Access to National Health Service records of 1.5 million patients was granted to Google's DeepMind AI on an "inappropriate legal basis," according to a top U.K. N.H.S. data protection advisor.

National Data Guardian Dame Fiona Caldicott — charged with oversight of the way that N.H.S. manages patient records in deals with private firms — has now sent a letter expressing that concern to Stephen Powis, medical director of the Royal Free Hospital in London.

Caldicott, who was part of an investigation into the “controversial” arrangement, wrote in her letter, released Monday by Sky News, that “my view is that when work is taking place to develop new technology this cannot be regarded as direct care, even if the intended end result, when the technology is deployed, is to provide direct care. Implied consent is only an appropriate legal basis for the disclosure of identifiable data for the purposes of direct care if it aligns with people's reasonable expectations, i.e. in a legitimate relationship.”
Identifiable patent data is protected in the U.K., as it is in the U.S. That said, while common law does grant “implied consent” by the patient when the data is used for “direct care,” Caldicott has challenged that giving DeepMind identifiable patient records fell under that use.

At issue is a deal between the search giant and the Royal Free Hospital signed in 2016, that provided the data so that Google's DeepMind could test its Streams AI app using information from those with acute kidney damage.

Streams can analyze patient data and potentially identify patients that are deteriorating so that they can receive lifesaving care more quickly.

Powis had stressed, according to Sky News, that "a quarter of deaths from (acute kidney injuries) are preventable if clinicians are able to intervene earlier and more effectively."

In the deal agreement, both parties stated that, “information sharing between organisations must always be consistent with the Caldicott principles.”

These include adequate justification for using confidential information, to use only when it is absolutely necessary; to use the minimum; to provide access on a strict need-to-know basis; an understanding by everyone of their responsibilities; and to understand and comply with the law.

When the deal was cut, the hospital “told the NHS data adviser that the Google app "is not currently in use," adding that "only small-scale testing of the preproduction prototype version of Streams has taken place to date," according to Caldicott's letter. Google was still working on the beta of the app at that point and doing “clinical safety verification,” according to the technology news site Ars Technica UK.

Health IT Homepage