Google's artificial intelligence arm received the personally identifying medical records of 1.6 million patients on an "inappropriate legal basis", according to the most senior data protection adviser to the NHS.

Sky News has obtained a letter sent to Professor Stephen Powis, the medical director of the Royal Free Hospital in London, which provided the patients' records to Google DeepMind.

It reveals that the UK's most respected authority on the protection of NHS patients' data believes the legal basis for the transfer of information from Royal Free to DeepMind was "inappropriate".

The development raises fresh concerns about how the NHS handles patients' data after last week's cyberattack on hospitals and GP surgeries, which could have been prevented if staff had followed guidance issued a month earlier.

While there are strict legal protections ensuring the confidentiality of patients' records, under common law patients are "implied" to have consented to their information being shared if it was shared for the purpose of "direct care".


However, this basis was not valid in the arrangement between Royal Free and DeepMind in the view of Dame Fiona Caldicott, the National Data Guardian at the Department of Health, who has contributed to an investigation into the deal.

Image: The first page of the National Data Guardian's letter

Image: The second page of the National Data Guardian's letter

As Dame Fiona writes, she had informed Royal Free and DeepMind in December that she "did not believe that when the patient data was shared with Google DeepMind, implied consent for direct care was an appropriate legal basis".

DeepMind, originally a British business that was acquired by Google in 2014, received the data of 1.6 million NHS patients to test a smartphone app called Streams.

Streams is a healthcare app which can detect if patients are suffering from acute kidney injuries and then rapidly inform clinicians so that they may receive potentially life-saving treatment.

Prof Powis had stressed that "a quarter of deaths from (acute kidney injuries) are preventable if clinicians are able to intervene earlier and more effectively".

Dame Fiona did not dispute the value of the app for patients, but in the letter to Prof Powis she explained that in her "considered opinion" the "purpose for the transfer of 1.6 million identifiable patient records to Google DeepMind was for the testing of the Streams application, and not for the provision of direct care to patients".

"My considered opinion therefore remains that it would not have been within the reasonable expectation of patients that their records would have been shared for this purpose," she wrote.

Professor Stephen Powis says patient confidentiality important

Prof Powis told Sky News: "We have been very grateful to Dame Fiona for her support (and) advice during this process and we would absolutely welcome further guidance on this issue."

Dame Fiona's contribution is currently being taken into account by the Information Commissioner's Office (ICO), the UK's data watchdog, which is investigating whether the transfer was legal under the Data Protection Act.

The ICO told Sky News that its investigation "is close to conclusion".

"We continue to work with the National Data Guardian and have been in regular contact with the Royal Free and DeepMind who have provided information about the development of the Streams app," the data watchdog said.

"This has been subject to detailed review as part of our investigation. It's the responsibility of businesses and organisations to comply with data protection law."

Royal Free Hospital said it would "consider" the ICO's findings when they are released.

Both the Royal Free Hospital and Google DeepMind were first informed of Dame Fiona's opinion in December.

The testing for the Streams app has now concluded and it is being used at the Royal Free Hospital, Prof Powis told Sky News, under a second agreement which is not being investigated.

He said: "I think everybody's agreed that we need to test, and when that involves patient data - and if it includes using large quantities of patient data - yes, I think we absolutely need to look at that again, collectively, everybody in the system, and we need to understand the guidance around that."

DeepMind: Patient data not shared with other parts of Google

Speaking to Sky News in the wake of the NHS cyberattack, the clinical lead at Google DeepMind, Dr Dominic King, said patient data was safe with the firm.

He said: "It's really important to say that DeepMind is a British company, and although acquired by Google, operates independently. At no point has any patient data been shared with other Google products or services, or used for commercial purposes.

"I think one thing that we do recognise that we could have done better is make sure that the public are really informed about how their data is used."

Dr Julia Powles, a researcher at Cornell Tech in New York and an expert in technology law, said there were "fundamental errors" at the beginning of the data sharing project and warned that these errors could put other data sharing deals in "real peril".

The Department of Health is responsible for issuing guidance to the NHS on how patient data can be used in the testing of new technologies, but it has not said when this will be provided. The department did not respond to Sky News' requests for a response.