Google DeepMind AI division alleged to have received data from 1.6m NHS patients on an ‘inappropriate legal basis’.
Concerns over how the NHS handles data have been raised after it emerged that Google’s DeepMind AI division may have wrongly been granted access to the personal records of 1.6m patients.
The UK’s top data protection adviser to the health service, national data guardian Dame Fiona Caldicott, said that DeepMind was given access to the patients’ records on an inappropriate basis.
In a letter sent to the medical director of the Royal Free Hospital, Stephen Powis, which was seen by Sky News, Caldicott concluded that the decision to share the data under implied consent was incorrect under common law.
The situation stems back to when Royal Free Hospital in London signed a controversial deal with Google last year, allowing the internet giant’s Streams AI app to be tested on the medical records of sufferers of acute kidney damage.
The objective was to help clinicians to administer life-saving treatment more efficiently.
Streams is a healthcare app developed by DeepMind, a UK business acquired by Google, that can detect if patients are suffering from acute kidney injuries and then rapidly inform clinicians so that they can receive treatment.
These concerns are particularly timely following the massive WannaCry cyberattack last week that saw 16 hospitals and 40 NHS organisations held to ransom by hackers.
Under common law, patients are “implied” to have consented to their information being shared if it was done so for the purpose of “direct care”.
However, Caldicott said that this basis may not have been valid in the arrangement.
Caldicott wrote that she “did not believe that when the patient data was shared with Google DeepMind, implied consent for direct care was an appropriate legal basis”.
She said that while she understood the potential benefits of the Streams app and that the transfer of the data of 1.6m patients was for the purpose of testing the app, the patients themselves would not have expected their data to have been shared for this reason.
The UK’s data watchdog, the Information Commissioner’s Office, is investigating whether the transfer was legal under the Data Protection Act.
Updated, 5.34pm, 16 May 2017: The original headline of this article – which read ‘Google AI arm investigated in UK over transfer of 1.6m NHS patients’ data’ – was misleading and has since been changed. The headline implied that Google DeepMind is under investigation. We wish to clarify that the data controller is the Royal Free Hospital, and, as a result, this is who is being investigated by the Information Commissioner’s Office, not DeepMind.