NHS shares patient data with 1,500 outside organisations including Google but doesn’t ask for permission because it’s ‘not practical’
By BigBrotherWatch – The NHS shares patient data with 1,500 outside organisations including Google and doesn’t ask first because it is ‘not practical’, it was revealed today.
Private firms including computer giants and consultancy agencies are among those who are being supplied with the confidential records.
Only this week the Royal Free NHS Trust in London revealed that it had passed on medical files of up to 1.6million patients to a Google subsidiary to develop an app.
This included highly personal details such as whether patients had been diagnosed with HIV, suffered from depression or had ever undergone an abortion.
Get Briefed, Get Weekly Intelligence Reports - Essential Weekend Reading - Safe Subscribe
Under Government rules drawn up in 2013, staff do not have to obtain patients’ prior consent as long as the information does not include names and is being used to improve care.
The revelation has exposed the ease with which private companies can obtain highly sensitive medical information without consent.
Explaining why they did not speak to patients first the Royal Free said: ‘Health professionals may rely on implied consent when sharing personal data in the interests of direct care.
‘The NHS has data sharing agreements with 1,500 third party organisations, many of which are vital to the safe and effective treatment of patients. It would not be practical or safe to ask every patient to consent to every one of these arrangements’.
The spokesman listed just two of these third party organisations: Cerner, a private firm that sorts data for hospitals and GPs, and Webmail, which allows staff to email each other about specific patients.
The trust said that the data will not be sold on, adding in an online Q&A: ‘Patients can opt out of any data-sharing system that the Royal Free London uses by contacting the trust’s data protection officer’.
NHS officials have since confirmed that similar ‘data sharing’ arrangements are in place between hospitals and private firms throughout the health service.
Imperial College Healthcare NHS Trust admitted it was also in talks with Google over a deal – this time for an app to alert staff to hospital patients at risk of deterioration through kidney failure.
But bosses at St Mary’s in Paddington, one of the hospitals overseen by the Trust, say that no patient records have been handed over to DeepMind – Google’s secretive artificial intelligence arm.
It is not yet clear how many other NHS trusts or hospitals have already confirmed or are in talks to set up similar deals. It is also not known which organisations have existing deals with the NHS.
But other third party organisations with similar ‘data sharing arrangements’ include other NHS bodies as well as consultancy firms, universities and computer companies which have contracts to compile data or want it for research.
Professor Sir Brian Jarman, a specialist in NHS data, admitted he was concerned by the practice.
He said patients should be made aware of the extent to which their records are being shared before being given the chance to opt out.
‘Once the data has gone to another company it’s impossible to get it back so you have to be very careful,’ he said.
‘The only way to be on the safe side is to ask the patient first. I think if explained properly, the vast majority of patients would be willing for their data to be used.’ Daniel Nesbitt, of Big Brother Watch, added: ‘It’s clear that in many cases members of the public simply don’t know who has access to their information.
‘All too often we see data being shared without the proper understanding of those it will actually affect. It’s vital that patients are properly informed about any plans to share their personal information.’
In the past other NHS organisations have admitted passing data to companies such as Bupa, the insurance firm, on the strict provision it was only used for research.
In 2014 the Health and Social Care Information Centre – which compiles NHS data – published a list of organisations given information on patients.
They included Bupa, the McKinsey consultancy firm and IMS, a data analyst.
Google was given the Royal Free data to develop an app to monitor possible kidney failure.
The encrypted information includes the names and medical histories of every patient who had stayed in hospital overnight or attended A&E in the past five years.
Privacy campaigners told MailOnline that the revelations exposed the public’s lack of power and control over their own personal details.
Experts say the deal between Google and the Royal Free NHS Trust could set a precedent for patient data to be routinely passed on to private firms.
The Royal Free insisted it did not sell the files to Google and no money changed hands. The trust, which includes three London hospitals, and Google say the data is encrypted, will be processed by only a computer program, and there is no chance of it being leaked online.
Last month Google DeepMind bought another healthcare app, Hark, which was developed by a team of scientists at Imperial College London led by Tony Blair’s former health minister Lord Darzi.
Hark is said to show who is on the ward, what treatment they have had or require, and whether any treatment is overdue.
The technology was piloted at St Mary’s Hospital, London, but bosses said no patient data had been shared with DeepMind.
Lord Darzi said in February that there was an urgent need to improve the way busy medical staff manage their extensive lists of tasks throughout the day.
Imperial and Google say that the software will help staff plan their days and also alert them if patients are at risk of deterioration.
Lord Darzi told the Guardian in February: ‘Innovation is the only solution we have for a sustainable NHS, both economically and in meeting the challenges and demands upon it’.
A St Mary’s spokesman said: ‘The Trust has not shared any patient data or records with Google Deepmind.
‘The Trust is currently in discussion with Google Deepmind about the use of the Hark app at the Trust, which could involve the processing of encrypted patient information for the sole use of Trust clinicians.’
The Google app at the Royal Free is being developed by its subsidiary company DeepMind, which was bought for £275million ($400m), to alert doctors when patients are at risk of a form of kidney failure caused by dehydration.
The app will process blood test results and immediately inform doctors in charge of their care if they are at risk.
But neither Google nor the Royal Free could explain why the data of so many patients was needed for the software to be developed. The deal was uncovered by the New Scientist.
The project is a pilot and if it is deemed a success, other hospitals may ask Google to develop similar apps and pass on medical files.
Under the arrangement, Google’s DeepMind has access to the details of all patients who have stayed overnight at Barnet, Chase Farm or Royal Free Hospitals or attended A&E over the past five years. It is not clear exactly how many patients this covers. The company will also be given information on a monthly basis relating to all inpatients and those attending casualty until 2017.
Although patients can theoretically opt out of their information being passed on in such a way, they would firstly need to be aware such arrangements exist. They would then need to contact the hospital’s data protection officer in writing to make a specific request.
Details of the arrangement emerged two years after health officials were forced to scrap a national project to harvest patients’ records without their consent.
The Care.Data scheme was designed to extract details from patients’ files and store them on a national computer database so they could be used by academics and private companies for research. It was put on hold following mounting concerns by doctors and campaigners that patients had not been given enough opportunity to opt out and that the information would be used for the wrong purposes.
Daniel Nesbitt, research director of privacy and civil liberties pressure group Big Brother Watch told MailOnline: ‘With more and more information being shared about us its becoming clear that in many cases members of the public simply don’t know who has access to their information.
‘All too often we see data being shared without the informed consent or proper understanding of those it will actually affect.
‘It’s vital that patients are properly informed about any plans to share their personal information.’
Katherine Murphy, chief executive of the Patients’ Association, said: ‘It’s an awful lot of data if it gets into the wrong hands. Patient confidentiality must always be protected.
‘Patients will be worried and they need reassurances that their data is going to remain confidential.’
Dr Neil Bhatia, a GP in Yateley, Hampshire, who campaigns on the issue of patient privacy, added: ‘Patients need to be made aware of what’s happening, and of their right to opt out of Google processing their information in this way.
‘Vast amounts of personal confidential data – some of it extremely sensitive – is going into the hands of a massive commercial organisation.’
Phil Booth, of the campaign group MedConfidential, said: ‘We have no idea why Google needed so many sensitive details of every treatment for every patient in the hospital, covering over half a decade.’
A trust spokesman said: ‘The Royal Free London approached DeepMind with the aim of developing an app that improves the detection of acute kidney injury by immediately reviewing blood test results for signs of deterioration, then sending an alert and the results to the most appropriate clinician via a dedicated handheld device.
‘Absolutely no patient- identifiable data is shared with DeepMind.
‘All information sent to and processed by this app, named Streams, is encrypted and is only decrypted once returned to the clinician’s device.’
The trust did not confirm whether data which could identify patients had been handed to Google in the past.
Dominic King, a senior scientist at Google DeepMind, said: ‘Access to timely and relevant clinical data is essential for doctors and nurses looking for signs of patient deterioration. This work focuses on acute kidney injuries that contribute to 40,000 deaths a year in the UK, many of which are preventable.
‘The kidney specialists who have led this work are confident that the alerts our system generates will transform outcomes for their patients. For us to generate these alerts it is necessary for us to look at a range of tests taken at different time intervals.’
Mustafa Suleyman, Co-Founder at DeepMind, said: ‘We have, and will always, hold ourselves to the highest possible standards of patient data protection.’
Life sciences minister George Freeman said: ‘NHS patients need to know their data will be secure and not be sold or used inappropriately, which is why we have set up a new National Data Guardian and introduced tough new measures to ensure patient confidentiality.’
Google could make billions from healthcare and is keen to expand into this area.
In 2013 it announced it is now turning its attention towards the quest for eternal life. Founder and Google CEO Larry Page announced they were working on a well-being project called Calico.
Calico will focus on tackling the ‘challenge of ageing and associated diseases’ and will use expertise from Levinson’s biotechnology firm Genentech to look for potential cures for age-related illnesses.
In 2014, Google said it was determined to work out how the human body works and exactly what it should look like when it is healthy.
The ambitious science project, dubbed Baseline Study, will see researchers collect anonymous genetic and molecular information from 175 people, and later thousands more, in a bid to help detect diseases, such as cancer and heart disease, much earlier.
The project is being spearheaded by renowned molecular biologist Andrew Conrad who pioneered cheap, high-volume tests for HIV in blood-plasma donations.