A 3rd celebration audit of a controversial affected person data-sharing association between a London NHS Belief and Google DeepMind seems to have skirted over the core points that generated the controversy within the first place.
The audit (full report right here) — carried out by regulation agency Linklaters — of the Royal Free NHS Basis Belief’s acute kidney harm detection app system, Streams, which was co-developed with Google-DeepMind (utilizing an current NHS algorithm for early detection of the situation), doesn’t look at the problematic 2015 information-sharing settlement inked between the pair which allowed knowledge to start out flowing.
“This Report incorporates an evaluation of the information safety and confidentiality points related to the information safety preparations between the Royal Free and DeepMind . It’s restricted to the present use of Streams, and any additional improvement, practical testing or scientific testing, that’s both deliberate or in progress. It’s not a historic assessment,” writes Linklaters, including that: “It consists of consideration as as to if the transparency, honest processing, proportionality and knowledge sharing considerations outlined within the Undertakings are being met.”
But it was the unique 2015 contract that triggered the controversy, after it was obtained and revealed by New Scientist, with the wide-ranging doc raising questions over the broad scope of the information switch; the authorized bases for sufferers info to be shared; and resulting in questions over whether or not regulatory processes meant to safeguard sufferers and affected person knowledge had been sidelined by the 2 important events concerned within the mission.
In November 2016 the pair scrapped and changed the preliminary five-year contract with a unique one — which put in place extra info governance steps.
Additionally they went on to roll out the Streams app to be used on sufferers in a number of NHS hospitals — regardless of the UK’s knowledge safety regulator, the ICO, having instigated an investigation into the unique data-sharing association.
And simply over a 12 months in the past the ICO concluded that the Royal Free NHS Basis Belief had didn’t adjust to Knowledge Safety Regulation in its dealings with Google’s DeepMind.
The audit of the Streams mission was a requirement of the ICO.
Although, notably, the regulator has not endorsed Linklaters report. Quite the opposite, it warns that it’s searching for authorized recommendation and will take additional motion.
In a assertion on its web site, the ICO’s deputy commissioner for coverage, Steve Wooden, writes: “We can not endorse a report from a 3rd celebration audit however we’ve got supplied suggestions to the Royal Free. We additionally reserve our place in relation to their place on medical confidentiality and the equitable responsibility of confidence. We’re searching for authorized recommendation on this concern and will require additional motion.”
In a piece of the report itemizing exclusions, Linklaters confirms the audit doesn’t contemplate: “The information safety and confidentiality points related to the processing of private knowledge in regards to the clinicians on the Royal Free utilizing the Streams App.”
So primarily the core controversy, associated to the authorized foundation for the Royal Free to move personally identifiable info on 1.6M sufferers to DeepMind when the app was being developed, and with out individuals’s information or consent, goes unaddressed right here.
And Wooden’s assertion pointedly reiterates that the ICO’s investigation “discovered plenty of shortcomings in the way in which affected person data had been shared for this trial”.
“[P]artwork of the enterprise dedicated Royal Free to fee a 3rd celebration audit. They’ve now accomplished this and shared the outcomes with the ICO. What’s essential now’s that they use the findings to deal with the compliance points addressed within the audit swiftly and robustly. We’ll be persevering with to liaise with them within the coming months to make sure that is occurring,” he provides.
“It’s essential that different NHS Trusts contemplating utilizing comparable new applied sciences pay regard to the suggestions we gave to Royal Free, and guarantee knowledge safety dangers are absolutely addressed utilizing a Knowledge Safety Affect Evaluation earlier than deployment.”
Whereas the report is one thing of a frustration, given the obvious historic omissions, it does elevate some factors of curiosity — together with suggesting that the Royal Free ought to in all probability scrap a Memorandum of Understanding it additionally inked with DeepMind, wherein the pair set out their ambition to use AI to NHS knowledge.
That is really useful as a result of the pair have apparently deserted their AI analysis plans.
On this Linklaters writes: “DeepMind has knowledgeable us that they’ve deserted their potential analysis mission into using AI to develop higher algorithms, and their processing is proscribed to execution of the NHS AKI algorithm… As well as, nearly all of the provisions within the Memorandum of Understanding are non-binding. The restricted provisions which can be binding are outmoded by the Companies Settlement and the Info Processing Settlement mentioned above, therefore we predict the Memorandum of Understanding has very restricted relevance to Streams. We advocate that the Royal Free considers if the Memorandum of Understanding continues to be related to its relationship with DeepMind and, if it’s not related, terminates that settlement.”
In one other part, discussing the NHS algorithm that underpins the Streams app, the regulation agency additionally factors out that DeepMind’s function within the mission is little greater than serving to present a glorified app wrapper (on the app design entrance the mission additionally utilized UK app studio, ustwo, so DeepMind can’t declare app design credit score both).
“With out intending any disrespect to DeepMind, we don’t assume the ideas underpinning Streams are notably ground-breaking. It doesn’t, by any measure, contain synthetic intelligence or machine studying or different superior know-how. The advantages of the Streams App as a substitute come from a really well-designed and user-friendly interface, backed up by strong infrastructure and knowledge administration that gives AKI alerts and contextual scientific info in a dependable, well timed and safe method,” Linklaters writes.
What DeepMind did carry to the mission, and to its different NHS collaborations, is cash and assets — offering its improvement assets free for the NHS on the level of use, and stating (when requested about its enterprise mannequin) that it could decide how a lot to cost the NHS for these app ‘improvements’ later.
But the business providers the tech large is offering to what are public sector organizations don’t seem to have been put out to open tender.
Additionally notably excluded within the Linklaters’ audit: Any scrutiny of the mission vis-a-vis competitors regulation, public procurement regulation compliance with procurement guidelines, and any considerations referring to attainable anticompetitive habits.
The report does spotlight one probably problematic knowledge retention concern for the present deployment of Streams, saying there may be “presently no retention interval for affected person info on Streams” — that means there isn’t a course of for deleting a affected person’s medical historical past as soon as it reaches a sure age.
“This implies the data on Streams presently dates again eight years,” it notes, suggesting the Royal Free ought to in all probability set an higher age restrict on the age of knowledge contained within the system.
Whereas Linklaters largely glosses over the chequered origins of the Streams mission, the regulation agency does make some extent of agreeing with the ICO that the unique privateness influence evaluation for the mission “ought to have been accomplished in a extra well timed method”.
It additionally describes it as “comparatively skinny given the dimensions of the mission”.
Giving its response to the audit, well being knowledge privateness advocacy group MedConfidential — an early critic of the DeepMind data-sharing association — is roundly unimpressed, writing: “The most important query raised by the Info Commissioner and the Nationwide Knowledge Guardian seems to be lacking — as a substitute, the report excludes a “historic assessment of points arising previous to the date of our appointment”.
“The report claims the ‘important pursuits’ (i.e. remaining alive) of sufferers is justification to guard towards an “occasion [that] would possibly solely happen sooner or later or not happen in any respect”… The one ‘important curiosity’ protected right here is Google’s, and its want to hoard medical data it was informed had been unlawfully collected. The important pursuits of a hypothetical affected person are usually not important pursuits of an precise knowledge topic (and the GDPR exams are demonstrably unmet).
“The ICO and NDG requested the Royal Free to justify the gathering of 1.6 million affected person data, and this authorized opinion explicitly supplies no reply to that query.”