Today I have published an exchange of correspondence between myself and the Information Commissioner about the Royal Free London NHS Foundation Trust’s sharing of the personally identifiable health data of its patients with DeepMind in 2015 and 2016. The use to which the shared data was put was very well-intentioned: to test a new app, Streams, which tracks acute kidney injury. But the legal basis used to justify the sharing of 1.6 million patients’ data – implied consent for direct care – was not appropriate. The Information Commissioner asked me to give an opinion on the use of this common law legal basis, and I advised her that it would not match with patients’ reasonable expectations about how their information might be used.
The Information Commissioner found that the Royal Free had not complied with data protection law and asked it to make changes, including commissioning an independent audit. Linklaters carried out this audit and reported its conclusions in May 2018. My panel and I disagreed with one of its key arguments: that whether or not confidentiality has been breached should be judged from the point of view of the clinician’s conscience, rather than the patient’s reasonable expectations. It is my firm view that it is the patient’s perspective that is most important when judgements are being made about the use of their confidential information. My letter to the Information Commissioner sets out my thoughts on this matter in some detail.
I do champion innovative technologies and new treatments that are powered by data. The mainstreaming of emerging fields such as genomics and artificial intelligence offers much promise and will change the face of medicine for patients and health professionals immeasurably. We are starting to see this transformation take hold as we look at the achievement of the 100,000 Genomes project and the establishment of the new NHS Genomic Medicine Service. Every week I read with great enthusiasm stories of Trusts, including the Global Digital Exemplars, that are pioneering cutting-edge treatments. But my belief in innovation is coupled with an equally strong belief that these advancements must be introduced in a way that respects people’s confidentiality and delivers no surprises about how their data is used. In other words, the public’s reasonable expectations must be met.
Patients’ reasonable expectations are the touchstone of the common law duty of confidence, and something that my panel and I have discussed often – amongst ourselves and with others – over the past few years. In April, my National Data Guardian Panel colleagues, Dr Mark J Taylor and Dr James Wilson, published as part of their academic work a paper in the Medical Law Review: Reasonable Expectations of Privacy and Disclosure of Health Data. It is a very convincing article which outlines the importance of reasonable expectations and explores how this principle might be used to support appropriate information sharing.
I do recognise that this is a complicated landscape which it can be hard for Trusts and other organisations to navigate. We have heard quite clearly – most recently during our public consultation earlier this year – that people are eager to do the right thing, but that determining what is the right thing isn’t always straightforward. Providers who are introducing new, data-driven technologies, or partnering with third parties to help develop and test them, have called for clearer guidance about respecting data protection and confidentiality. I intend to work with the Information Commissioner and others to improve the advice available so that innovation can be undertaken safely: in compliance with the common law and the reasonable expectations of patients. The National Data Guardian is currently supporting the Health Research Authority in clarifying and updating guidance on the lawful use of patient data in the development of healthcare technologies.
Last month, the Information Commissioner published an update concluding the case of the Royal Free, reporting that the Trust has now completed the actions required of it and there are no outstanding concerns relating to data protection law. This matter has taken a lot of time and effort to resolve. But we hope that with clearer guidance, and by looking to this as a cautionary tale, other providers will be able to find a path to innovation that respects the trust and confidence of their patients and the public.