The head of the Department of Health's National Data Guardian (NDG) has criticised the NHS for the deal it struck with Google's DeepMind over sharing patient data.
In a letter dated February and leaked to Sky News, Dame Fiona Caldicott throws doubt on the legality of sharing 1.6 million patient records.
Patients should have been informed about the deal, she says.
Google said that the deal was covered by "implied consent".
This rule exists to allow the NHS to share medical data with third parties for direct patient care, without informing patients about each deal.
In the case of the partnership with DeepMind, data was collected from patients at the Royal Free Hospital Trust in London in order to test an app to help doctors and nurses identify those who might be at risk of acute kidney disease.
In her letter to Prof Stephen Powis, medical director of the Royal Free Hospital in London, Dame Fiona said: "We keenly appreciate the great benefits that new technologies such as Streams can offer to patients, in terms of better, safer, more timely care."
But she added: "It is absolutely paramount that this is done in a transparent and secure manner, which helps to build public trust, otherwise the full benefits of such developments will not be realised , and indeed harm may be done."
She questioned the use of "implied consent" as the legal basis for the transfer of identifiable patient records, because the data was initially used just to test the app.
"My considered opinion therefore remains that it would not have been within the reasonable expectation of patients that their records would have been shared for this purpose," she says.
She has written to the Information Commissioner's Office (ICO), which is currently investigating the data-sharing deal and is due to report its findings imminently.
In response to the leaked letter, a Royal Free London representative said: "The Streams app was built in close collaboration with clinicians to help prevent unnecessary deaths by alerting them to patients in need in a matter of seconds.
"It is now in use at the Royal Free, and is helping clinicians provide better, faster care to our patients. Nurses report that it is saving them hours each day."
DeepMind said: "We're glad the NDG has said that further guidance would be useful to organisations which are undertaking work to test new technologies."
"The data used to provide the app has always been strictly controlled by the Royal Free and has never been used for commercial purposes or combined with Google products, services or ads - and never will be."