DeepMind’s work with the NHS has been in the spotlight again this week after a regulator referred to one of the company’s key partnerships with the NHS as legally inappropriate.
The Google-owned research lab is working with several NHS trusts but its first NHS deal with Royal Free London NHS Foundation Trust is proving to be the most troublesome.
The deal with The Royal Free was quietly signed in September 2015 and it gave DeepMind access to 1.6 million NHS patient records from November 2015 to November 2016. The records belong to patients that have visited one of the three hospitals in North London operated by the trust: Barnet, Chalk Farm, and the Royal Free.
DeepMind said it needed access to the medical records to help it develop its kidney monitoring mobile app, which is called Streams and has the potential to save lives by sending out alerts to clinicians when their patient’s condition suddenly deteriorates.
But medical records contain some of our most private information, including things like whether a person has had an abortion or what a person’s HIV status is, as well as our full names and addresses.
DeepMind and The Royal Free have insisted from the beginning that the patient data is safe and that they’re taking all the necessary precautions with it. DeepMind has also said on multiple occasions that the patient records cannot be seen by parent company Google and that they will not be passed on to a third party.
From day one, DeepMind and The Royal Free have also insisted that the deal is legally sound on the basis that the Streams app is providing “direct care” to patients — something that automatically assumes “implied consent” on the patient’s behalf.
But the deal’s legal basis doesn’t stand up
A letter leaked to Sky News and published on Monday shows that the National Data Guardian (NDG), Dame Fiona Caldicott, wrote to The Royal Free in December 2016 to let them know that the legal basis for the data-sharing deal was “inappropriate”.
“Given that Streams was going through testing and therefore could not be relied upon for patient care, any role the application may have played in supporting the provision of direct care would have been limited and secondary to the purpose of the data transfer,” she wrote. “My considered opinion therefore remains that it would not have been within this reasonable expectation of patients that their records would have been shared for this purpose.”
Those words can’t have gone down well with execs at DeepMind or The Royal Free. Indeed, DeepMind is now
So if “direct care” wasn’t the legal basis for the data-transfer deal then what was? DeepMind and The Royal Free are yet to specify another legal basis for their deal, possibly because it doesn’t satisfy any of them.
Julia Powles, a technology law professor at Cornell University, told Business Insider: “Any other basis required approval in advance — and DeepMind had no such approvals.”
It looks as though the company is preparing to try and shift some of the blame to the existing legal framework. In guidance sent to DeepMind Health’s review board that was seen by Business Insider, DeepMind said the NDG’s findings “exposed a guidance gap about how hospitals should test new systems.”
There are a number of other legal bases that data transfer deals between the NHS and a private company can fall under when identifiable patient information is involved. They include:
- Consent — this involves asking each of the individuals involved if you can use their data. Given the number of patient records that DeepMind wanted access to, this may not have been realistic.
- Section 251 — this is a section of the NHS Act 2006 that permits a patient’s sensitive identifiable data to be shared without their explicit consent for some purposes other than their care. It was introduced when the Department of Health recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information.
- Public interest — confidential medical information can also be disclosed when there is a case sufficient to override both the duty of confidence owed to an individual and also the public interest in keeping health records confidential. “The threshold for disclosure will be a relatively high one,” the government wrote in a data sharing and protection document in 2007.
Jenny Westaway, a spokesperson for the NDG, told Business Insider: “There are other legal bases that could be used to share data if the right conditions are met but I don’t want to give the impression by naming other legal bases that these are valid.
“If they (DeepMind and The Royal Free) are now seeking to suggest that another legal basis would have been viable, I think it’s up to them to say what that legal basis is and how they met it.”
The NDG is a non-statutory body (the bill to make it statutory failed this month) so it has no real power to issue any form of punishment. However, the Information Commissioner’s Office (ICO), the UK’s main data watchdog, is carrying out its own investigation into whether the deal was legal under the Data Protection Act and a verdict is expected to be made public in the coming weeks.
It’s likely that DeepMind and The Royal Free will try and hold off providing any further statements on the legal basis for their deal until that verdict is made public.
If the ICO concludes that the deal wasn’t legal, then DeepMind and the Royal Free can expect some form of punishment, which will likely be issued in the form of a fine.