The legal basis for the transfer of 1.6 million patent records from the UK’s National Health Service to Google DeepMind has been described as ‘inappropriate’ by a leading data protection figure in the NHS. The data was given to Google for one of several AI projects designed to use machine learning to assist in the diagnosis and treatment of a number of conditions.
Sky News reports that view was expressed in a letter written by Dame Fiona Caldicott, the National Data Guardian at the Department of Health …
Sky News has obtained a letter sent to Professor Stephen Powis, the medical director of the Royal Free Hospital in London, which provided the patients’ records to Google DeepMind.
It reveals that the UK’s most respected authority on the protection of NHS patients’ data believes the legal basis for the transfer of information from Royal Free to DeepMind was “inappropriate”.
It’s worth noting that Dame Caldicott is not necessarily attacking the fact that the data was shared, but rather the specific legal justification used.
While there are strict legal protections ensuring the confidentiality of patients’ records, under common law patients are “implied” to have consented to their information being shared if it was shared for the purpose of “direct care”. However, this basis was not valid in the arrangement between Royal Free and DeepMind.
In other words, as the work was not about treating the patients involved, but rather more general learning that may benefit others, consent could not be implied. Patients should instead have been specifically asked to consent to their records being shared.
The UK’s privacy watchdog the Information Commissioner’s Office (ICO) is currently investigating whether the transfer was legal, and expects to reach a decision soon.