The merry month of May has not, thus far, proved to be especially cheerful for the NHS in terms of its data handling, with a spate of news stories about privacy breaches and concerns about Google's access to patients' medical records following collaboration between the Royal Free NHS Trust and Google-owned technology company DeepMind.
Breaches of Trust(s)
On the first of these issues, two London NHS Trusts have been hit with sizeable fines for data breaches. In the first case, Chelsea and Westminster Hospital NHS Foundation Trust was fined £180,000 for a "serious breach" of the Data Protection Act, after a sexual health clinic (which it runs) sent an email newsletter to registered users of its HIV services, putting the email addresses in the 'to' rather than the 'bcc' field. 730 of the 781 email addresses contained the email recipient's full name. The ICO concluded that this data breach – involving sensitive personal data – "caused a great deal of upset to the people affected." The severity of the breach was exacerbated by the fact this was not the first such mistake by the Trust, with the same issue of failing to use the 'bcc' field for an email questionnaire sent to patients in March 2010. The ICO noted that after that incident, some remedial measures had been put in place but no specific staff training had been implemented.
The second recent case involved Blackpool Teaching Hospitals NHS Foundation Trust, which has been fined £185,000 after inadvertently publishing online confidential data about more than 6,000 members of staff (including their National Insurance number, date of birth, religious belief and sexual orientation). The information was supposedly 'hidden' in spreadsheets that the Trust published on its website, but in fact it could easily be viewed by a double click. The ICO was also strongly critical of the fact that it took the Trust 10 months to notice the mistake, and then a further five months before it alerted staff. The risks associated with so-called 'hidden' data have been highlighted by the ICO before, and it has published a guidance note on removing personal data from information requests and datasets.
As both cases indicate, organisations need to be extremely careful when handling sensitive personal data, particularly in the context of email mail-outs and documents which may be published online, and should as a matter of course ensure that staff are properly trained to avoid inappropriate data sharing and that processes are in place to safeguard personal data.
Separately, Google and the NHS have been in the news after the New Scientistrevealed the scale of the information sharing arrangement between the Google-owned technology company DeepMind and the Royal Free NHS Trust (which runs three London hospitals). DeepMind is developing an app to help with early identification and treatment of acute kidney problems, but the New Scientist – having seen the data sharing agreement – claimed that the arrangement "goes far beyond what has been publically announced" because it includes access to historical data (the previous five years of records) and a wider range of healthcare data than would be strictly necessary for identifying kidney problems alone (including realtime information on patient status regarding the 1.6 million patients who use the three Royal Free hospitals). In response to these concerns, DeepMind argues that the range of data is required because there is no separate dataset for people with kidney conditions and that they have implemented a rigorous 'information governance toolkit' which was given the highest possible certification approval by the Health and Social Care Information Centre.
In terms of the legal issues involved, the Royal Free's agreement with DeepMind clearly raises important questions around patient consent and data processing/sharing. The Trust itself does remain the data controller at all times and, according to the New Scientist, "The agreement clearly states that Google cannot use the data in any other part of its business. The data itself will be stored in the UK by a third party contracted by Google, not in DeepMind's offices. DeepMind is also obliged to delete its copy of the data when the agreement expires at the end of September 2017."
That does address potential concerns about 'data export' (as it seems the data will remain in the EEA at all times, such that the eighth data protection principle is not engaged) and 'data retention' (as the data will not be kept for any longer than is necessary for the purposes of the agreement, as required by the fifth data protection principle).
In its editorial, the New Scientist notes that, although there are likely to be considerable 'positives' (including, most obviously, public health benefits) from the development of data-driven health technology, serious questions remain over the issue of consent and just how well informed patients are as to how and why their personal information is being used. The Trust's own FAQs explain that it was not necessary to obtain explicit consent from patients because, in line with the Caldicott Information Governance Review principles, "health professionals may rely on implied consent when sharing personal data in the interests of direct care." It is possible for the Royal Free's patients to opt out, but they must contact the Trust's data protection officer to do so.
It may well be the case that because of Google's huge size and ambitions in so many different areas, people are instinctively nervous as soon as they see Google's name in a headline alongside "medical records". Indeed, it is hardly controversial to point out that most of the company's successful monetisation of products and processes comes from personal data analytics and Google is, at heart, an advertising company. For DeepMind's co-founder, Mustafa Suleyman, however, Google's involvement should reassure people concerned with privacy and data protection. He told the Guardian: "As Googlers, we have the very best privacy and secure infrastructure for managing the most sensitive data in the world. That's something we're able to draw upon as we're such a core part of Google."
Whether that allays privacy concerns remains to be seen. Moreover, as the New Scientist points out, if it is the case that this kind of data sharing could significantly help progress medical treatment for the benefit of patients, by being more open and enabling the public to be better informed, perhaps they would more easily "win our consent" for this kind of arrangement.
If you require further information on anything covered in this briefing please contact Alan Baker (firstname.lastname@example.org; 020 3375 7441) or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, May 2016