Large Scale Health Data Transfers Attract UK Attention
Large scale data sales have become a contentious election issue (just not the election you are probably thinking about). The National Health Service (NHS) is the system of public healthcare providers in the United Kingdom. NHS holds unique medical datasets of the UK’s population from birth to death.
In September, five NHS trusts agreed to data processing contracts with Google Health. Similar deals in the past have included transfers of anonymized data such as treatment dates, medical history, diagnoses, ethnic origin and religion. The contract includes giving Google five years’ worth of patient data in bulk as part of a contract novation process. The data is being stored by on Google’s cloud infrastructure, which NHS guidelines allow for, on servers in the United Kingdom, and backed up elsewhere in the European Union. The NHS national opt-out gives patients the right to opt out of their data being shared with Google, and is subject to the GDPR.
Two years ago, European authorities determined that the Royal Free NHS Foundation Trust failed to comply with the Data Protection Law. The Trust originally agreed to share 1.6 million patients’ medical records with DeepMind to work on an alert system for acute kidney injuries. The parties were required to establish “a proper legal basis” and be more transparent on handling patients’ privacy.
Recent reports indicate that Google has legally accessed information from more than 2,600 hospitals as part of a machine-learning project code-named Nightingale. The effort includes a plan to build a search tool for medical professionals that could make recommendations for prescriptions, diagnoses, and patient care teams. Project Nightingale is subject to strict regulations on handling patient data, and its Business Associate Agreement provides that the patient data collected cannot be used for any other purpose than for providing its services. Google Health has also published a white paper around its data being encrypted and isolated in the cloud.
Despite the legal and regulatory safeguards, transfers of health care information come with a heavy dose of suspicion. Most data sharing between healthcare and technology companies involve de-identified data. But certain forms of data, such as information from fitness devices and search engines, are often unregulated and have identities and addresses attached. But there is a competing tension as the data provides researchers and companies a chance to advance medical science.
NHS and Amazon recently entered into a Master Content License Agreement, which provides Amazon with “a non-exclusive, worldwide, perpetual, irrevocable and royalty-free license to use, distribute, reproduce, display, transmit, perform, excerpt, reformat, adapt or otherwise create derivative works” from the NHS Direct website. Amazon also insists that this information will not be used for marketing purposes.
On the heels of large health data deals, the political discourse around information and data transfers has become polarizing and prominent. These issues have escalated into being a central issue in the December 12 general election. Prime Minister Johnson’s opponents accuse him of having plans to include the NHS in a post-Brexit trade deal with the United States. The prime minister has denied that there is any intention to include the NHS in trade talks. Leaked minutes of meetings between officials from the United States and United Kingdom officials obtained by Labour Party leader Jeremy Corbyn suggested that the free flow of data to American healthcare companies would be a part of ongoing negotiations.
The suspicion of large health care data transfers allows for the discussion of cybersecurity and privacy to be a prominent election in the United Kingdom. We will see if the American voting public follows the lead of their British counterparts in 2020.