Transfer of 1.6 million medical records to Google was legally flawed, Royal Free Hospital warned

National Data Guardian Dame Fiona Caldicott warns that transfer of medical records was 'inappropriate'

The transfer of 1.6 million medical records from the Royal Free London NHS Foundation Trust in London to Google in September 2015 was legally flawed, according to a leaked letter from Dame Fiona Caldicott to the hospital's medical director Professor Stephen Powis.

The transfer only came to light in April the following year, causing an outcry.

Google claimed that it planned to use the data in its London-based DeepMind artificial intelligence subsidiary in an anonymised form in order to help build an application called ‘Streams', to improve the care of patients with chronic kidney disease. Google claimed it needed the five years' worth of patient records "to analyse trends and detect historical tests and diagnoses that may affect patient care".

According to a letter obtained by Sky News, which had been sent to Powis, the legal basis for the transfer of the highly confidential records was described as "inappropriate" by Caldicott, the National Data Guardian at the Department of Health.

Caldicott has been involved in an investigation into the deal between the Royal Free and Google, which is being led by the Information Commissioner's Office (ICO).

Her legal opinion, though, suggests that the Royal Free's basis for sharing the patient data with the online information company might not have been legal.

"My view is that when work is taking place to develop new technology this cannot be regarded as direct care, even if the intended end result when the technology is deployed is to provide direct care.

"Implied consent is only an appropriate legal basis for the disclosure of identifiable data for the purposes of direct care if it aligns with the people's reasonable expectations, ie: in a legitimate relationship," wrote Calidcott in the letter.

She continued: "When I wrote to you in December, I said that I did not believe that when the patient data was shared with Google DeepMind, implied consent for direct care was an appropriate legal basis."

However, the letter also reveals that while only "synthetic data (non-identifiable dummy data)" was used in the design and development of the Streams product, confidential patient information was used during testing. Furthermore, the letter also references the use of "identifiable patient records" in the testing of Streams in a meeting in January this year between Powis and Caldicott.

"Taking into account what you have now clarified, it is my view and that of my panel that the purpose for the transfer of 1.6 million identifiable patient records to Google DeepMind was for the testing of the Streams application, and not for the provision of direct care to patients."

Caldicott's legal opinion will almost certainly have a major impact on the decision of the ICO into the case, including the likely fine that will be levied on the Trust should the Information Commissioner conclude that the transfer of sensitive patient data to Google was wrong.

Computing's IT Leaders Forum 2017 is coming on 24 May 2017. The theme this year is "Going Digital: Why your most difficult customer is your best friend".

Attendance is free, but strictly limited to IT Leaders. To find out more and to apply for your place, check out the IT Leaders Forum website.