Royal Free NHS Trust & Google DeepMind

The request was successful.

Dear Royal Free London NHS Foundation Trust,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Tuesday 3rd May 2016.

I note with interest two articles in the press this week:

https://www.newscientist.com/article/208...
http://www.theinquirer.net/inquirer/news...

Both of these refer to a data sharing agreement between Google-owned artificial intelligence company DeepMind and the Royal Free NHS Trust, and which gives DeepMind access to a wide range of healthcare data on the 1.6 million patients who pass through three London hospitals run by the Royal Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year, as well as access to patient data from the last five years (via SUS).

The Royal Free Hospital will remain the official data controller in this instance.

I would be very grateful for the following information relating to this agreement.

• Please could you provide me with a copy of this data-sharing agreement between the Royal Free NHS Trust and DeepMind (I assume suitably redacted to remove commercially sensitive items such as £). I am particularly interested in the information governance arrangements detailed within that document

• Please could you provide me with all communication that the Royal Free NHS Trust has had with the Information Commissioner's Office (ICO) regarding this agreement, which may include, for example, advice about the legality of such an arrangement, requirements for fair processing information, and the rights and processes by which patients of those hospital can object to the processing of their personal confidential data by DeepMind, for both primary and secondary purposes

• Please could you kindly provide me with the fair processing information that you make available to patients, attending all those hospitals, regarding this new use of their personal confidential data (for example, poster, handouts, leaflets)

• Please could you provide me with the process (including any requisite forms that must be completed) by which patients can *completely* object to the passing of their personal confidential data to DeepMind for processing, for *both* primary and secondary uses. Such an objection would, of course, not prohibit medical staff within the hospitals from accessing the trusts' electronic hospital record for their direct medical care

• Please could you provide me with the process (including any requisite forms that must be completed) by which patients can object to the passing of their personal confidential data to DeepMind for processing for secondary uses *only* (that is, for purposes other than their direct medical care), including the pseudonymisation of personal confidential data for that reason. Such an objection would, of course, not prohibit medical staff within the hospitals from accessing their electronic hospital record for their direct medical care

The articles state that DeepMind will have access to the NHS' centralised record of all hospital treatments in the UK, dubbed the Secondary User Service (SUS) database.

At a patient's request, hospital trusts are required to remove all patient identifiable data (NHS number or name/address, local patient identifier (hospital number), DOB, postcode) from any SUS submission (CDS file) and render it anonymised and not pseudonymised. Guidance on such a process is available from the HSCIC :
http://www.hscic.gov.uk/media/9719/Schem...

Some hospital trusts produce straightforward SUS opt-out forms for patients to use, such as this one from Plymouth Hospitals
http://www.plymouthhospitals.nhs.uk/down...

• Please can you provide me with the opt-out form that patients of the Royal Free NHS Trust can use to request such anonymisation of their SUS data submissions

Patients might not be aware of the processing of their data by DeepMind in this way. When they do find out, and if there are unhappy about such an arrangement, they might wish to ensure that any such data about them that has been uploaded or passed to DeepMind is deleted completely.

• Please could you provide me with the process (including any requisite forms that must be completed) by which patients can request that any personal confidential data about them uploaded or passed to DeepMind is completely deleted, and that no further information is passed to DeepMind for either primary or secondary purposes. Such an objection would, of course, not prohibit medical staff within the hospitals from accessing their electronic hospital record for their direct medical care

As per Section 1(4) of the FOI Act
( http://www.legislation.gov.uk/ukpga/2000... ) I would like the information in question held at the time when my request is received (draft or otherwise), except that account may be taken of any amendment or deletion made between now and the latest time by which the information is to be communicated to me, being an amendment or deletion that would have been made regardless of the receipt of my request.

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request, which I make to be the 1st June.

If my request is denied in whole or in part, or specific items within the responses are withheld from disclosure, then you must justify all deletions by reference to specific exemptions of the act, as per Section 17 of the Act
( http://www.legislation.gov.uk/ukpga/2000... ). Where you rely on a qualified exemption to withhold disclosure, you are obliged to consider the public interest in your decision and the refusal notice must explain not only which exemption applies and why, but also the public interest arguments addressed in reaching the decision.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO ("It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with").

Thank you very much once again, and I look forward to the information that I have requested, in accordance with the Act.

Yours sincerely,

Dr Neil Bhatia

Owen Boswarva left an annotation ()

Dr Bhatia,

I'm not sure those were the links you intended. The New Scientist article is from March and the Inquirer page is 404. You may have meant these:

https://www.newscientist.com/article/208...
http://www.theinquirer.net/inquirer/news...

The data sharing agreement itself has already been released under FOI, and New Scientist has put it on the web here:

https://drive.google.com/file/d/0BwQ4esY...

Dr Neil Bhatia

Dear Royal Free London NHS Foundation Trust,

Further to my request, it is apparent that the data sharing agreement is already in the public domain
https://drive.google.com/file/d/0BwQ4esY...

as linked to in this article:
http://motherboard.vice.com/read/uk-hosp...

and now also at:
https://dl.dropboxusercontent.com/u/1415...

Accordingly, I do not require it as part of my FOI request.

Instead, please could you also provide me with any privacy impact assessment that you have performed regarding this project.
Please take this request for the PIA as an addendum to my original request, rather than a new/separate FOI request.

Thank you very much.

Yours faithfully,

Dr Neil Bhatia

foi rf (ROYAL FREE LONDON NHS FOUNDATION TRUST), Royal Free London NHS Foundation Trust

Dear Sir

Thank you for your request under the Freedom of Information Act. The reference for this request is noted in the subject header above.

You will receive a response from us within 20 working days or an explanation as to why this is not possible.

Yours faithfully,

Freedom of Information Team
Royal Free London NHS Foundation Trust

Further to my request, it is apparent that the data sharing agreement is already in the public domain https://drive.google.com/file/d/0BwQ4esY...

as linked to in this article:
http://motherboard.vice.com/read/uk-hosp...

and now also at:
https://dl.dropboxusercontent.com/u/1415...

Accordingly, I do not require it as part of my FOI request.

Instead, please could you also provide me with any privacy impact assessment that you have performed regarding this project.
Please take this request for the PIA as an addendum to my original request, rather than a new/separate FOI request.

-----Original Message-----
From: Dr Neil Bhatia [mailto:[FOI #331981 email]]
Sent: 30 April 2016 11:34
To: foi rf (ROYAL FREE LONDON NHS FOUNDATION TRUST)
Subject: FOI 1310 Freedom of Information request - Royal Free NHS Trust & Google DeepMind

Dear Royal Free London NHS Foundation Trust,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Tuesday 3rd May 2016.

I note with interest two articles in the press this week:

https://www.newscientist.com/article/208...
http://www.theinquirer.net/inquirer/news...

Both of these refer to a data sharing agreement between Google-owned artificial intelligence company DeepMind and the Royal Free NHS Trust, and which gives DeepMind access to a wide range of healthcare data on the 1.6 million patients who pass through three London hospitals run by the Royal Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year, as well as access to patient data from the last five years (via SUS).

The Royal Free Hospital will remain the official data controller in this instance.

I would be very grateful for the following information relating to this agreement.

• Please could you provide me with a copy of this data-sharing agreement between the Royal Free NHS Trust and DeepMind (I assume suitably redacted to remove commercially sensitive items such as £). I am particularly interested in the information governance arrangements detailed within that document

• Please could you provide me with all communication that the Royal Free NHS Trust has had with the Information Commissioner's Office (ICO) regarding this agreement, which may include, for example, advice about the legality of such an arrangement, requirements for fair processing information, and the rights and processes by which patients of those hospital can object to the processing of their personal confidential data by DeepMind, for both primary and secondary purposes

• Please could you kindly provide me with the fair processing information that you make available to patients, attending all those hospitals, regarding this new use of their personal confidential data (for example, poster, handouts, leaflets)

• Please could you provide me with the process (including any requisite forms that must be completed) by which patients can *completely* object to the passing of their personal confidential data to DeepMind for processing, for *both* primary and secondary uses. Such an objection would, of course, not prohibit medical staff within the hospitals from accessing the trusts' electronic hospital record for their direct medical care

• Please could you provide me with the process (including any requisite forms that must be completed) by which patients can object to the passing of their personal confidential data to DeepMind for processing for secondary uses *only* (that is, for purposes other than their direct medical care), including the pseudonymisation of personal confidential data for that reason. Such an objection would, of course, not prohibit medical staff within the hospitals from accessing their electronic hospital record for their direct medical care

The articles state that DeepMind will have access to the NHS' centralised record of all hospital treatments in the UK, dubbed the Secondary User Service (SUS) database.

At a patient's request, hospital trusts are required to remove all patient identifiable data (NHS number or name/address, local patient identifier (hospital number), DOB, postcode) from any SUS submission (CDS file) and render it anonymised and not pseudonymised. Guidance on such a process is available from the HSCIC :
http://www.hscic.gov.uk/media/9719/Schem...

Some hospital trusts produce straightforward SUS opt-out forms for patients to use, such as this one from Plymouth Hospitals
http://www.plymouthhospitals.nhs.uk/down...

• Please can you provide me with the opt-out form that patients of the Royal Free NHS Trust can use to request such anonymisation of their SUS data submissions

Patients might not be aware of the processing of their data by DeepMind in this way. When they do find out, and if there are unhappy about such an arrangement, they might wish to ensure that any such data about them that has been uploaded or passed to DeepMind is deleted completely.

• Please could you provide me with the process (including any requisite forms that must be completed) by which patients can request that any personal confidential data about them uploaded or passed to DeepMind is completely deleted, and that no further information is passed to DeepMind for either primary or secondary purposes. Such an objection would, of course, not prohibit medical staff within the hospitals from accessing their electronic hospital record for their direct medical care

As per Section 1(4) of the FOI Act
( http://www.legislation.gov.uk/ukpga/2000... ) I would like the information in question held at the time when my request is received (draft or otherwise), except that account may be taken of any amendment or deletion made between now and the latest time by which the information is to be communicated to me, being an amendment or deletion that would have been made regardless of the receipt of my request.

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request, which I make to be the 1st June.

If my request is denied in whole or in part, or specific items within the responses are withheld from disclosure, then you must justify all deletions by reference to specific exemptions of the act, as per Section 17 of the Act ( http://www.legislation.gov.uk/ukpga/2000... ). Where you rely on a qualified exemption to withhold disclosure, you are obliged to consider the public interest in your decision and the refusal notice must explain not only which exemption applies and why, but also the public interest arguments addressed in reaching the decision.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO ("It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with").

Thank you very much once again, and I look forward to the information that I have requested, in accordance with the Act.

Yours sincerely,

Dr Neil Bhatia

-------------------------------------------------------------------

Please use this email address for all replies to this request:
[FOI #331981 email]

Is [Royal Free London NHS Foundation Trust request email] the wrong address for Freedom of Information requests to Royal Free London NHS Foundation Trust? If so, please contact us using this form:
https://www.whatdotheyknow.com/change_re...

Disclaimer: This message and any reply that you make will be published on the internet. Our privacy and copyright policies:
https://www.whatdotheyknow.com/help/offi...

For more detailed guidance on safely disclosing information, read the latest advice from the ICO:
https://www.whatdotheyknow.com/help/ico-...

If you find this service useful as an FOI officer, please ask your web manager to link to us from your organisation's FOI page.

-------------------------------------------------------------------

********************************************************************************************************************

This message may contain confidential information. If you are not the intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or take any action in reliance on its contents:
to do so is strictly prohibited and may be unlawful.

Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS staff in England and Scotland
NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and GSi recipients
NHSmail provides an email address for your career in the NHS and can be accessed anywhere

********************************************************************************************************************

hide quoted sections

Dear foi rf (ROYAL FREE LONDON NHS FOUNDATION TRUST),

Just a polite reminder that you are required to respond to my request promptly and no later than by the end of tomorrow, 31st May.

Kind regards,

Dr Neil Bhatia

Dear foi rf (ROYAL FREE LONDON NHS FOUNDATION TRUST),

You are overdue in responding to my FOI request.

Can I take it that I will receive a response by then end of today?

Kind regards,

Dr Neil Bhatia

foi rf (ROYAL FREE LONDON NHS FOUNDATION TRUST), Royal Free London NHS Foundation Trust

1 Attachment

Dear Dr Bhatia

 

Further to your request for information please see the response below in
red type.  You may also find the information we have published on our
website of interest – it is available at
[1]https://www.royalfree.nhs.uk/news-media/...

 

Your appeal rights

 

We hope that you will be satisfied with our response to your request, if
not you may ask us to review our decision in which case you should write
to Ms Emma Kearney, director of corporate affairs and communications,
Royal Free London NHS Foundation Trust, Pond Street, London  NW3 2QG,
explaining what you would like us to review and including your reference
number.  If you are not satisfied with the internal review, you can appeal
to the Information Commissioner.  The contact details are: Information
Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9
5AF, telephone 01625 545 700 or see [2]www.ico.org.uk

 

Yours sincerely

 

 

 

Alison Macdonald

Board Secretary

 

 

-----Original Message-----
From: Dr Neil Bhatia
[[3]mailto:[FOI #331981 email]]
Sent: 30 April 2016 11:34
To: foi rf (ROYAL FREE LONDON NHS FOUNDATION TRUST)
Subject: FOI 1310 Freedom of Information request - Royal Free NHS Trust &
Google DeepMind

 

Dear Royal Free London NHS Foundation Trust,

 

I would like to make a request under the FOI Act.

 

For the purposes of the Act, please take the date of your receipt of this
request as Tuesday 3rd May 2016.

 

I note with interest two articles in the press this week:

 

[4]https://www.newscientist.com/article/208...

[5]http://www.theinquirer.net/inquirer/news...

 

Both of these refer to a data sharing agreement between Google-owned
artificial intelligence company DeepMind and the Royal Free NHS Trust, and
which gives DeepMind access to a wide range of healthcare data on the 1.6
million patients who pass through three London hospitals run by the Royal
Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year, as
well as access to patient data from the last five years (via SUS).

 

The Royal Free Hospital will remain the official data controller in this
instance.

 

I would be very grateful for the following information relating to this
agreement.

 

• Please could you provide me with a copy of this data-sharing agreement
between the Royal Free NHS Trust and DeepMind (I assume suitably redacted
to remove commercially sensitive items such as £). I am particularly
interested in the information governance arrangements detailed within that
document  The information sharing agreement is enclosed.  The precise
storage location has been redacted under section 43 (commercial
interests).

 

 

• Please could you provide me with all communication that the Royal Free
NHS Trust has had with the Information Commissioner's Office (ICO)
regarding this agreement, which may include, for example, advice about the
legality of such an arrangement, requirements for fair processing
information, and the rights and processes by which patients of those
hospital can object to the processing of their personal confidential data
by DeepMind, for both primary and secondary purposes – The trust is not
required to consult with the ICO in regard of any data sharing or data
processing agreements, however,

 

·         The NHS Confidentiality Code of Practice [p15(38)] states that
when patients agree to be treated in hospital, they “understand that some
information about them must be shared in order to provide them with care
and treatment”. The hospital (as the data controller) determines what data
processing needs to take place to deliver care. This process also covers
the multitude of other clinical systems in every NHS hospital that provide
essential electronic records, document management and pathology services.
It is implausible to consider that hospitals could function if they had to
seek informed consent for every clinical system they use.

·         The Fair Processing Notice issued by the Trust explains that
patient identifiable data will only be shared with third parties when it
is to be processed for direct patient care purposes. Patients have the
ability to opt-out of third-party data sharing by informing the trust’s
information governance lead they want to opt out.

 

 

• Please could you kindly provide me with the fair processing information
that you make available to patients, attending all those hospitals,
regarding this new use of their personal confidential data (for example,
poster, handouts, leaflets) – The trust has information on the public
website at  
[6]http://s3-eu-west-1.amazonaws.com/files....

 

• Please could you provide me with the process (including any requisite
forms that must be completed) by which patients can *completely* object to
the passing of their personal confidential data to DeepMind for
processing, for *both* primary and secondary uses. Such an objection
would, of course, not prohibit medical staff within the hospitals from
accessing the trusts' electronic hospital record for their direct medical
care – The trust’s  process is for the patient to contact the data
protection officer, as advised on the website.

 

• Please could you provide me with the process (including any requisite
forms that must be completed) by which patients can object to the passing
of their personal confidential data to DeepMind for processing for
secondary uses *only*  (that is, for purposes other than their direct
medical care), including the pseudonymisation of personal confidential
data for that reason. Such an objection would, of course, not prohibit
medical staff within the hospitals from accessing their electronic
hospital record for their direct medical care  - The trust’s  process is
for the patient to contact the data protection officer, as advised on the
website.

 

The articles state that DeepMind will have access to the NHS' centralised
record of all hospital treatments in the UK, dubbed the Secondary User
Service (SUS) database.

 

At a patient's request, hospital trusts are required to remove all patient
identifiable data (NHS number or name/address, local patient identifier
(hospital number), DOB, postcode) from any SUS submission (CDS file) and
render it anonymised and not pseudonymised. Guidance on such a process is
available from the HSCIC :

[7]http://www.hscic.gov.uk/media/9719/Schem...

 

Some hospital trusts produce straightforward SUS opt-out forms for
patients to use, such as this one from Plymouth Hospitals

[8]http://www.plymouthhospitals.nhs.uk/down...

 

• Please can you provide me with the opt-out form that patients of the
Royal Free NHS Trust can use to request such anonymisation of their SUS
data submissions The trust’s  process is for the patient to contact the
data protection officer, as advised on the website.

 

Patients might not be aware of the processing of their data by DeepMind in
this way. When they do find out, and if there are unhappy about such an
arrangement, they might wish to ensure that any such data about them that
has been uploaded or passed to DeepMind is deleted completely. The
trust’s  process is for the patient to contact the data protection
officer, as advised on the website.

 

               

• Please could you provide me with the process (including any requisite
forms that must be completed) by which patients can request that any
personal confidential data about them uploaded or passed to DeepMind is
completely deleted, and that no further information is passed to DeepMind
for either primary or secondary purposes. Such an objection would, of
course, not prohibit medical staff within the hospitals from accessing
their electronic hospital record for their direct medical care - The
trust’s  process is for the patient to contact the data protection
officer, as advised on the website.

 

As per Section 1(4) of the FOI Act

( [9]http://www.legislation.gov.uk/ukpga/2000... ) I would like
the information in question held at the time when my request is received
(draft or otherwise), except that account may be taken of any amendment or
deletion made between now and the latest time by which the information is
to be communicated to me, being an amendment or deletion that would have
been made regardless of the receipt of my request.

 

I would be grateful if you would be kind enough to send me the requested
information promptly and in any event not later than the twentieth working
day following the date of receipt of my request, which I make to be the
1st June.

 

If my request is denied in whole or in part, or specific items within the
responses are withheld from disclosure, then you must justify all
deletions by reference to specific exemptions of the act, as per Section
17 of the Act ( [10]http://www.legislation.gov.uk/ukpga/2000...
). Where you rely on a qualified exemption to withhold disclosure, you are
obliged to consider the public interest in your decision and the refusal
notice must explain not only which exemption applies and why, but also the
public interest arguments addressed in reaching the decision.

 

I would be grateful if you would kindly acknowledge receipt of this
request as recommended by the ICO ("It would be good practice to
acknowledge receipt of requests and to refer to the 20 working day time
limit, so that applicants know their request is being dealt with").

 

Thank you very much once again, and I look forward to the information that
I have requested, in accordance with the Act.

 

Yours sincerely,

 

Dr Neil Bhatia

 

-------------------------------------------------------------------

 

Please use this email address for all replies to this request:

[11][FOI #331981 email]

 

Is [12][Royal Free London NHS Foundation Trust request email] the wrong address for Freedom of Information
requests to Royal Free London NHS Foundation Trust? If so, please contact
us using this form:

[13]https://www.whatdotheyknow.com/change_re...

 

Disclaimer: This message and any reply that you make will be published on
the internet. Our privacy and copyright policies:

[14]https://www.whatdotheyknow.com/help/offi...

 

For more detailed guidance on safely disclosing information, read the
latest advice from the ICO:

[15]https://www.whatdotheyknow.com/help/ico-...

 

If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.

 

 

-------------------------------------------------------------------

 

********************************************************************************************************************

This message may contain confidential information. If you are not the
intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or
take any action in reliance on its contents:
to do so is strictly prohibited and may be unlawful.

Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS
staff in England and Scotland
NHSmail is approved for exchanging patient data and other sensitive
information with NHSmail and GSi recipients
NHSmail provides an email address for your career in the NHS and can be
accessed anywhere

********************************************************************************************************************

References

Visible links
1. https://www.royalfree.nhs.uk/news-media/...
2. http://www.ico.org.uk/
3. mailto:[FOI #331981 email]
4. https://www.newscientist.com/article/208...
5. http://www.theinquirer.net/inquirer/news...
6. http://s3-eu-west-1.amazonaws.com/files....
7. http://www.hscic.gov.uk/media/9719/Schem...
8. http://www.plymouthhospitals.nhs.uk/down...
9. http://www.legislation.gov.uk/ukpga/2000...
10. http://www.legislation.gov.uk/ukpga/2000...
11. mailto:[FOI #331981 email]
12. mailto:[Royal Free London NHS Foundation Trust request email]
13. https://www.whatdotheyknow.com/change_re...
14. https://www.whatdotheyknow.com/help/offi...
15. https://www.whatdotheyknow.com/help/ico-...

hide quoted sections

Dr Neil Bhatia left an annotation ()

More information about NHS data sharing, including:

• care.data
• The Summary Care Record,
• The Hampshire Health Record
• The Berkshire Health Record (Connected Care)
• The Manchester Care Record
• The Stockport Health and Care Record
• The Salford Integrated Record
• The West Cheshire Care Record
• The North Staffs and Stoke-on-Trent Shared Record
• The Dorset Care Record
• Secondary uses of your information
• Local data streaming initiatives
• The HSCIC
• Google DeepMind & the Royal Free NHSFT

can be found at:

www.nhsdatasharing.info

foi rf (ROYAL FREE LONDON NHS FOUNDATION TRUST), Royal Free London NHS Foundation Trust

1 Attachment

  • Attachment

    Privacy Impact Assessment for Waking Project 27 Jan 2016 V0 1 redacted.pdf

    211K Download View as HTML

Dear Dr Bhatia

 

I note that in a subsequent communication you advised that you no longer
wished to receive a copy of the information sharing agreement but
requested a copy of the privacy impact assessment.  This is now enclosed
and apologies not to have enclosed this with our previous response.

 

Yours sincerely

 

 

 

Alison Macdonald

Board Secretary

 

 

 

From: foi rf (ROYAL FREE LONDON NHS FOUNDATION TRUST)
Sent: 01 June 2016 15:25
To: '[FOI #331981 email]'
Subject: FW: FOI 1310 Freedom of Information request - Royal Free NHS
Trust & Google DeepMind - response

 

Dear Dr Bhatia

 

Further to your request for information please see the response below in
red type.  You may also find the information we have published on our
website of interest – it is available at
[1]https://www.royalfree.nhs.uk/news-media/...

 

Your appeal rights

 

We hope that you will be satisfied with our response to your request, if
not you may ask us to review our decision in which case you should write
to Ms Emma Kearney, director of corporate affairs and communications,
Royal Free London NHS Foundation Trust, Pond Street, London  NW3 2QG,
explaining what you would like us to review and including your reference
number.  If you are not satisfied with the internal review, you can appeal
to the Information Commissioner.  The contact details are: Information
Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9
5AF, telephone 01625 545 700 or see [2]www.ico.org.uk

 

Yours sincerely

 

 

 

Alison Macdonald

Board Secretary

 

 

-----Original Message-----
From: Dr Neil Bhatia
[[3]mailto:[FOI #331981 email]]
Sent: 30 April 2016 11:34
To: foi rf (ROYAL FREE LONDON NHS FOUNDATION TRUST)
Subject: FOI 1310 Freedom of Information request - Royal Free NHS Trust &
Google DeepMind

 

Dear Royal Free London NHS Foundation Trust,

 

I would like to make a request under the FOI Act.

 

For the purposes of the Act, please take the date of your receipt of this
request as Tuesday 3rd May 2016.

 

I note with interest two articles in the press this week:

 

[4]https://www.newscientist.com/article/208...

[5]http://www.theinquirer.net/inquirer/news...

 

Both of these refer to a data sharing agreement between Google-owned
artificial intelligence company DeepMind and the Royal Free NHS Trust, and
which gives DeepMind access to a wide range of healthcare data on the 1.6
million patients who pass through three London hospitals run by the Royal
Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year, as
well as access to patient data from the last five years (via SUS).

 

The Royal Free Hospital will remain the official data controller in this
instance.

 

I would be very grateful for the following information relating to this
agreement.

 

• Please could you provide me with a copy of this data-sharing agreement
between the Royal Free NHS Trust and DeepMind (I assume suitably redacted
to remove commercially sensitive items such as £). I am particularly
interested in the information governance arrangements detailed within that
document  The information sharing agreement is enclosed.  The precise
storage location has been redacted under section 43 (commercial
interests).

 

 

• Please could you provide me with all communication that the Royal Free
NHS Trust has had with the Information Commissioner's Office (ICO)
regarding this agreement, which may include, for example, advice about the
legality of such an arrangement, requirements for fair processing
information, and the rights and processes by which patients of those
hospital can object to the processing of their personal confidential data
by DeepMind, for both primary and secondary purposes – The trust is not
required to consult with the ICO in regard of any data sharing or data
processing agreements, however,

 

·         The NHS Confidentiality Code of Practice [p15(38)] states that
when patients agree to be treated in hospital, they “understand that some
information about them must be shared in order to provide them with care
and treatment”. The hospital (as the data controller) determines what data
processing needs to take place to deliver care. This process also covers
the multitude of other clinical systems in every NHS hospital that provide
essential electronic records, document management and pathology services.
It is implausible to consider that hospitals could function if they had to
seek informed consent for every clinical system they use.

·         The Fair Processing Notice issued by the Trust explains that
patient identifiable data will only be shared with third parties when it
is to be processed for direct patient care purposes. Patients have the
ability to opt-out of third-party data sharing by informing the trust’s
information governance lead they want to opt out.

 

 

• Please could you kindly provide me with the fair processing information
that you make available to patients, attending all those hospitals,
regarding this new use of their personal confidential data (for example,
poster, handouts, leaflets) – The trust has information on the public
website at  
[6]http://s3-eu-west-1.amazonaws.com/files....

 

• Please could you provide me with the process (including any requisite
forms that must be completed) by which patients can *completely* object to
the passing of their personal confidential data to DeepMind for
processing, for *both* primary and secondary uses. Such an objection
would, of course, not prohibit medical staff within the hospitals from
accessing the trusts' electronic hospital record for their direct medical
care – The trust’s  process is for the patient to contact the data
protection officer, as advised on the website.

 

• Please could you provide me with the process (including any requisite
forms that must be completed) by which patients can object to the passing
of their personal confidential data to DeepMind for processing for
secondary uses *only*  (that is, for purposes other than their direct
medical care), including the pseudonymisation of personal confidential
data for that reason. Such an objection would, of course, not prohibit
medical staff within the hospitals from accessing their electronic
hospital record for their direct medical care  - The trust’s  process is
for the patient to contact the data protection officer, as advised on the
website.

 

The articles state that DeepMind will have access to the NHS' centralised
record of all hospital treatments in the UK, dubbed the Secondary User
Service (SUS) database.

 

At a patient's request, hospital trusts are required to remove all patient
identifiable data (NHS number or name/address, local patient identifier
(hospital number), DOB, postcode) from any SUS submission (CDS file) and
render it anonymised and not pseudonymised. Guidance on such a process is
available from the HSCIC :

[7]http://www.hscic.gov.uk/media/9719/Schem...

 

Some hospital trusts produce straightforward SUS opt-out forms for
patients to use, such as this one from Plymouth Hospitals

[8]http://www.plymouthhospitals.nhs.uk/down...

 

• Please can you provide me with the opt-out form that patients of the
Royal Free NHS Trust can use to request such anonymisation of their SUS
data submissions The trust’s  process is for the patient to contact the
data protection officer, as advised on the website.

 

Patients might not be aware of the processing of their data by DeepMind in
this way. When they do find out, and if there are unhappy about such an
arrangement, they might wish to ensure that any such data about them that
has been uploaded or passed to DeepMind is deleted completely. The
trust’s  process is for the patient to contact the data protection
officer, as advised on the website.

 

               

• Please could you provide me with the process (including any requisite
forms that must be completed) by which patients can request that any
personal confidential data about them uploaded or passed to DeepMind is
completely deleted, and that no further information is passed to DeepMind
for either primary or secondary purposes. Such an objection would, of
course, not prohibit medical staff within the hospitals from accessing
their electronic hospital record for their direct medical care - The
trust’s  process is for the patient to contact the data protection
officer, as advised on the website.

 

As per Section 1(4) of the FOI Act

( [9]http://www.legislation.gov.uk/ukpga/2000... ) I would like
the information in question held at the time when my request is received
(draft or otherwise), except that account may be taken of any amendment or
deletion made between now and the latest time by which the information is
to be communicated to me, being an amendment or deletion that would have
been made regardless of the receipt of my request.

 

I would be grateful if you would be kind enough to send me the requested
information promptly and in any event not later than the twentieth working
day following the date of receipt of my request, which I make to be the
1st June.

 

If my request is denied in whole or in part, or specific items within the
responses are withheld from disclosure, then you must justify all
deletions by reference to specific exemptions of the act, as per Section
17 of the Act ( [10]http://www.legislation.gov.uk/ukpga/2000...
). Where you rely on a qualified exemption to withhold disclosure, you are
obliged to consider the public interest in your decision and the refusal
notice must explain not only which exemption applies and why, but also the
public interest arguments addressed in reaching the decision.

 

I would be grateful if you would kindly acknowledge receipt of this
request as recommended by the ICO ("It would be good practice to
acknowledge receipt of requests and to refer to the 20 working day time
limit, so that applicants know their request is being dealt with").

 

Thank you very much once again, and I look forward to the information that
I have requested, in accordance with the Act.

 

Yours sincerely,

 

Dr Neil Bhatia

 

-------------------------------------------------------------------

 

Please use this email address for all replies to this request:

[11][FOI #331981 email]

 

Is [12][Royal Free London NHS Foundation Trust request email] the wrong address for Freedom of Information
requests to Royal Free London NHS Foundation Trust? If so, please contact
us using this form:

[13]https://www.whatdotheyknow.com/change_re...

 

Disclaimer: This message and any reply that you make will be published on
the internet. Our privacy and copyright policies:

[14]https://www.whatdotheyknow.com/help/offi...

 

For more detailed guidance on safely disclosing information, read the
latest advice from the ICO:

[15]https://www.whatdotheyknow.com/help/ico-...

 

If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.

 

 

-------------------------------------------------------------------

 

********************************************************************************************************************

This message may contain confidential information. If you are not the
intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or
take any action in reliance on its contents:
to do so is strictly prohibited and may be unlawful.

Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS
staff in England and Scotland
NHSmail is approved for exchanging patient data and other sensitive
information with NHSmail and GSi recipients
NHSmail provides an email address for your career in the NHS and can be
accessed anywhere

********************************************************************************************************************

References

Visible links
1. https://www.royalfree.nhs.uk/news-media/...
2. http://www.ico.org.uk/
3. mailto:[FOI #331981 email]
4. https://www.newscientist.com/article/208...
5. http://www.theinquirer.net/inquirer/news...
6. http://s3-eu-west-1.amazonaws.com/files....
7. http://www.hscic.gov.uk/media/9719/Schem...
8. http://www.plymouthhospitals.nhs.uk/down...
9. http://www.legislation.gov.uk/ukpga/2000...
10. http://www.legislation.gov.uk/ukpga/2000...
11. mailto:[FOI #331981 email]
12. mailto:[Royal Free London NHS Foundation Trust request email]
13. https://www.whatdotheyknow.com/change_re...
14. https://www.whatdotheyknow.com/help/offi...
15. https://www.whatdotheyknow.com/help/ico-...

hide quoted sections

Looking for an EU Authority?

You can request documents directly from EU Institutions at our sister site AskTheEU.org . Find out more .

AskTheEU.org