The Royal Free Hospital in London was wrong to hand over the medical records of some 1.6 million patients in a secretive deal it struck with Google in September 2015, but which only came to light in April the following year.
Google claimed that it planned to use the data in its London-based DeepMind artificial intelligence subsidiary in an anonymised form in order to help build an application called ‘Streams', to improve the care of patients with chronic kidney disease. Google claimed it needed the five years' worth of patient records "to analyse trends and detect historical tests and diagnoses that may affect patient care".
According to a letter obtained by Sky News, which had been sent to the hospital's medical director Professor Stephen Powis, the legal basis for the transfer of the highly confidential records was described as "inappropriate" by Dame Fiona Caldicott, the National Data Guardian at the Department of Health.
Caldicott has been involved in an investigation into the deal between the Royal Free and Google, which is being led by the Information Commissioner's Office (ICO).
Her legal opinion, though, suggests that the Royal Free's basis for sharing the patient data with the online information company might not have been legal.
"My view is that when work is taking place to develop new technology this cannot be regarded as direct care, even if the intended end result when the technology is deployed is to provide direct care. Implied consent is only an appropriate legal basis for the disclosure of identifiable data for the purposes of direct care if it aligns with the people's reasonable expectations, ie: in a legitimate relationship," wrote Calidcott in the letter.
She continued: "When I wrote to you in December, I said that I did not believe that when the patient data was shared with Google DeepMind, implied consent for direct care was an appropriate legal basis."
However, the letter also reveals that while only "synthetic data (non-identifiable dummy data)" was used in the design and development of the Streams product, confidential patient information was used during testing. Furthermore, the letter also references the use of "identifiable patient records" in the testing of Streams in a meeting in January this year between Powis and Caldicott.
"Taking into account what you have now clarified, it is my view and that of my panel that the purpose for the transfer of 1.6 million identifiable patient records to Google DeepMind was for the testing of the Streams application, and not for the provision of direct care to patients."
Caldicott's legal opinion will almost certainly have a major impact on the decision of the ICO into the case, including the likely fine that will be levied on the Trust should the Information Commissioner conclude that the transfer of sensitive patient data to Google was wrong.
Computing's IT Leaders Forum 2017 is coming on 24 May 2017. The theme this year is "Going Digital: Why your most difficult customer is your best friend".
Attendance is free, but strictly limited to IT Leaders. To find out more and to apply for your place, check out the IT Leaders Forum website.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago