The murky world of Information Governance in the NHS has been further stirred by the story of the arrangements between the Royal Free Trust and Google UK.
The BBC and others have reported a “data-sharing agreement” between the two. Google will use data derived from access to 1.6 million patient records to develop an app known as Streams that will alert doctors when someone is at risk of developing acute kidney injury.
The agreement (or at least a part of it – there may be more) may be found here. It is headed “Information Sharing Agreement”. It states however quite clearly that Royal Free is at all times the data controller, and Google just a processor. If that is correct it is a data processing agreement or contract not an information sharing agreement. The two are quite distinct though they may run in parallel.
Categorising it as a processing agreement may well account for much of Royal Free’s confidence, see original BBC article and this follow up, that the arrangement breaches neither the data protection principles nor the law of confidentiality.
However it is not entirely clear whether the agreement fully complies with principle 7 of the Data Protection Act which requires a “contract”. Does the document disclose any consideration? Are Google being paid? Who will own the rights to develop and exploit any app or product they develop? Perhaps Google is getting something wider out of this arrangement – e.g. a proof of technology platform? What, really, is the “purpose” as rather vaguely set out at the top of page 3? Whose purposes are these?
Putting those concerns to one side, there is a more fundamental problem. Saying Royal Free is the data controller and Google a mere processor simply does not make it so. These terms are legally defined in section 1 of the Act and illustrated in the ICO guidance.
As noted above it looks pretty clear to an outsider that Google has its own purposes in relation to the use of this data – if that is in any way true they are a data controller as well.
One should also ask what degree of independence that Google has in determining how and in what manner the data is processed. Are Royal Fee really, or indeed competent, to direct Google in its endeavours? If you look at the ICO guidance and examples, and assume ICO is competent in this field, it is almost impossible as an outsider to conclude that Google, with all its specialist skills and knowledge as a data analyst, is not acting, in part, as a data controller. Consider in particular the ICO examples at paragraphs 29-30, and 46-47.
So perhaps it IS a data sharing agreement after all. In which case, as others have commented, it is difficult to see how it complies with the Data Protection Act. Google will be processing sensitive personal data and no Schedule 3 condition in the Act appears to apply. They have no explicit consent and Schedule 3 Condition 8 is not apt.
Further, if in any way Google’s processing as a controller goes beyond that of the direct care of those patients with acute kidney injury, as it seems it surely must, then there is a breach of medical confidentiality which cannot be overcome. Consent to share records other than for direct care cannot be implied and can only be overcome by a dispensation under s251 of the NHS Act 2006 and a search of the current register does not suggest any approval has been given. Perhaps not surprising given the apparently erroneous casting (albeit misnamed!) of the arrangement as merely “data processing”.