Dame Fiona Caldicott, the National Data Guardian, who is tasked with overseeing the privacy of patient records, raised concerns over an agreement between the tech company and the Royal Free NHS Trust to share data in order to trial an app which can help identify patients at risk of disease.
In a letter sent to Professor Stephen Powis at the Royal London and seen by Sky News, Caldicot said the sharing of 1.6 million identifiable patient records took place on an "inappropriate legal basis".
DeepMind has argued the data was used to test the Streams app it is trialling for direct clinical care. However, Caldicot said she believes it was not for the provision of direct care, and added that patient care was secondary to the purpose of testing the app.
She added she "did not believe that when the patient data was shared with Google DeepMind, implied consent for direct care was an appropriate legal basis".
Data that identifies patients can be shared if it is for direct care and is done so automatically across the NHS unless patients specifically chose to opt out.
Wherever patient data is used, it is absolutely paramount that this is done in a transparent and secure manner, which helps to build public trust, otherwise the full benefits of such developments will not be realised, and indeed harm may be done.
Caldicot's assessment will be passed on to the Information Commissioner's Office, which is investigating the agreement under data protection rules.
DeepMind's senior clinician scientist, Dominic King, told Sky News the company "could have done better" informing the public about how data was being used and that no patient data has been shared with Google.
Powis said "I think everybody's agreed that we need to test, and when that involves patient data - and if it includes using large quantities of patient data - yes, I think we absolutely need to look at that again, collectively, everybody in the system, and we need to understand the guidance around that."
A second agreement, which is not under investigation, was made between the tech company and the trust at the end of last year. It looked at the Streams app, which can help alert doctors and nurses to signs patients are at risk of kidney problems, and was tested out over the last three months.
Last week King lifted the lid on how information from more than 2,000 blood tests per day, on average, are being analysed through Streams. It will roll out the app to more teams within the trust to provide alerts for warning signs of other critical illnesses.
The company had gone to greater lengths to make its work with the NHS more transparent, unveiling a project using a "blockchain-like" technology to keep data both secure and its use transparent. It has also appointed a heavyweight team of tech and health experts to independently review its work.
In an update to DeepMind's website on Monday, it said that "despite our best efforts, we know that we’ll face challenges and make mistakes" and that it is "committed to sharing these openly, and hope that what we learn will be useful to others".