Google’s DeepMind AI company received the records of 1.6m NHS patients on an ‘inappropriate legal basis’, according to National Data Guardian (NDG) Dame Fiona Caldicott.
In a letter to NHS Royal Free Hospital Trust’s medical director Stephen Powis, leaked to Sky News, Caldicott says that the data received from the hospital by the London-based AI research lab, without the patients’ knowledge, did not follow guidelines regarding implied consent.
The data was acquired was in regards to the development of DeepMind’s Streams mobile app – which is designed to help clinical teams identify at risk patients and treat them as quickly as possible. This data was used to perform tests on the app, and ensure it met clinical safety standards.
Legally, data can only be shared under the notion of implied consent when a patient’s records are being distributed for the purpose of ‘direct care’. In this case, the app, being still in a development phase, was not in a position to provide direct care.
“It is my view and that of my panel that the purpose for the transfer of 1.6m identifiable patient records to Google DeepMind was for the testing of the Streams application, and not the provision of direct care to patients,” Caldicott wrote. “Given that Streams was going through testing and therefore could not be relied upon for patient care, any role the application might have played in supporting the provision of direct care would have been limited and secondary to the purpose of the data transferred.”
Caldicott does note that her, and her panel, “keenly appreciate the great benefits that new technologies such Streams can offer to patients,” but this does not relate to the case in question.
Caldicott’s views have been passed on to UK data protection officer Elizabeth Denham at the Information Commissioner’s Office – and the public body is carrying out its own investigation into the sharing of patient data between the Royal Free Hospital and DeepMind.