Question to the Department of Health and Social Care:

To ask the Secretary of State for Health, what assessment he has made of the effect on patient confidentiality of the decision by NHS Royal Free Foundation Trust to grant DeepMind access to NHS patient records; and if he will make a statement.

Individual organisations providing National Health Service care are the data controllers for the information that they hold, and are responsible for ensuring that there is a legal basis for sharing confidential patient information with a third party.

Individual organisations must ensure that where patient consent is the basis for information sharing that patients are fully informed about the purposes for which personal information might be processed and with whom they might share information. Where a NHS organisation has contracted a third party to process personal information on its behalf to support the provision of direct care to patients the individual organisation must ensure that it has contractual safeguards in place to prevent the third party from using the data for purposes other than those determined by the NHS organisation.

NHS organisations should not share confidential patient information where the patient has objected – except in cases where there is a legal requirement to share data or an overriding public interest.