Secondary Use of Personal Data: Recent UK Developments
Richard Kemp, Kemp IT Law, 20th October 2017
Presentation to ITECHLAW 2017 European Conference, Stockholm


framing the secondary processing debate

GDPR Art 5(1)(b)
• generally, research and other secondary processing need their own lawful processing basis
• personal data must be collected for [primary] specified, explicit and legitimate purposes
• not to be further [secondarily] processed incompatibly with those primary purposes;

• but Member States can alter that by setting out appropriate safeguards under Art 89(1)
• further processing for ‘archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’ ‘subject to appropriate safeguards’ is OK;
• data controllers could do research without further consent where Member States had set out ‘appropriate safeguards’

DeepMind/Royal Free – a live example from the UK

• Jan 2014: Google acquires London-based AI developer DeepMind Technologies

• Sept 2015:
  – Royal Free is developing ‘Streams’, a kidney injury detection, diagnosis & prevention app
  – Information Sharing Agreement (ISA) signed for DeepMind to process personal data of 1.6m Royal Free patients for clinical safety testing of ‘Streams’
  – PD is sent not subject to pseudonymisation, as Royal Free believes the data is being processed with ‘implied patient consent’ for the purpose of ‘direct patient care’

DeepMind/Royal Free – a live example from the UK

• Nov 2015: data streaming starts

• April 2016: Sept 2015 ISA obtained via FOI request and published

• May 2016: ICO opens investigation

• Feb 2017: Streams mobile app goes live

• July 2017: ICO publishes findings and the undertakings it is seeking from Royal Free

DeepMind/Royal Free – ICO’s 3 July 2017 decision

• Principle 1: fair and lawful processing
  – “The processing of patient records by DeepMind significantly differs from what data subjects might reasonably have expected to happen to their data when presenting at the Royal Free for treatment.”

  – The secondary processing did not constitute ‘direct patient care’

  – There was no implied consent, and DeepMind’s processing was in breach of the duty of confidence that Royal Free owed its patients

• Principle 3: adequate, relevant and not excessive
  – it was not “necessary and proportionate to process 1.6m patient records to test the app’s clinical safety.”

DeepMind/Royal Free – ICO’s 3 July 2017 decision

• Principle 6: compliance with data subjects’ rights
  – “if patients did not know that their information would be used in this way they could not take steps to object”

• Principle 7: appropriate technical and organisational measures
  – Agreement “did not contain enough detail to ensure that only the minimal possible data would be accessible to DeepMind.”

  – “… processing of such a large volume of records containing sensitive health data was not subject to a full privacy impact assessment ahead of the project”

“Royal Free shared the data on the basis of ‘implied consent for direct care’. I came to the view that they had not used an appropriate legal basis for data sharing. This legal basis cannot be used to develop or test new technology, even if the intended end result is to use that technology to provide care.”

“We can earn public support for the use of data in innovation, by ‘adhering to explicit and transparent principles of good practice’ to ‘reassure patients and those treating them that confidentiality is safeguarded’. The public rightly expects nothing less.”

DeepMind – the UK National Data Guardian’s view

• where the government is the main payer – like the UK for the NHS – why shouldn’t it be allowed to use aggregated patient data to improve care for others?

• who wouldn’t want to see primary care providers with a tool to identify patients at risk of kidney damage?

• any AI tool (in any industry) implies huge amounts of data to train the machine learning model/algorithm

DeepMind case points up policy aims in tension

• what use can the care provider as data controller make of the data under GDPR?
  – is patient consent always needed?
  – when is it not needed?
  – when obtained, what use is consented to/permitted?

• who (including commercial entities) can use/derive benefit from that data?
  – specialist commercial entities can do this better than the care provider
  – in the USA, AI providers are working with care providers to build algorithms based on large patient records datasets

• how do we rebuild trust in AI-based healthcare research in the UK?


way forward (1): Royal Free undertakings compliance

Royal Free has agreed to give five undertakings requested by ICO:
[1] within 2 months, to carry out a PIA;
within 1 month of the PIA, to show how
[2] the ‘fair & lawful processing’ and
[3] the Schedule 3 sensitive information processing requirements are met, and
[4] it will comply with its duty of confidence to patients;
[5] within 3 months of the undertaking, to commission a compliance audit.

Royal Free website: “We have signed up to deliver all of and have started working on the undertakings – including delivering a third privacy impact assessment of our work with DeepMind, continuing to be open and transparent about how we use patient information and conducting a third party audit of our current processing arrangements with DeepMind.”
• watch this space

way forward (2): ICO paper of 04.09.17

• v1.0 ‘Big Data and Data Protection’ paper published in 2014
• v2.0 published April 2017
• v2.2 published on 4 September 2017

six key recommendations:
1. does the big data analytics need personal data to be processed?
2. provide meaningful icons, notifications and privacy notices
3. embed a PIA framework into big data processing activities
4. implement a privacy by design approach
5. develop ethical principles to reinforce data protection principles
6. develop auditable machine learning algorithms

way forward (3): Art 89(1) & what Member States can do

In the UK, the Wellcome Trust has done significant work in this area

• “Member States should ensure their legal framework is sufficient to implement Article 89 and facilitate scientific research”
• “Passing specific legislation is likely to provide the clearest and most certain framework for researchers”
• “We encourage Member States to work together to promote compatibility between national approaches where possible to facilitate cross-border research”

(Wellcome Trust Data Protection Regulation site)

Richard Kemp

[email protected] +44 20 3011 1670

thank you