UK watchdog “close” to verdict in DeepMind Health data consent probe

The UK’s data protection watchdog has said it’s “close” to concluding a 10-month+ investigation into consent complaints pertaining to a patient data-sharing agreement inked between Google-owned DeepMind and the Royal Free NHS Trust which operates three hospitals in London.

The ICO began its probe in May last year — after details emerged, via a FOI request made by New Scientist, of the large quantity and scope of patient identifiable data being shared with DeepMind by the Trust. The arrangement, inked in fall 2015, had been publicly announced in February 2016 but details of which and how much patient data was involved in the arrangement were not shared.

Contacted for an update on the investigation today, an ICO spokesperson told TechCrunch: “Our investigation into the sharing of patient information between the Royal Free NHS Trust and Deep Mind is close to conclusion.”

Under the DeepMind-Royal Free arrangement, the Google-owned AI company agreed to build an app wrapper for an NHS algorithm designed to alert to the risk of a person developing acute kidney injury.

Patient data for the Streams app was obtained without patient consent, with DeepMind and the Trust arguing it is unnecessary as the app is used for ‘direct patient care’ — a position that has been challenged by critics, and is being reviewed by regulators.

The ICO spokesperson added: “We continue to work with the National Data Guardian and have been in regular contact with the Royal Free and DeepMind who have provided information about the development of the Streams app. This has been subject to detailed review as part of our investigation. It’s the responsibility of businesses and organisations to comply with data protection law.”

The medical records of some 1.6 million individuals are thought to be passed to DeepMind under the arrangement, although the data sharing is dynamic so there’s no static figure. Data shared under the arrangement includes real-time inpatient data from the Trust’s three hospitals across multiple departments, as well as historical in-patient data going back five years.

As TechCrunch reported last August, the UK’s National Data Guardian (NDG) has also been reviewing how patient data was shared by the Trust. A spokeswoman confirmed today it is still liaising with the ICO in its investigation.

Legal experts continue to dispute Deepmind and the Royal Free’s interpretation of NHS information governance guidelines — including in a new academic paper, published today in the journal Health and Technology, entitled Google DeepMind and healthcare in an age of algorithms, which calls for more to be done to regulate data transfers from public bodies to private firms.

The study argues that “inexcusable” mistakes were made by the Royal Free and DeepMind, questioning the legal and ethical basis of Trust-wide data transfers, and criticizing the lack of transparency around the arrangement. The paper is authored by Dr Julia Powles, a research associate in law and computer science at the University of Cambridge, and Hal Hodson, a journalist with The Economist who obtained and published the original data-sharing agreement when working at New Scientist.

Neither DeepMind nor the Royal Free NHS Trust responded to our requests for comment on the study. But a spokesperson for the NDG told TechCrunch: “Our consideration of this matter has required a thorough approach in which the NDG and her panel have kept patients’ rightful expectations of both good care and confidentiality at the forefront of discussions.”

“The NDG has provided a view on this matter to assist the ICO’s investigation and looks forward to this being concluded as soon as practicable,” the spokesperson added.

The original data-sharing agreement between the Royal Free and DeepMind was superseded by a second deal signed in November 2016 — which continued the sharing of broadly similar data types but included a commitment by the pair to publish “key agreements”, and introduced what they described as “an unprecedented level of data security and audit” — in a bid to win trust in the wake of controversy over the arrangement.

The pair have always said patient data used for Streams is not being used by DeepMind to train AI models but a separate memorandum of understanding between them — dated January 2016 — sets out broader ambitions for their partnership to start applying artificial intelligence to Trust-held medical data to seek to accelerate and enhance clinical outcomes. (Which, as we have noted before, introduces another set of consent considerations for accessing sensitive and valuable publicly funded data.)

The scope of the partnership between DeepMind and the Royal Free has also expanded since the first data-sharing arrangement, with the pair detailing plans last fall for the company to also build a data-sharing access infrastructure for the Trust — which will position DeepMind to facilitate/broker app developers’ access to NHS patient data via an API in the future.

DeepMind has also said it intends to build a technical audit infrastructure to try to offer verifiable data access audits of how patient data is being used. Although, earlier this month, the company confirmed this infrastructure will not be in place in the near term — saying only that it hopes to have the “first pieces” of the centralized digital ledger implemented this year, emphasizing the difficulties and challenges involved in building it.

Meanwhile, the Streams app has been rolled out to Royal Free hospitals, and patient identifiable data continues to flow to the Google-owned company — which is also now being paid by the Royal Free for its services. Commercial terms of the arrangement between DeepMind and the Trust have never been disclosed. Attempts to obtain the charging and invoicing details of the arrangement via FOI have been declined on “commercial sensitivity” grounds.