Early last week, we reported that Google had been granted access to the records of over 1.6 million patients on the UK's National Health Service (NHS). It turns out that while they had been granted 'access', by the NHS trusts involved in handling the data, they hadn't received approval from data regulators to use or access the data, nor did patients give consent.
In fact, both Google and the NHS trusts involved (Royal Free and Barnet and Chase Farm hospitals) believe that they do not even need regulator approval.
Google is developing an artificial intelligence system that will be able to detect if a patient is at risk of developing an acute kidney injury. To do this, the Royal Free, along with Barnet and Chase Farm hospitals, provided Google with 1.6 million patient health records, which included sensitive and personally identifiable information.
However, they appear to have skipped out two crucial steps in the process of handing over such data, as NewScientist reports. First, the app that Google is developing and using this data with, Streams, is classed as a 'medical device'; for safety reasons, all medical devices have to be approved by the UK Medicines and Products Regulatory Agency. Additionally, they did not seek approval to hand over any data from the UK's data regulator, the ICO (Information Commissioners' Office).
The patients whose data was handed over had also not been asked to give consent prior to this - they weren't even told. The data is encrypted as it is being transported to Google's servers in an undisclosed location, but once it reaches them, it is then unencrypted for processing.
Section 251 of the NHS Act 2006 prohibits sharing personally identifiable information without consent. If, however, you are running a large research project, and it is difficult or not possible to obtain consent from each patient, you have to go through the Confidentiality Advisory Group, which decides whether to provide consent or not on the patients' behalf, granted by the UK Secretary of State. This process was not followed, as Google is not shown in the Health Research Authority database, which is updated every two weeks.
Google claims that patient consent is 'implied', rather than explicitly given, and as such, it is allowed access to such data, because the company claims it has "direct clinical patient benefit". This isn't the case. Government guidelines on this explicitly say that assumption of consent does not apply in such cases, as direct clinical care is only when a patient is being given a particular form of care by a particular clinician, and that the person receiving the data is also a clinician of that patient.
In a statement, Google reaffirmed that it believes it has legal access to the data:
We are working with clinicians at the Royal Free to understand how technology can best help clinicians recognise patient deterioration – in this case acute kidney injury (AKI). We have, and will always, hold ourselves to the highest possible standards of patient data protection. Section 251 assent is not required in this case. All the identifiable data under this agreement can only ever be used to assist clinicians with direct patient care and can never be used for research. We and our partners at the Royal Free are in touch with MHRA regarding our development work.
It is not yet clear if authorities have begun any formal investigations into the alleged improprieties surrounding Google's access to the data.