An independent review of Google-owned DeepMind Health has found that as privacy concerns are heightened, the company must assure the public that their data is safe.
The review, conducted by an independent panel set up to scrutinise the company, said DeepMind must provide more transparency to gain public trust.
The company has previously come under fire for its NHS data-sharing deal, and the review said it still had room for improvement.
One of the key issues continues to be around data, particularly in the current climate, where “the tide of public opinion has turned strongly against the tech giants”, the review said.
It added that, in the light of the Facebook and Cambridge Analytica scandal, it is “hardly surprising that the public should question the motivations of a company so closely linked to Google as DeepMind Health”.
“Furthermore, DeepMind Health works with medical information, something that is regarded as deeply personal and therefore attracts greater scrutiny,” the review said.
It pointed out that the public needs reassurance about the company’s business model, and that if it involves selling data, “either in a de-personalised form or in a raw form”, there would be “considerable sensitivity”.
“There would also be very significant concerns if any of the data were used to tune advertising,” it said.
The review panel added that as far as it is aware, none of these options are “envisaged or considered as desirable revenue sources” by DeepMind Health.
“Alternatively, it is possible that DeepMind Health is not intended to make money,” the review said. “It could be thought of as a not-for-profit, whose purpose is building the brand for DeepMind or Alphabet, or driving the use of other Google services, for instance cloud storage, rather than making money. It could even be envisaged as a charitably-minded venture driven by an altruistic desire to improve health.”
The review added that DeepMind should clearly state its intentions to the public, to avoid the public assuming that its work is purely driven by profit.
Read more about DeepMind and the NHS
- Data protection watchdog the Information Commissioner’s Office investigates the NHS data-sharing deal with Google DeepMind, after a complaint from the public.
- National data guardian for health and care says the NHS data-sharing deal with Google DeepMind, which relied on implied consent from patients, was made on an inappropriate legal basis.
- Information Commissioner’s Office finds that the controversial NHS data-sharing deal with Google DeepMind did not fully comply with the Data Protection Act.
DeepMind was bought in 2014 by Google, which in turn is owned by Alphabet, and the review said its relationship with its parent company also needs clarity.
DeepMind says on its website that data will never be connected to Google accounts or services, but the review panel said that is not clear enough.
It said that this statement “might be taken to mean that, for example, DeepMind Health would only use non-Google cloud services”, adding that one of its projects with Cancer Research UK states that it will indeed use a Google cloud service.
The review added that without a transparent business model, people are likely to suspect a hidden agenda, and that DeepMind also needs to specify how it intends to work with other parts of Alphabet and what data “could ever be transferred to them”.
Responding to the independent review, DeepMind said it is currently developing its longer-term business model and will share its ideas once they have progressed further.
“Rather than charging for the early stages of our work, our first priority has been to prove that our technologies can help improve patient care and reduce costs,” said DeepMind. “We believe that our business model should flow from the positive impact we create, and will continue to explore outcomes-based elements so that costs are at least in part related to the benefits we deliver.”
The main reason that DeepMind Health has been criticised so heavily is its data-sharing deal with the Royal Free Hospital NHS Foundation, through which the company has access to the identifiable healthcare records of 1.6 million patients in order to test its Streams application.
The Streams app aims to help clinicians identify people at risk of acute kidney injury by sending alerts to doctors and nurses, helping them to prioritise those who need immediate intervention. During 2018, Streams will also be deployed in a number of other NHS trusts, including Imperial College Health NHS Trust, Yeovil District Hospital NHS Foundation Trust and Taunton and Somerset NHS Foundation Trust.
However, the initial project drew criticism, and in May 2016, the Information Commissioner’s Office (ICO) launched an investigation into the deal after receiving complaints from the public.
In July 2017, the ICO ruled that the deal did not fully comply with the Data Protection Act (DPA), and said it found “a number of shortcomings in the processing of patient records” that amounted to “non-compliance” with several DPA principles.
Data-sharing deal lawful
The ICO told the Royal Free that it was allowed to continue using the app and noted that it had agreed to make the necessary changes, including establishing a proper legal basis for the project and any future trials, as well as setting out how it will comply with its “duty of confidence to patients” in the future.
The Royal Free commissioned a legal audit by law firm Linklaters, published in June 2018, which, in contrast to the ICO, found the hospital’s use of Streams to be completely lawful, complying with data protection laws.
“We have concluded that the use of confidential patient information for testing is lawful, provided that it is genuinely necessary for that purpose,” the auditor said.
It added that the Royal Free has “not breached its duty of confidence to patients through the operation of Streams”, and would not do so in the future as long as the use of confidential information is necessary to test the application, that the amount of information used is kept to a minimum, and that there are the right controls in place.
Commenting on the audit, ICO deputy commissioner Steve Wood said the ICO could not “endorse a report from a third-party audit”, but it had provided feedback to the hospital.
“We also reserve our position in relation to their position on medical confidentiality and the equitable duty of confidence,” said Wood. “We are seeking legal advice on this issue and may require further action.”
The Royal Free’s chief medical officer, Chris Streather, said the trust “welcomes the outcome of the audit, which confirms that our use of Streams complies with data protection laws, and would like to thank the Information Commissioner’s Office for their assistance throughout this process”.