Implied consent ‘not an appropriate legal basis’ for sharing 1.6 million patient records with DeepMind
Leaked letter from government's national data guardian Fiona Caldicott says patient records were being used to test and develop Streams app - not for direct care
The legal basis that Google’s DeepMind and London’s Royal Free NHS Trust used to justify granting access to 1.6 million patient records was not appropriate, according to the UK’s national data guardian for health, Fiona Caldicott.
The healthcare arm of Google's artificial intelligence company is working with the Royal Free to use patient data to develop an app, Streams, that will help doctors and nurses identify - and prioritise - patients at risk of acute kidney injury.
The project, launched in early 2016, came under fire when it was revealed that the data-sharing agreement gave the company access to a range of identifiable healthcare data on the 1.6 million patients passing through the hospitals each year.
Although the work was paused - later to be restated in November 2016 under a new agreement and a commitment from DeepMind to be more open with the public - the initial agreement is under investigation by the UK’s data watchdog, the Information Commissioner’s Office.
As part of this, the ICO asked Caldicott - who has written three reports into patient data sharing and consent within the health service - to give her opinion on the agreement.
This was reported to the ICO and the Royal Free in February, but was not made public until this week, when a letter to Stephen Powis, the medical director of the Royal Free Hospital in London, was leaked to Sky News.
In it, Caldicott noted that the company and trust had said that the basis for sharing the data was implied consent, because it was for the purposes direct care.
But, she said, the data was being used to test and develop the Streams app, and could not be regarded as direct care, meaning it wasn’t appropriate to use the legal basis of implied consent.
“It is my view, and that of my panel that the purpose for the transfer of 1.6 million identifiable patient records were only used for the testing of Streams application, and not for the provision of direct care to patients,” she said.
Caldicott added that she “did not believe that when the patient data was shared with Google DeepMind, implied consent for direct care was an appropriate legal basis”, and that it was her “considered opinion” that patients would not have reasonably expected their records to be used in this way.
“My view is that when work is taking place to develop new technology this cannot be regarded as direct care, even if the intended end result when the technology is deployed is to provide direct care,” the letter stated.
“Implied consent is only an appropriate legal basis for the disclosure of identifiable data for the purposes of direct case if it aligns with people’s reasonable expectations.”
Elsewhere in her letter, Caldicott stresses that both she and her panel “keenly appreciate the great benefits that new technologies such as Streams can offer to patients, in terms of better, safer, more timely care”.
And, although the letter does not raise any issues with the way the app - which has been in full use since January this year - is currently working, it said that the full benefits of innovative technologies will not be realised unless unless the use of patient data is done in “a transparent and secure manner, which helps to build public trust”.
Royal Free: 'NHS remained in full control of patient data'
In a statement sent to PublicTechnology, a spokesperson for the Royal Free said that the partners took a “safety-first approach”, by testing Streams with real patient data to make sure it presented the information accurately before using it in a live setting.
“Real patient data is routinely used in the NHS to check new systems are working properly before turning them fully live,” the spokesperson said. “No responsible hospital would ever deploy a system that hadn't been thoroughly tested. The NHS remained in full control of all patient data throughout.”
However, they added the hospital took Caldicott’s decision “seriously”, and acknowledged that, as the project was “one of the first of its kind in the NHS”, there were “always lessons we can learn”.
This point was also picked up on by Caldicott in her letter, which said that further guidance for organisations developing new technologies “would be useful” and that the Department of Health was “looking closely at the regulatory framework and guidance” it provides on this.
The letter was also sent to the ICO, to feed into its investigation, which the organisation said in a statement was nearly finished.
“Our investigation into the sharing of patient information between the Royal Free NHS Trust and Deep Mind is close to conclusion,” the statement said.
“We continue to work with the National Data Guardian and have been in regular contact with the Royal Free and Deep Mind who have provided information about the development of the Streams app. This has been subject to detailed review as part of our investigation. It’s the responsibility of businesses and organisations to comply with data protection law.”
Taking a punt on a start-up is better than explaining costly failures to the Public Accounts Committee, according to Daniel Korski
A fresh look at data protection and backup best practice, particularly when it comes to ransomware.
Des Ward, information governance director at Innopsis, reflects on the real story behind the WannaCry cyber-attack.
South East police force is looking for a supplier to build a new digital asset management system that could be rolled out right across the UK
BT will launch a new project with See.Sense, an innovative cycling company from Northern Ireland, to provide cyclists with sensor-enabled bike lights
BT's Phil Brunkard on technological innovation and how it's affecting the public sector
BT's Phil Brunkard on brain implants, parking spaces, and takeaways from BT Innovation Week