Google's DeepMind AI wing was given access to the personal medical records of 1.6 million NHS patients on an "inappropriate legal basis," the UK's top data protection adviser to the health service has said.
In a letter sent to the Royal Free Hospital's medical director professor Stephen Powis, and seen by Sky News, the National Data Guardian Dame Fiona Caldicott—whose job it is to scrutinise the government when it hands over NHS patient records to private companies—concluded that the decision to share the data under implied consent was wrong.
The London-based Royal Free Hospital (RFH) inked a controversial deal with Google last year, allowing its Streams AI app to be tested on the medical records of sufferers of acute kidney damage. It apparently helps clinicians to quickly administer potentially life-saving treatment.
However, Caldicott challenged the hospital's claim that the transfer of 1.6 million identifiable patient records to DeepMind had been processed as "implied consent for direct care."
In mid-2016, the RFH told the NHS data adviser that the Google app "is not currently in use," adding that "only small scale testing of the pre-production prototype version of Streams has taken place to date." At the time, the design and functionality of the app was being refined by Google, and the "clinical safety verification" process was ongoing. The hospital said that Streams "was not, and will not be relied on for patient care until this process has concluded."
Caldicott had written to the RFH in December explaining that she was advising the Information Commissioner's Office on the common law duty of confidentiality around the sharing of identifiable medical records where consent is implied for the purpose of direct care. She said:
My view is that when work is taking place to develop new technology this cannot be regarded as direct care, even if the intended end result when the technology is deployed is to provide direct care. Implied consent is only an appropriate legal basis for the disclosure of identifiable data for the purposes of direct care if it aligns with people's reasonable expectations, i.e. in a legitimate relationship.
If the ICO, which is probing the transfer of information, agrees with Calidcott that there was no legal basis for the records to be shared with DeepMind, then Google will be required to delete the data.