Google has been given access to huge swathes of confidential patient information in the UK, raising fears yet again over how NHS managers view and handle data under their control.
In an agreement uncovered by the New Scientist, Google and its DeepMind artificial intelligence wing have been granted access to current and historic patient data at three London hospitals run by the Royal Free NHS Trust, covering 1.6 million individuals.
That would include any chronic illness people may be suffering from and the circumstances over why they were admitted – for example, if they have suffered a drug overdose. The agreement provides Google with access to data going back five years and is far more expansive than expected.
Google and DeepMind previously said they were working with the NHS on a product called "Streams" that would "present timely information that helps nurses and doctors detect cases of acute kidney injury."
The agreement however provides access to all patient data, covering issues far beyond just kidney functioning. Google reportedly claimed that since there is not a specific subset of information regarding kidneys, it needed access to everything.
The idea behind the data sharing is that Google's AI software may be able to identify patterns that can assist doctors and nurses in treating patients or in recognizing conditions earlier than normal.
The agreement includes a number of safeguards, including the fact that Google is not allowed to share the information beyond the specific project and must delete all data when the project ends in September 2017.
However, critics have already pointed to the fact that the hospital trust has not been upfront about the use of confidential patient information, has not informed patients that their personal information is being provided to a commercial entity, and has not provided patients with a reasonable way to opt-out of the data sharing.
The revelations come just days after health data regulator, the Health & Social Care Information Centre (HSCIC), noted that more than a million patients had opted-out of its Care.data scheme.
Care.data was announced three years ago and has been mired in controversy over the fact that there was little or no discussion with patients over their personal data being shared with private sector bodies.
It seems little or nothing has changed as a result of that argument, with the Google contract signed just over six months ago on 29 September 2015.
A spokesperson for the Royal Free trust downplayed the breach of trust saying "no patient-identifiable data" would be shared and that the information is at least encrypted in transit. However, according to the agreement between DeepMind and the NHS, the information sharing may include identifying information – such as names, addresses, health service ID numbers, photographs and videos.
Patients can opt out by asking their physicians, in writing, to do so, they said. However even that approach would not prevent people's live data feed from being shared.
The UK has a long history of favoring opt-out agreements when it comes to sharing information, requiring individuals to actively refuse access, as opposed to a European norm of opt-in, where people have to agree before third parties can use their information.
Regardless, the provision of such highly personal and confidential information without proper consultation and with patients forced to relying on data protection methods drawn up behind closed doors and written into non-public contracts has already created a stir. ®