Google DeepMind absorbs patient data to improve the NHS, but is it legal?
With everything they touch, the current cohort of Artificial Intelligence and Machine Learning vendors promise to solve some of the world's biggest and most pressing issues and bring unparalleled positive changes to communities worldwide. Yet ironically, some of those same communities are expected to feel the strain of obsolescence as automation increasingly replaces human work, in a continual national and global quest for greater value for money. With that much at stake, it is perhaps no surprise the field holding the greatest promise to improve the lives of UK residents is healthcare.
Earlier this year, Google DeepMind began publishing its work with London's Royal Free Hospital. With an initial focus on delivering cost-effective healthcare operations, analysis, alerting and monitoring to NHS clinicians, this is seen as a stepping stone to directing DeepMind's considerable number crunching power to further medical discovery and treatment, in the hope of improving the process of healthcare and discover new treatments for illnesses that so far, have eluded medical discovery.
"UK NHS and medical services are still very manual, even when computers are involved" Said Ethar Alali, Director of Axelisys, one of Manchester's many innovation start-ups working in HealthTech.
"The NHS delivers an amazing level of service in the context of mounting financial pressures, staff shortages and the increasing demand or an aging population. A workforce of nearly 2 million staff is a lot of people! Even saving 1 hour per employee, per day has the potential to save the NHS up to £2 billion a year during working hours. That time can then be ploughed back to one-to-one patient care and shortening what are increasingly long waiting times."
Yet, like any analysis, comes the need to examine raw data. Something companies such as Google are exceptionally good at. Yet, Google's data collection mechanisms are being put under the spotlight.
"This may sound obvious, but patterns in data can only be found when you look at the data. We can 'theorise' as much as we like, but if the data isn't available, we simply can't prove our conclusions are robust. We may not be able to come to any conclusions at all, let along come to the necessarily surprising conclusions of pioneering discovery. Many pharmaceutical discoveries came about by accident. It's simply a universal truth that to find the necessary healthcare signals, we have to look at patient records.
“This naturally leads us to several ethical and privacy dilemmas in collecting and processing that data. The very reason the Data Protection Act was created to address all those years ago."
These problems hit Google this week, with the surprising referral of its work at the Royal Free Hospital to the ICO, by the hospital's own medical director, Prof Stephen Powis, who argues Google's, alleged gathering of patient information through "implied consent" isn't permitted in this context.
Ethar, who also acts as the chief data protection officer for Axelisys, who are on the ICO’s register, considers there to be a case to hear.
"Implied consent allows an organisation to collect unprotected information, usually information that cannot identify individuals, through the act of using of a resource. For example, most people may now be familiar with cookie popups exclaiming that 'by using this web site, you consent to the gathering of information for the purposes of improving the browsing experience'. All the individual visitor information is typically pooled together to decide on website improvements, as a cohort.
“The problem is, visiting Accident and Emergency is not like visiting a website. You cannot collect sensitive information through implied consent and it is this the ICO will have to determine."
Google has fallen foul of EU data protection regulations before. In 2014 the European Court of Justice ruled on the now infamous "Right to be forgotten" case, ordering Google and other search engines provide users with was to remove irrelevant or out of date personal information from search results.
"The Royal Free case isn't necessarily that clear cut. Not every piece of data available is necessarily personally identifiable. For example, optimising cleaning rotas or the amount of chemicals used in each mopping exercise. Such data doesn't require the use of explicit consent, nor any consent at all, like stock-taking in companies, they never reference a customer's personal information.
“However, DeepMind is searching for a kind of overall, global optima. This means looking at data which bridges both contexts, unidentifiable information and patient records. What the ICO is being asked to consider are the edges where one starts and the other ends. Things get a bit fuzzy around these edges and create conditions that legislators haven't necessarily considered before. The case will set a precedent, so it is important. We at Axelisys will certainly be watching and with the new General Data Protection Regulations set to supersede the Data Protection Act in May 2018, the result potentially shapes part of the acquis once the UK leaves the EU and creates an important baseline we'll have to live with for a very long time."
Google appear to be happy at the referral stating they will be glad of the clarity. The ICO is due to report its findings very soon and a lot of UK and European companies will be watching this space.
Update: The ICO has rules on the 16th May 2017. They considered that the transfer of 1.6m patient records to Google DeepMind had an “inappropriate legal basis”.