NHS patients’ data illegally given to Google


The transfer of 1.6 million NHS patients’ personally identifying data to Google was illegal, according to the UK’s data watchdog.

The Royal Free NHS Trust gave the data to Google DeepMind, the artificial intelligence arm of Google, for the purpose of testing a smartphone app called Streams – and did so without requesting the patients’ permission.

In doing so it “failed to comply with the Data Protection Act” the Information Commissioner’s Office (ICO) ruled today, following the conclusion of a long investigation into the deal.

Data belonging to a 1.6 million patients, some of whom had simply attended A&E within the last five years, was given to Google to test a smartphone app which could detect acute kidney injuries (AKIs).

The watchdog stated that those patients did not consent to the transfer, and that the justification offered by Royal Free and DeepMind was unlawful.

Although the regulator has the power to issue monetary penalties of hundreds of thousands of pounds, it chose to recognise a dearth of guidance from the Department of Health in demanding that Royal Free commit to make changes to address its shortcomings.

Elizabeth Denham, the information commissioner, said that while there was “huge potential” in the use of patient data to deliver clinical improvements, “the price of innovation does not need to be the erosion of fundamental privacy rights”.

The ruling follows a Sky News investigation in May which revealed that the most senior data protection adviser to the NHS, Dame Fiona Caldicott, had warned the ICO that patients’ data had been transferred to Google on an “inappropriate legal basis”.

At the time of the Sky News investigation, Royal Free’s Professor Stephen Powis said: “We have been very grateful to Dame Fiona for her support (and) advice during this process and we would absolutely welcome further guidance on this issue.”

Royal Free Hospital said it would “consider” the ICO’s findings when they were released. In a statement today, the Trust said: “We accept the ICO’s findings and have already made good progress to address the areas where they have concerns.”

DeepMind, originally a British business that was acquired by Google in 2014, received the data to test a smartphone app called Streams which could detect if patients were suffering from AKIs and then rapidly inform clinicians so that those patients’ could receive potentially life-saving treatment.

The testing for the Streams app has now concluded and the app itself is being used at the Royal Free Hospital under a second agreement which is not being investigated by the ICO.

In a statement released on its site, DeepMind said it welcomed “the ICO’s thoughtful resolution of this case, which we hope will guarantee the ongoing safe and legal handling of patient data for Streams”.

“Although today’s findings are about the Royal Free, we need to reflect on our own actions too,” the company stated.

“In our determination to achieve quick impact when this work started in 2015, we underestimated the complexity of the NHS and of the rules around patient data, as well as the potential fears about a well-known tech company working in health.”

In response to critics alleging that it had not sought NHS patients’ permission to receive their data, DeepMind appointed nine “Independent Reviewers” to judge its handling of patients’ data.

DeepMind claims it appointed the independent reviewers “long before any regulatory or media criticism”. A spokesperson told Sky News that the reviewers have been in place since February 2016.

Those independent reviewers’ report on the company’s use of patient data is now due to be released on Wednesday.

On seeing the ICO’s ruling, Phil Booth, coordinator of medConfidential – an organisation which campaigns in support of the privacy of patients’ data within the NHS – said: “We look forward to Google DeepMind’s Independent Reviewers’ report on Wednesday.

“Google DeepMind has shown that it is content to break the law in order to get copies of people’s medical records. That being the case, how can the public trust Google’s ongoing exploitation of their healthcare data?”