--- title: On neural networks and health data privacy layout: post --- Dear all, I am writing to complain about recent news reports in which Royal Free patient data, including my own, has been shared with Google. Firstly, to the extent permissible under English law, I wish to withdraw my consent for this information to be shared with Google or any other organization without my explicit consent. Secondly, I believe that this constitutes a breach of the data protection act and am extremely unhappy at comments made by the spokesperson of the Royal Free in a recent Guardian article. The spokesperson there said: "Our arrangement with DeepMind is the standard NHS information-sharing agreement set out by NHS England’s corporate information governance department and is the same as the other 1,500 agreements with third-party organisations that process NHS patient data." However, [the Privacy statement on the Royal Free website](https://www.royalfree.nhs.uk/patients-visitors/privacy-statement/) says something different. I have been acting under the belief that you would only share information with organizations providing care for me, by which I understood this to mean _direct_ care. Indeed, the privacy statement says "For your benefit we may need to share information from your health records with non-NHS organisations from whom you are also receiving care, such as social services or private healthcare organisations. We will share information with non-NHS organisations only with your permission if the information is required for purposes other than the provision of care to you." Google is not providing me care. I would assume, therefore, that this falls under the last of these clauses that requires explicit consent. ![The Royal Free privacy policy](/images/RFData.png) The Privacy statement on the Royal Free website does have the following provisions also for data release "in exceptional situations": * it is in the public interest – for example, there is a risk of death or serious harm * there is a legal need to share it – for example, to protect a child under the Children Act 1989 * a court order tells us that we must share it * there is a legitimate enquiry from the police under the Data Protection Act (1998) for information related to a serious crime. I cannot see that any of the last three items apply here. However, one might argue that this was done under the first of these clauses since it is for research into conditions that might cause others harm. However, in this case, this would not be an exceptional circumstance, since if it is claimed that research could help with a "risk of death or serious harm" to the general public, every researcher would use this clause and it would be common practice with no opt-out. I cannot see anything in the privacy statement that would reasonably allow a patient to foresee that you would give their medical history to a for-profit company running an immensely sophisticated neural network to see whether a predictive service can be built. As far as I am concerned, my patient confidentiality has been breached here along with all other patients at the Royal Free. I would greatly appreciate a response to this email that confirms that my consent has been withdrawn and that also addresses this second point. Yours, Martin Eve