dame Fiona Caldicott, National Data Guardian at the Department of Health, addressed to Stephen Powis, the medical director of the Royal Free Hospital in London, which provided the patients’ records to Google DeepMind, said she had informed Royal Free and DeepMind in December that she “did not believe that when the patient data was shared with Google DeepMind, implied consent for direct care was an appropriate legal basis.”
Last February, DeepMind Technologies teamed up with the Imperial College London and the Royal Free London NHS Foundation Trust, through a venture called DeepMind Health, as part of its move into healthcare. Within the NHS, DeepMind piloted a smartphone app, called Streams, to detect patients at greatest risk of acute kidney injury. In May 2016, a report indicated that data on 1.6 million patients at London hospitals were passed to DeepMind as part of the data-sharing agreement between the artificial intelligence company and the NHS. Last November, DeepMind expanded the data-sharing partnership with the Royal Free London NHS Foundation Trust to further develop the app. At the time the parties said the first version of Streams was expected to be launched across Royal Free hospital sites in early 2017.
While Caldicott did not dispute the value of the app for patients, she explained that in her “considered opinion” the “purpose for the transfer of 1.6 million identifiable patient records to Google DeepMind was for the testing of the Streams application, and not for the provision of direct care to patients.” She added that “my considered opinion therefore remains that it would not have been within the reasonable expectation of patients that their records would have been shared for this purpose.”
Caldicott’s assessment is being considered by the UK’s Information Commissioner’s Office (ICO), which is investigating whether the transfer was legal under the Data Protection Act. The ICO said that “we continue to work with the National Data Guardian and have been in regular contact with the Royal Free and DeepMind who have provided information about the development of the Streams app.” The ICO added that its probe “is close to conclusion.”
Meanwhile, Powis noted that the testing for the Streams app has now concluded and it is being used at the Royal Free Hospital under a second agreement that is not part of the investigation. Powis said that “I think everybody’s agreed that we need to test, and when that involves patient data – and if it includes using large quantities of patient data – yes, I think we absolutely need to look at that again, collectively, everybody in the system, and we need to understand the guidance around that.”
Commenting on the matter, Dominic King, clinical lead at DeepMind, stressed that although acquired by Google, the company “operates independently,” adding “at no point has any patient data been shared with other Google products or services, or used for commercial purposes.” King continued “I think one thing that we do recognise that we could have done better is make sure that the public are really informed about how their data is used.”
In March, DeepMind Health introduced a new initiative, dubbed Verifiable Data Audit, which the company said at the time aims “to provide the health service with technology that can help clinicians predict, diagnose and prevent serious illnesses.”
Ref: Business Insider, Financial Times, The Independent, BBC News, Bloomberg, The Guardian, Sky News