The issue of privacy and informed consent in developing healthcare technology in the NHS

DeepMind's Stream App

The shifts toward making healthcare more intuitive for patients around the globe is heavily rooted in the advancement of technology-based tools. Companies large and small are working diligently to bring effective means to doctors, nurses, and support staff in hospitals and clinics to push the quality of healthcare forward. But there are several issues with how these advanced, potentially beneficial tools are being introduced and subsequently used in healthcare settings. One of the most widely discussed examples of technology in healthcare has been the partnership between the UK’s NHS and DeepMind Health, a Google-owned technology firm.

Most individuals in the UK were blissfully unaware of the project between DeepMind and the Royal Free hospital trust in London until early in 2016, despite the partnership launch in mid-2015. DeepMind was approached to create a healthcare application, known as Streams, to help practitioners identify, prevent, and treat acute kidney injury or AKI in hospital settings. Nearly 40,000 deaths each year are attributed to AKI, making the Streams app and the joint work between the hospital trust and DeepMind promising. Because AKI offers no recognisable symptoms in early stages, detection of the deadly health issue is based on laboratory tests. An assessment of the patient must be done quickly to determine the underlying cause and affect the appropriate treatment. Streams is meant to reduce that timeline through a series of real-time alerts based on standardised algorithms, delivered through handheld devices to clinicians.

Instead of the focus being placed on the potential benefits of the app development and its ultimate implementation, concerns about the privacy of patient health records and medical data have fiercely come to light.

The problem with streams

After the partnership with DeepMind Health and the Royal Free NHS Trust was solidified, a transfer of 1.6 million patient records took place in November 2015. The data, which included identifiable information on each of the patients included in the transfer, was gifted to DeepMind Health in an effort to help test the Streams app based on real patient details. The problem lies in the fact that not one patient was informed his or her intimate medical records would be transferred to a technology firm for the purpose of developing an application. There was also no offer for public discussion surrounding the transfer of data, what it would be used for, and how it would be stored or shared in the future. Rightfully so, healthcare advocates, legal experts, and the patients themselves shared widespread concern over the incident.

In this ever-connected world, it is not surprising that information moves between one organisation and the next for the purpose of developing new technologies. However, confidential data, like what’s included in an individual’s patient file, should not be so easily transferred between entities. For most, offering up health information is not an act they are vehemently against, especially when the future outcome is helping tens of thousands of patients prevent serious health issues due to a condition like AKI. With that being said, private companies having full access to health data without the informed consent of the individuals involved carries with it very real ramifications. Not only did the DeepMind and NHS partnership lack explanation as to why the data would be transferred and then used, but the public was also woefully unaware of how these details might be connected to DeepMind’s parent company, Google, in the future.

In response to the DeepMind and NHS information debacle, a full-on investigation was launched to help gain an understanding of who was at fault and why. Through the Information Commissioner’s Office, it was found that the Royal Free NHS Trust breached four significant data protection principles, and patient confidentiality guidelines under common law. The gift of data to DeepMind was deemed to be lacking transparency to the public, unfair to the patients involved, unlawful, and broadly unnecessary. Because individuals would not have expected their personal health information to be shared, they had no opportunity to affect their information and privacy rights until the deed was already done.

Ramifications of breaking privacy law in healthcare

The ICO’s investigation offered interesting results, focused heavily on the breach enacted by the Royal Free Trust, not DeepMind or its parent company. Because the trust remained the controller of data, that is the organisation that originally kept and subsequently transferred the patient records in the deal, DeepMind Health was found to have not violated data sharing agreements or contractual requirements in the process. The trust, however, was given a slap on the wrist, made to sign an agreement to clean up its act in the future. The problem remains, however, since patient data still sits on DeepMind’s servers, albeit not being used.

A specialist from the clinical negligence firm in the UK, explains the significance of such a move by the Royal Free trust through its partnership with DeepMind Health. Applications like Streams show promise in speeding up the diagnosis and treatment of deadly health issues like AKI, and as such, a reduction in the amount of harm a patient may endure by improved standards of care is truly on the horizon. However, the price of innovation cannot come by way of the erosion of legally-ensured privacy rights which should be fundamental to all patients.

It isn’t all that uncommon for patient information to be shared during the process of technology development or healthcare research, but the Royal Free Trust and DeepMind Health, without much doubt, failed in their processes. Instead of being transparent in the information that would be disclosed, patient data was transmitted without anyone’s knowledge, and it included details about individual health records that show a clear disregard for information privacy and informed consent laws. Moving forward, the NHS can learn from its mistakes and take steps to ensure confidentiality remains at the forefront of the development of apps like Streams. Keeping patient information anonymous is one clear path forward, as is leaving the floor open for public comment well in advance of sharing data with technology firms in the future. Patients have a right to receive the highest quality healthcare available, but not at the expense of their privacy.