THE INFORMATION COMMISSIONER'S OFFICE (ICO) has confirmed that it will be casting its eye over the controversial data-sharing deal between Google Deepmind and the NHS.
Computer Weekly has the scoop, having received confirmation from the ICO that it has launched an investigation into the deal following at least one complaint from the general public.
A complaint seen by Computer Weekly, questions whether Google DeepMind will be "expected to encrypt the patient data it receives when at rest."
"Whilst the information-sharing agreement insists that personally identifiable information – such as name, address, post code, NHS number, date of birth, telephone number, and email addresses, etc – must be encrypted whilst in transit to Google, it does not explicitly prohibit that data being unencrypted at the non-NHS location,” the complaint reads.
News of the data sharing agreement was first revealed back in April.
First uncovered by New Scientist, the between the human-crushing AI company and the Royal Free Hospital Trust - which oversees Barnet, Chase Farm and the Royal Free hospitals - means that the DeepMind holds data on NHS patients who are HIV-positive, for example, as well as those who have had abortions or drug overdoses.
Back in February, DeepMind said it would be working with the NHS to build an app called Streams. The purpose of the app was to help hospital staff monitor patients with kidney disease, but the agreement suggests that other information will also be slurped up by DeepMind.
Despite the document stating that Google cannot use the data in any other part of its business, privacy campaigners will be wary of the access that online information giant Google potentially has to this data, which includes logs of hospital activity and results of various pathology and radiology tests.
The data will be stored at an "ISO28001 accredited location" with a third-party contractor, the agreement states, and will not be stored or processed at DeepMind offices, except for ordinary remote development and administration. After the project ends on 29 September, data held will have to be transferred back to the hospital, with any residual data destroyed.
The agreement states that data processed for purposes other than for the direct care of the patient "must be pseudonymised".
DeepMind's access to the NHS's centralised record of all hospital treatments in the UK, dubbed the Secondary User Service (SUS) database, means that it has access to historical data from the last five years. DeepMind says that its intention is to give doctors support in making clinical decisions with the help of a broad range of data, as opposed to automating clinical decisions. It will do this using a new ‘analytics as a service' platform that it's developing called Patient Rescue.
It is unknown what opt-out mechanisms are available to patients. The government has a chequered past when it comes to opt-outs, only this month did the Health and Social Care Information Centre (HSCIC) agree to implement opt-outs of its controversial care.data programme, two years after some patients had already opted out. The fact that the Information Commissioner already stated that some of these patients who had opted out, may have still had their data shared, shows that the NHS may well do the same in this instance, and could continue to tie-up agreements with vendors before patients have the chance to opt-out.
The Royal Free Hospital will remain the official data controller in this instance, and DeepMind has stated that staff who handle the data will have undergone information governance training and have signed a confidentiality agreement as part of their employment contract. Meanwhile, any personal identifiable data related to the project that is held on electronic media "will be overwritten so that it is not recoverable". And any personal identifiable data related to the project held on paper or disposal media "will be shredded".
Google claims that it has no commercial plans for DeepMind's work with the Royal Free NHS Trust. µ
This weeks in-brief Google News
To replace them with younger models
Security firm warns that IoT devices are the next target
But don't go expecting any new MacBooks