Google’s patented DeepMind faces privacy issues for AI health app
Following the Information Commissioner’s Office investigation nr. RFA0627721 named “Provision of patient data to DeepMind”, the Royal Free NHS Foundation Trust in person of its Chief Executive has been asked to comply with privacy, having found UK Data Protection Act of 1998 violations.
It is required to:
a) establish a proper legal basis under the Data Protection Act for the Google DeepMind project and for future trials;
b) set out how it will comply with its duty of confidence to patients in future trials;
c) assess the impact of trial on privacy ensuring transparency;
d) audit the trial sharing the results with the Information Commissioner who will have the right to publish them if appropriate.
How technology can change our lives
Technology undoubtedly changes our lives. Million persons are connected in the same moment: we can travel, shop and talk with our dearest ones without moving from our chair. But technology is not only connecting people even if this is the most immediate effect of this modernization era.
Technology improves science and research
Improved scientific research and refined acknowledgment is another effect of technologic innovation, thanks to data collecting.
Any single information stored is processed to a tailored customization of people: the number of times a specific disease is entered for a search, or how many patients suffering with it are registered in a hospital database, allows to know the rate of global incidence of that disease on humans and, as a consequence, allows a more targeted prevention.
Google acquired DeepMind, an AI start up
DeepMind is a start-up that Google acquired in 2014 with the specific intention to make it served to the health cause.
From its foundation in 2011, DeepMind is active in the machine learning and Artificial Intelligence field, with the goal to make them solving problem without specific program.
Machine learning and game solving
One of its most enthusiastic results is the development of an AI able to run, walk, jump and climb without any prior guidance.
It means that it is so much intelligent that it can choose and execute the moves by itself without a memory or a program teaching it what is right and what is wrong. A baby human cannot do it, for example.
Another impressive goal reached by DeepMind is an AI able to play a role game, selecting a winning strategy from the first move.
If you think to the robot playing chess and defeating humans thanks to a billion checks memory, it is not what DeepMind is actually thinking by its side. DeepMind challenges human ability in the ancient Asiatic GO game.
Here we have AlphaGo, an AI that looks, studies and emulates the best players’ moves, learning by itself which strategy is better than others, simulating real life problems to enhance its skills.
Artificial Intelligence served to health care
Apart from games, DeepMind takes advantage of this research for the health and science fields, creating a dedicated app to prevent kidney failure crisis.
That’s too bad that in order to develop the app, it shared with Google and the Royal Free National Health Security Foundation Trust something like 1,6 million English patient data without their prior consent.
ICO prohibits sharing data without patients’ prior consent
On February 2016 it comes to light that DeepMind on the account of Royal Free National Health Security Foundation Trust has shared without public consultation over one million patient information.
Due to inadequacies in the way information had been handed over, the Commissioner of ICO asked NHS and Google to comply with privacy and transparency rules.
The ICO Commissioner’s thesis
Information Commissioner Elizabeth Denham states that innovation cannot harm fundamental privacy rights and that DeepMind, Google and NHS has violated privacy rules with their project.
Instead of fining the undertaking, the Commissioner asks for changes to make to the project like sorting out a legal basis for future trials, comply with duty of confidence to patients, assess the impact of trial on privacy, audit the trial and share details with ICO.
The Royal Free National Health Service will cooperate
Royal Free NHS declares its fully cooperation to enhance the guidance ICO set out for future trials involving patient data. It accepts the findings of investigation and make sure to address requested changes in order to keep using the Streams app to help health care.
Google admits an “underestimating” of privacy rules
Google welcomes the resolution admitting an underestimation of the rules around patient data and of the impact of a tech company working in health. Indeed, Google states, the DeepMind has concentrated more on building facilities for clinicians than on the needs of patient and public.
The ICO does not fine Google’s patented undertaking nor the Royal Free NHS
The Commissioner finds that DeepMind processed approximately 1.6 million patients’ personal data for the purpose of the clinical safety testing of the Streams application violating the requirements of the Data Protection Act.
ICO outlines the parties’ roles
Regarding health data, ICO allows the use of patient data for wider public good like improving clinical care, supporting the development of innovative technological solutions.
Indeed, it is necessary to meet data protection mechanism set out in the Act. DeepMind and Royal Free NHS has entered into agreement effective between parties on September 30th 2015. The ICO considers NHS as a data controller and DeepMind as a data processor under the Act.
Shortcomings regarding privacy in the Streams app’s project
On the basis of this agreement, the parties carried out the project of Streams app with shortcomings in the processing of patient records resulting it in a noncompliance with data protection principles of Act.
The ICO investigations outlines a violation of principle of processing personal data fairly and lawfully, principle of adequate, relevant and not excessive personal data, principle of processing personal data in accordance with the rights of data subjects, principle of appropriate technical and organizational controls.
Preventing Acute Kidney Injury does not justify privacy violation
Data containing identifiable information held by NHS and shared with DeepMind for the purpose of clinical safety testing contains information on persons who had presented for treatment in the previous five years for tests and radiology electronic patient record system, as the Streams app is conceived as a tool to detect, diagnose and prevent Acute Kidney Injury for Royal Free NHS clinicians.
Principle of the Act supposed to be violated
But it leads to violation of principle since: data subjects entering into treatment were not adequately informed that the processing of their data was taking place; the processing of 1.6 million partial patient records is excessive for what is required for clinical safety testing; being unaware of the project, patients were unable to exercise their rights to prevent their data to be processed; the processing was not subject to a full privacy impact assessment.
For these reasons, the Commissioner asks Royal Free NHS as the data controller to comply with the Act in order to allow DeepMind to continue using data provided by the undertaking.
Measures imposed to Royal Free NHS to comply with the Act
Some measures should be taken by Royal Free NHS to comply with respectful practices of privacy outlined by the Act. Indeed, the Commissioner decides not to fine Royal Free NHS nor to disapprove the project but, in order to keep developing it, the parties are required to establish a proper legal basis under the Data Protection Act provisions not only regarding the current Google DeepMind project, but future trials too.
Then, Royal Free NHS should set out how it will comply with its duty of confidence to patients in future trials not before having assessed the impact of any trial on privacy.
They must encounter provisions about transparency ensuring any useful measure aimed to make the patient conscious of his data treatment and audit the trial sharing the results with the Information Commissioner who will have the right to publish them if they are assessed appropriate.
Technology and health care, a delicate matter of privacy
Privacy can represent a problem when personal data are involved in technology research.
Health care is a major issue for public and technology can offer instruments to improve and prevent health system but the fundamental need to process data goes against the fundamental right to protect individual information.
Even Google admitted having underestimated the impact of privacy into technology misusing protection measures that law provides addressing transparency and adequacy of information.
The Data Protection Working Party in EU
This is so true that, EU on 1996 provided itself with a Data Protection Working Party group, founded after the launch of the EU Commission’s Data Protection Directive.
It is composed of representatives from Member States data protection authorities with the scope to support authorities, promote Directive’s provision and give advice to Commission about internal data protection law application.
Italian medical apps do not pass privacy test
The group issued guidelines for mobile app developers, following an investigation by Italian internal authority that showed how medical apps lacked transparency and required excessive personal information