NHS, DeepMind and the ICO: The importance of privacy in a modern NHS

Big Brother Watch Team / July 6, 2017

Two reports published this week have focussed the public’s attention on the arrangement between DeepMind and the Royal Free Hospital.

The two reports, one by the Information Commissioner’s Office (ICO) and one by an Independent Review Panel created by DeepMind themselves, have looked in detail at the arrangement, which has been in place since September 2015.

The arrangement, the first of its kind in the UK, gave DeepMind (a company owned by Alphabet, the parent company of Google) access to the medical data of 1.6 million Royal Free patients in order for DeepMind to carry out clinical safety testing on their new software ‘Streams’. Streams is being developed to improve the care of patients with Acute Kidney Injury through an algorithm which alerts staff to new lab results, which could speed up patient care.

Obviously, in a world where big data and technology are seen as the panacea for all problems, it is logical that the NHS would seek to exploit opportunities in this area. We certainly don’t object to attempts to improve healthcare for the 21st century.

However, the rush to revolutionise doesn’t excuse the concerns raised that sensitive data was being shared without patients’ knowledge or informed consent.

The report published by the ICO has shown that those concerns were fair and accurate. According to the ICO’s findings, the data sharing agreement between DeepMind and the Royal Free didn’t follow the necessary data principles to ensure the transfer was fair, transparent, lawful, necessary or proportionate. Royal Free were therefore found in breach of data protection laws. Patients were not given sufficient information about the use of their personal data in a clinical study or their rights to opt out; this was said to breach confidentiality, which is such a vital tenet in the patient-doctor relationship. The ICO have now placed the Royal Free on notice: they have 3 months to complete a privacy impact assessment and demonstrate to the ICO, with evidence, their compliance with the recommendations.

A day after the ICO cracked the whip across the back of the NHS Trust, the first annual report by the DeepMind Health Independent Review Panel was published.

This independent panel was established a year ago by DeepMind following a number of critical news reports about the arrangement between the private sector DeepMind and the NHS.

The annual report, which provides some detail on the successes, failures and areas of improvement needed for the arrangement, also raised significant concerns regarding the inadequacy of NHS systems, as well as wider privacy and safety issues with DeepMind.

The most alarming finding hit the news headlines. It was reported that hospital staff have been using Snapchat and other photo sharing services to record and share patient scans amongst themselves.

This, to our mind, is a completely irresponsible way to handle sensitive data. Not only does this entrust Snapchat with patients’ personal data, but it is a service known not to use any form of encryption, which means the data is completely insecure both in transit and at rest.

The report stops short of blaming the staff; instead the panel suggest the problem is a wider failure of the NHS to provide adequate software and technology to assist staff safely. As the WannaCry ransomware attack showed, the NHS is technologically ill-prepared and uses outdated systems which are left open to attack. The report emphasised the ongoing reliance on paper records and noted that the NHS has the ignominious title of being the number one purchaser of fax machines in the world. These are problems which must be addressed.

It comes as no surprise that the conclusion of the independent panel, set up by DeepMind, is that modernisation and the introduction of new technology are critical for the NHS. But going forward, the ongoing arrangement with DeepMind in performing these functions must not remain unchallenged. Some of the findings are encouraging with regard to DeepMind’s views of privacy: there appears to be no sharing with Google, the data they store is encrypted and the technology used has been vulnerability tested. Next year’s report will have to closely scrutinise whether these positives remain.

Whilst we have to come to terms with these new moves, the NHS and DeepMind have to urgently improve the way they engage the public. Sensitive personal data of human beings is the critical component of this arrangement, yet both of these reports show that human beings were treated with little regard.

If our data is going to improve our lives it is critical that our data is treated with respect.

As the ICO point out, it is not okay for the NHS to share patients’ data without their knowledge or consent.

And as the independent panel stress to DeepMind, they must act in collaboration with the public to ensure there is an element of trust and an understanding of how their data will be used.

The arrangement between DeepMind and the NHS must remain transparent, with data protection laws being followed throughout. Patients should be fully informed and consent to any use of their data. Privacy should never be seen as an obstacle to innovation. Without sufficient safeguards in place it is the patients themselves who will suffer the consequences. Privacy, data protection and transparency should be central to the NHS data revolution.