Security and Information Governance

Data security and privacy

Patients have the right to know that their health data is processed appropriately, and is handled with the utmost care and respect. We always have, and always will, hold ourselves to the highest legal and ethical standards. This includes working with trusts and regulatory bodies to obtain all approvals for any work we undertake. We rigorously train all of our staff to understand and abide by information governance for direct care and health research applications.

As a data processor for our partners in the Royal Free and Imperial College Healthcare NHS Trusts, we take the issue of data security seriously.

For Streams to work safely, it has to present clinicians with all the patient information required for them to make an accurate diagnosis and determine the right treatment. For AKI, for example, this information includes historical medical data such as previous illnesses and operations, allergies and previous blood test results that can be compared with more recent blood tests.

In order to process this data, we first copy it from the Trust’s systems to our NHS Digital approved data centre located in the UK. This is done over an end-to-end encrypted link.

Once in our data centres, the data is stored in an encrypted database and only decrypted when it is needed for processing. The decrypted data and data derived from it is never stored on disk without first being re-encrypted. Data transmitted between machines is also end-to-end encrypted, and all equipment is physically secured within a locked cage. All backups within our systems are also conducted over secure, encrypted links.

Every access to patient data is logged. Those logs are regularly reviewed by our Information Governance team to ensure that accesses are legitimate, as well as being open to review by our Trust partners and our Independent Reviewers.

Similarly, all software used to process the data is subject to both internal review by our software engineers and security teams, and external oversight by our Independent Reviewers.

Once data is no longer required, we permanently delete it from our systems. Where applicable, we also destroy any encryption keys associated with that data. Any storage device that is retired from service in our data centre is physically destroyed to ensure there is no possibility of data leakage or recovery. 
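The storage model described in the paragraphs above (data encrypted at rest, decrypted only in memory while it is processed, every access logged, and encryption keys destroyed when data is deleted) can be shown as a small Go program. This is an added example, not DeepMind Health's code and not a description of its actual systems: the in-memory `keys` map is a hypothetical stand-in for a separate key store, `patient-0001` and `dr.alice` are constructed sample values, and AES-256-GCM is chosen here for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AuditEntry is one access-log line: who touched which record, when, with what outcome.
type AuditEntry struct {
	Who, RecordID, Outcome string
	At                     time.Time
}

// Store keeps records only as AES-256-GCM ciphertext, each under its own key.
// The keys map is a hypothetical in-memory stand-in for a separate key store (KMS/HSM).
type Store struct {
	keys       map[string][]byte // record id -> that record's data key
	ciphertext map[string][]byte // record id -> sealed record
	Audit      []AuditEntry
}

func NewStore() *Store {
	return &Store{keys: map[string][]byte{}, ciphertext: map[string][]byte{}}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce, binding the record id as associated
// data so a ciphertext cannot be silently moved to another record.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open fails closed: a missing (nil) key or a truncated ciphertext is an error, never a panic.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("cannot open ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Put generates a fresh key for the record and stores only the ciphertext.
func (s *Store) Put(id string, record []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ct, err := seal(key, record, []byte(id))
	if err == nil {
		s.keys[id], s.ciphertext[id] = key, ct
	}
	return err
}

// Get decrypts in memory only; every attempt, successful or not, is logged.
func (s *Store) Get(who, id string) ([]byte, error) {
	pt, err := open(s.keys[id], s.ciphertext[id], []byte(id))
	if err != nil {
		s.Audit = append(s.Audit, AuditEntry{who, id, "denied: " + err.Error(), time.Now()})
		return nil, errors.New("record unavailable")
	}
	s.Audit = append(s.Audit, AuditEntry{who, id, "ok", time.Now()})
	return pt, nil
}

// Delete destroys the record's key and deliberately leaves the ciphertext, standing in
// for copies that may linger in backups: without the key it is unrecoverable.
func (s *Store) Delete(id string) { delete(s.keys, id) }

func main() {
	s := NewStore()
	_ = s.Put("patient-0001", []byte("constructed sample: creatinine 180 umol/L"))
	pt, _ := s.Get("dr.alice", "patient-0001")
	s.Delete("patient-0001")
	_, err := s.Get("dr.alice", "patient-0001")
	fmt.Printf("read %q; after key destruction: %v; log lines: %d\n", pt, err, len(s.Audit))
}
```

The point of leaving the ciphertext behind in `Delete` is that deletion is enforced by destroying the key, so stale copies on backup media stay unreadable; the audit log records denied attempts as well as successful reads, which is what a periodic log review needs to see.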

A diagram showing the data flow through DeepMind Health's infrastructure from one of our partner Trusts

Information Governance

The legal framework covering the way patient data can be used and handled is necessarily strict and complex. It includes the NHS Act 2006, the Health and Social Care Act 2012, the Data Protection Act 1998, and the Human Rights Act 1998. This is an extremely important issue for patients, for clinicians and for us. The process through which we meet our obligations on patient data is known as ‘Information Governance’. We ensure that we always adhere to the highest standards of information governance in all our work, including working with trusts and regulatory bodies to obtain all approvals for any work we undertake.

Using technology for direct patient care

Direct patient care, as defined on NHS Digital's website, involves a multitude of third-party tools and services for the processing of patient data. From email servers to pagers, MRI scanners to heart monitors, the details of our physical condition are transmitted over systems built and maintained by companies rather than clinicians.

To enable the NHS to provide care to those who use health services, Trusts may in some cases need to ask third-party organisations to process identifiable data.

NHS Digital state that direct patient care includes: “clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals”. Under implied consent, the NHS has a number of agreements with third-party organisations to support direct care, many of which are vital to the safe and effective treatment of patients.

As Streams will help support clinicians in the NHS with the provision of direct care to patients, the apps will need access to identifiable patient data. In relation to any identifiable personal data that we are provided access to, we will at all times act as the “data processor” on behalf of the “data controller” (the NHS organisation that collects and owns the data).

This means that we will only ever process the identifiable personal data on the instructions of the relevant NHS organisation, under agreements containing strict obligations in relation to the use and protection of that data. You can read more about data processors and data controllers on the ICO website.

Prior to having any access to identifiable personal data from a data controller, we make an application to the information governance department of the NHS organisation in which the clinical app will be used. IG departments are bound by the rules of the Information Commissioner’s Office (ICO) and NHS Digital.

No identifiable personal data is processed, and no clinical apps are used, until the IG department indicates approval by signing an appropriate processing agreement. As a data processor our access is controlled by the data controller and our responsibilities are set out in an appropriate data processing agreement, such as our agreement with the Royal Free.

Any processing of information is always under strict guidelines and privacy protection, with the highest level of encryption and security to ensure that the data never falls into the wrong hands, and is always used only for the intended purpose outlined by the data controller.

Using technology for medical research

Research on patient data involves different approvals and permissions from the process for clinical apps.

For our research project with Moorfields Eye Hospital, all the patient data is non-identifiable and was previously collected in the course of normal care. DeepMind has been given permission for data access via a Research Collaboration Agreement with Moorfields Eye Hospital, and an approval to carry out research from the Moorfields Research & Development department through their Research On Anonymised Data (ROAD) approval pathway. The ROAD approval pathway ensures compliance with information governance guidelines for safe use of NHS data. You can request a copy of the Research Collaboration Agreement and the Research On Anonymised Data (ROAD) form by emailing press.office@moorfields.nhs.uk.

Since the Research Collaboration Agreement was signed, we have submitted an application to the Health Research Authority for an extended version of this project which will allow us to combine the images over time. As part of this work we have published a research protocol on the open access website F1000Research.

Information Governance FAQ

  • What steps have you taken to protect patient data?

    Throughout the course of every project, DeepMind takes rigorous measures to protect the security of patient data.

    Before accessing any patient health data, we undertook a major project to design an information and data security architecture of the highest quality, working in partnership with medical and security experts to analyse and mitigate risks.

    In line with NHS Digital's processes, we completed a self-assessment of the IG toolkit, and assessed our compliance to be at Level 3, the highest level possible across each of their requirements. NHS Digital subsequently assessed our IG toolkit compliance, first remotely and then via an on-site audit at DeepMind. Both assessments verified that we had reached at least Level 2 (NHS Digital assessments do not, as standard, examine whether an organisation has reached Level 3, since the standard required by the Department of Health is Level 2).

    For our research project with Moorfields, a data custodian has been appointed by DeepMind Health to control access to the data. Only those who require access to conduct the research work will be granted access. All researchers who are involved in the study are required to complete NHS Digital and internal DeepMind information governance training before beginning research work.

    An update was made to the FAQ "What steps have you taken to protect patient data" on 22/07/16.
    We believed our Level 3 self-assessment had been verified by NHS Digital when we received the "satisfactory" grading on their public website. Following discussion with NHS Digital, we understand that their assessments only verify up to Level 2, since this is the Department of Health-required standard, and that while they allow self-assessment up to Level 3 they do not themselves usually verify compliance at that Level.

  • Why does DeepMind process identifiable data for its clinical apps?

    Streams processes identifiable data, such as blood test results and previous admissions and discharges, to support direct patient care by notifying doctors of patients who are at risk of Acute Kidney Injury (AKI). When a patient with AKI is identified it is necessary to point the clinicians to that patient, and as required by the NHS Digital interface guidelines we must display their name, date of birth, NHS number and gender within the app.

  • Does DeepMind have an unusual level of access to patient data?

    No. NHS organisations frequently contract data processing functions to third parties, up to and including full electronic patient records services.

    In the case of accessing data for direct patient care, the data processed for Streams is comparable to the data many other third-party organisations also process. Many third-party organisations are on record as having applied for and received some level of NHS Digital sign-off, and may be processing patient data at present.

    For medical research projects such as the Moorfields partnership, the research publications listed on our website show that machine learning algorithms benefit from large datasets on which to train; as in any study, the greater the volume of data, the more precise the result.

  • What regulations cover your use of data?

    Strict rules exist to ensure that third-party services protect data to the highest standards. In the case of our work with Royal Free London, this included making an NHS Digital information governance statement of compliance and ensuring that our agreement with the Trust for processing of the data complied with the requirements of the Data Protection Act 1998.

    For DeepMind’s research partnership with Moorfields, we were provided with the anonymous data under a Research Collaboration Agreement with Moorfields Eye Hospital, and an approval to carry out research from the Moorfields Research & Development department through their Research On Anonymised Data (ROAD) approval pathway. The ROAD approval pathway ensures compliance with information governance guidelines for safe use of NHS data.

    NHS data is only ever processed by DeepMind Health under the provisions of our agreements in place with the Trusts, and in compliance with both parties’ information governance requirements and applicable law. Our agreements ensure that patients' data will always be processed in England and won’t ever be linked or associated with Google accounts, products or services. We have established and will maintain the best information security practices, including technical protections, to safeguard this data.

  • How are the Information Governance policies enforced?

    All staff who are part of DeepMind Health must undergo NHS Digital training, as well as our internal training programme, which specifically assesses their knowledge of and compliance with the policies and procedures we have in place. Staff are subject to spot checks each month and their activity is audited as part of that. In particular, we carry out incident simulations which ensure staff are confident in how to follow procedures during such events. As part of employment contracts for all staff at DeepMind with access to sensitive personal information, there are severe penalties for any misuse or misappropriation of data, up to and including termination.

    Information Governance management is the responsibility of the Information Governance board at DeepMind Health. They meet once a month and cover key aspects of Information Governance such as reviewing data security reports, approving policy updates, monitoring training and reviewing the risk register. Any instructions given to us by the data controller (e.g. patient opt outs) are discussed during these meetings.

    DeepMind Health has also appointed a panel of Independent Reviewers who meet regularly to ensure independent oversight and scrutiny of all our health work. Each member is highly respected within their field and was selected so that the panel's expertise spans medicine, the NHS, technology and security.

  • Can I opt out of any hospital sharing data with a third party?

    DeepMind acts as a data processor on behalf of hospital Trusts, who remain the controller of patients’ data. DeepMind only processes data on the Trusts’ instructions, and we don’t determine their data processing policies.

    Patients who wish to discuss opting out should contact their Trust’s Patient Advice Liaison Service (PALS).

  • How do you protect against data leaks or cyber attacks?

    The DeepMind Health infrastructure has been designed and built to the highest security standards. We keep access to this infrastructure to an absolute minimum and commission expert security teams to conduct regular penetration tests. We have also had external penetration tests carried out by CREST-certified consultants. All traffic in and out of the infrastructure is restricted and closely monitored; there are mechanisms which allow us to verify the presence of unusual or unapproved activity. The data itself is encrypted both in transit and at rest whilst we process it. Code is thoroughly reviewed and audited from a security perspective, and we analyse any third-party libraries we use for vulnerabilities.
