The UK’s Information Commissioner’s Office (ICO), a data protection watchdog, has confirmed that they are investigating the patient data sharing deal between the NHS and Google DeepMind following at least one complaint having been filed by the general public.
In April 2016, science and technology publication New Scientist revealed the existence of the arrangement between the NHS and Google DeepMind to share healthcare data on 1.6 million patients who pass through three London hospitals run by the Royal Free NHS Trust. Since then many privacy experts have voiced their concerns about data protection and potential privacy breaches.
The publication provided a link to an eight-page document describing the important details of the arrangement. The document reveals that page 5 of the contract states that there is no requirement for the information that is shared with DeepMind to be anonymised, because it is being held for “direct patient care purposes”. This means that DeepMind could potentially be putting patient privacy at risk as researchers access the data.
Additionally, the arrangement allows for DeepMind to gain access to patient information that is outside the scope of the research, which is limited to information on kidney failure.
Meanwhile the UK Data Protection Act states that the collection of personal information must be “adequate, relevant, and not excessive”.
Google have defended the arrangement by saying that since there is no separate NHS dataset for people with kidney conditions, it needed access to all of the data in order for the research programme to run effectively.
“We are working with clinicians at the Royal Free to understand how technology can best help clinicians recognise patient deterioration – in this case acute kidney injury (AKI),” said DeepMind Co-founder, Mustafa Suleyman.
In addition, a follow-up Q&A document, published on the Royal Free website, addresses some data protection concerns: “All information sent to and processed by DeepMind is encrypted both in transit to, and at rest within, the DeepMind Health cluster.”
“We have, and will always, hold ourselves to the highest possible standards of patient data protection. This data will only ever be used for the purposes of improving healthcare and will never be linked with Google accounts or products,” said Suleyman.