Google accessed NHS health records on 'inappropriate legal basis': official

May 17, 2017
by Thomas Dworetzky, Contributing Reporter
Access to National Health Service records of 1.5 million patients was granted to Google's DeepMind AI on an "inappropriate legal basis," according to a top U.K. N.H.S. data protection advisor.

National Data Guardian Dame Fiona Caldicott — charged with oversight of the way that N.H.S. manages patient records in deals with private firms — has now sent a letter expressing that concern to Stephen Powis, medical director of the Royal Free Hospital in London.

Caldicott, who was part of an investigation into the “controversial” arrangement, wrote in her letter, released Monday by Sky News, that “my view is that when work is taking place to develop new technology this cannot be regarded as direct care, even if the intended end result, when the technology is deployed, is to provide direct care. Implied consent is only an appropriate legal basis for the disclosure of identifiable data for the purposes of direct care if it aligns with people's reasonable expectations, i.e. in a legitimate relationship.”

Identifiable patent data is protected in the U.K., as it is in the U.S. That said, while common law does grant “implied consent” by the patient when the data is used for “direct care,” Caldicott has challenged that giving DeepMind identifiable patient records fell under that use.

At issue is a deal between the search giant and the Royal Free Hospital signed in 2016, that provided the data so that Google's DeepMind could test its Streams AI app using information from those with acute kidney damage.

Streams can analyze patient data and potentially identify patients that are deteriorating so that they can receive lifesaving care more quickly.

Powis had stressed, according to Sky News, that "a quarter of deaths from (acute kidney injuries) are preventable if clinicians are able to intervene earlier and more effectively."

In the deal agreement, both parties stated that, “information sharing between organisations must always be consistent with the Caldicott principles.”

These include adequate justification for using confidential information, to use only when it is absolutely necessary; to use the minimum; to provide access on a strict need-to-know basis; an understanding by everyone of their responsibilities; and to understand and comply with the law.

When the deal was cut, the hospital “told the NHS data adviser that the Google app "is not currently in use," adding that "only small-scale testing of the preproduction prototype version of Streams has taken place to date," according to Caldicott's letter. Google was still working on the beta of the app at that point and doing “clinical safety verification,” according to the technology news site Ars Technica UK.

The hospital stressed that at that point the app Streams, "was not, and will not be relied on for patient care until this process has concluded," the site reported.

Powis responded to the input by stating that, “we have been very grateful to Dame Fiona for her support and advice during this process and we would absolutely welcome further guidance on this issue,” according to Sky News.

Caldicott wrote that she had offered her thoughts to the Information Commissioner's Office (ICO), which is the overseer of data for the U.K.

That group is now considering the legality of the deal under the the Data Protection Act, and told Sky News that it is “close to conclusion" in its investigation.

"We continue to work with the National Data Guardian and have been in regular contact with the Royal Free and DeepMind, who have provided information about the development of the Streams app," the ICO told the news channel.

DeepMind's clinical chief, Dr. Dominic King, sought to assure all involved, telling Ars Technica UK that, “at no point has any patient data been shared with other Google products or services, or used for commercial purposes,” adding that, "I think one thing that we do recognize that we could have done better is make sure that the public are really informed about how their data is used."