The shock news yesterday that Google is taking over a health app rolled out to UK hospitals over the past few years by its AI division, DeepMind, has caught the eye of the country’s data protection watchdog — which said today that it’s monitoring developments.
An ICO spokesperson told us: “An ICO investigation and an independent audit into the use of Google Deepmind’s Streams service by the Royal Free both highlighted the importance of clear and effective governance when NHS bodies use third parties to provide digital services, particularly to ensure the original purpose for processing personal data is respected.
“We expect all the measures set out in our undertaking, and in the audit, should remain in place even if the identity of the third party changes. We are continuing to monitor the situation.”
We’ve reached out to DeepMind and Google for a response.
The project is already well known to the ICO because, following a lengthy investigation, it ruled last year that the NHS Trust which partnered with DeepMind had broken UK law by passing 1.6 million+ patients’ medical records to the Google owned company during the app’s development.
The Trust agreed to make changes to how it works with DeepMind, with the ICO saying it needed to establish “a proper legal basis” for the data-sharing, as well as share more information about how it handles patients’ privacy.
It also had to submit to an external audit — which was carried out by Linklaters. Though — as we reported in June — this only looked at the current working of the Streams app.
The auditors did not address the core issue of patient data being passed without a legal basis when the app was under construction. And the ICO didn’t sound too happy about that either.
While regulatory actions kicked off in spring 2016, the sanctions came after Streams had already been rolled out to hospital wards — starting with the Royal Free NHS Trust’s own hospitals.
DeepMind also inked additional five-year Streams deals with a handful of other Trusts before the ICO’s intervention, including Imperial College Healthcare NHS Trust and Taunton & Somerset.
Those Trusts are now facing being switched to having Google as their third party app provider.
Until yesterday DeepMind had maintained it operates autonomously from Google, with founder Mustafa Suleyman writing in 2016 that: “We’ve been clear from the outset that at no stage will patient data ever be linked or associated with Google accounts, products or services.”
Two years on and, in their latest Medium blog, the DeepMind co-founders write about how excited they are that the data is going to Google.
Patients might have rather more mixed feelings, given that most people have never been consulted about any of this.
The lack of a legal basis for DeepMind obtaining patient data to develop Streams in the first place remains unresolved. And Google becoming the new data processor for Streams only raises fresh questions about information governance — and trust.