Google DeepMind's deal with the NHS is being investigated by the UK data watchdog
The data protection watchdog told Computer Weekly that an investigation into the partnership, which gives Google DeepMind access to 1.6 million patient records, has been launched off the back of at least one complaint from the general public.
A complaint seen by Computer Weekly, reportedly questions whether Google DeepMind will be "expected to encrypt the patient data it receives when at rest."
It reportedly reads: "Whilst the information-sharing agreement insists that personally identifiable information - such as name, address, post code, NHS number, date of birth, telephone number, and email addresses, etc - must be encrypted whilst in transit to Google, it does not explicitly prohibit that data being unencrypted at the non-NHS location."
It's worth noting that the Royal Free NHS Trust states in a Q&A on its website that: "All information sent to and processed by DeepMind is encrypted both in transit to, and at rest within, the DeepMind Health cluster."
The data-sharing agreement between Google DeepMind and the Royal Free NHS Trust was obtained by New Scientist earlier this month. Through the agreement, Google DeepMind is able to see data completely unrelated to kidney function, including whether people are HIV-positive as well as details of drug overdoses and abortions.
Privacy campaigners have questioned why Google DeepMind has been given access to so much medical data without public consent.
The complainant reportedly took issue with this, claiming that it could put patient privacy at risk when employees at Google DeepMind's 250-strong AI lab in King's Cross access the data.
"It is usual for personal data to be pseudonymised to mask the true identity of the patient," the complaint said.
"In this contract it explicitly states: 'As this data is being held for direct patient care purposes, pseudonymisation is not required.' Therefore, there is some risk that personal data could be accessed at the non-NHS location."
The complainant told Computer Weekly that the ICO responded to their concerns on 10 May. The ICO reportedly told the complainant that staff had been assigned to probe the data-sharing arrangement in more detail.
An ICO spokesperson confirmed the assertion from the complainant, according to Computer Weekly.
"Any organisation processing or using people's sensitive personal information must do so in accordance with Data Protection Act," the ICO told Computer Weekly.
DeepMind cofounder Mustafa Suleyman defended the data-sharing agreement last week, saying: "As Googlers, we have the very best privacy and secure infrastructure for managing the most sensitive data in the world."
Business Insider has contacted Google and is waiting to hear back.