National Data Guardian Dame Fiona Caldicott warns that transfer of medical records was ‘inappropriate’
A secretly disclosed letter to the medical director Professor Stephen Powis of Royal Free London NHS Foundation Trust, said that 1.6 million medical records transferred to google from the Trust on September 2015 were legally flawed. The transfer had no legal basis and could offend the patients whose reports and tests are shared without their consent. Transfer was noticed in the next year and caused a rage among the people for transferring their private medical records and tests to an online business. Google explained that, it was planning to use the data in its London based Deep- mind artificial intelligence division to create an application known as ‘Streams’, in order to improve patient care for the patients having chronic kidney diseases with the help of patient’s previous tests and diagnosis ,while keeping the identity safe.
Google stated that it needed patient medical records for five years in order to make this technology work properly. Sky news found a letter sent to the medical director by Caldecott, who is national data guardian at the health department saying the transfer was inappropriate and legally unacceptable. Caldicott was involved in the investigation about the deal between the Royal Free and Google. The investigation was led by the Information Commissioner’s Office (ICO). She was of the opinion that Trust’s grounds for sharing such confidential data with google might be illegal. And said that patients have not expressly granted permissions to use their medical records, so the technology made could not be used for the purpose of direct care. She made it clear during the investigation that data taken without the consent of patients can not be used to provide direct care even if it is indented to provide direct care to the patients. She wrote in her letter to Powis that “Implied consent is only an appropriate legal basis for the disclosure of identifiable data for the purposes of direct care if it aligns with the people’s reasonable expectations, ie: in a legitimate relationship,”
The letter also showed that even if the data used in the development of technology was non identifiable but the data used in testing was identifiable. As she wrote in the letter that “When I wrote to you in December, I said that I did not believe that when the patient data was shared with Google DeepMind, implied consent for direct care was an appropriate legal basis.”
Also Caldicott and Professor Stephen Powis used the identifiable data later in their meeting in January. themselves for testing the technology named “Streams”. Caldicott stated that even after the clarification about data transfer and Google’s identity protection claim she and her panel still think that its sole purpose of using identifiable data was to test the technology ‘streams’ and not the provision of direct care to patients. Her opinion will have a major effect when ICO will announce the case decision and the commissioner will decide weather to fine the Royal Free Trust also the decision about the transfer being legal or not is to be made by ICO.