The NHS routinely shares patient data with other organisations, such as Google, but doesn’t think it is necessary to get permission because it is impractical. The NHS shares patients’ data with 1,500 outside organisations.
The Royal Free hospital in north London said NHS rules translate to implied permission. This was in connection with the 1.6 million patients’ private medical records, which the hospital has shared with Google to develop an app to identify patients at risk of kidney failure. This disclosure by the hospital shows the ease with which private companies and non-affiliated healthcare contractors can get access to patient data without seeking consent.
The Royal Free NHS Trust explained that health professionals have implied consent if sharing personal data can benefit direct care. The trust stated that the NHS has agreements with third-party organisations to share data, and many of these are crucial for effective and safe patient treatment. Hence, it would be impractical and unsafe to ask every patient for consent to the arrangements the NHS has with outside organisations.
The trust has reiterated that the data will not be sold. It has also stated that patients are free to opt out of the data sharing system the trust has by getting in touch with the hospital’s data protection officer.
These revelations were made after Imperial College Healthcare NHS Trust revealed that it too was negotiating a deal with Google to create an app to alert staff of patients in the hospital who were at risk of deterioration due to kidney failure.
However, St. Mary’s, located in Paddington, one of the hospitals under the Imperial College Healthcare NHS Trust, stated emphatically that it has not handed over patients’ medical records to DeepMind, Google’s artificial intelligence company based in London.
Privacy campaigners are worried that the agreement between the Royal Free NHS Trust and DeepMind would establish a precedent to share patient data with private firms and companies.