Google mishandled NHS patient data, investigation warns
Fri 12 May 2017

The Information Commissioner’s Office is expected to publish a letter later today questioning Google DeepMind’s management of NHS patient data.
The Information Commissioner’s Office (ICO) initiated an investigation last March through the National Data Guardian (NDG) to review Google’s partnership with the NHS. A preliminary result outlined in a letter from the NDG to DeepMind shows that the company may have mishandled patient data during pre-deployment of a patient care app.
Last November, Google’s DeepMind signed a five-year agreement with an NHS hospital trust to create a notification system for doctors whereby patient updates and test results would be forwarded to physician’s mobile devices, helping to reduce paperwork and waiting times and improve patient care.
However, the notification system requires DeepMind have access to confidential patient information. The NHS granted DeepMind access to millions of records, not limited to those directly related to the initial app that was created.
The NDG specifically reviewed an app called ‘Streams’, directed at patients suffering from acute kidney problems. The app was created and tested as part of a year-long project between DeepMind and the NHS.
The problem that surfaced during the investigation was related to the use of patient data in the pre-deployment testing period.
DeepMind used live data from real patients while testing the system, relying on ‘implied consent’ from individuals rather than getting specific releases from patients to use their data while testing the application.
The NDG found that since the app was being tested prior to deployment it did not meet the ‘direct care’ requirement of implied consent, and patient data was therefore being used without consent.
Privacy advocates have long criticized the NHS-Google partnership, as DeepMind was granted access to millions of patient data records, not limited to those directly related to the Streams app. The NHS defended its decision, stating that it “provides DeepMind with NHS patient data in accordance with strict information governance rules and for the purpose of direct clinical care only.”
Additionally, a recent academic paper referred to the NHS-Google partnership as a cautionary tale, and said that “The failure on both sides to engage in any conversation with patients and citizens is inexcusable.” The researchers also noted that DeepMind is inextricably linked with Google, the world’s largest advertising company, which now had unfettered access to the healthcare records of a huge group of people who would never need or benefit from the Streams app.
Google announced in March that it intended to manage NHS patient data using a blockchain-based distributed ledger system to protect patient data and provide real-time updates to patients and physicians in a secure and verifiable manner. The new system, called “Verifiable Data Audit”, is intended to improve communication, transparency and data control to help build trust between partners and patients.
The ICO is expected to conclude the year-long investigation into the NHS-Google partnership soon, with an official verdict expected in the coming weeks.