New Scientist has obtained a authorized settlement between Google’s well being division and the UK Nationwide Well being Service (NHS) that features provision to move 5 years’ value of affected person information in bulk as a part of a contract novation course of.
Should you’re feeling a way of deja vu that’s fairly proper: Back in 2016 it emerged — additionally through New Scientist Freedom of Data request — that Alphabet-owned DeepMind, acquired by Google in 2014, had obtained a bulk affected person information injection from a London NHS Belief.
The revelation that huge numbers of NHS sufferers data (round 1.6 million in that case) had quietly been handed to a Google -owned firm led to a prolonged regulatory investigation and, lastly in 2017, a discovering that the Royal Free NHS Belief had breached UK regulation when it handed affected person information to DeepMind for the event of an alerts app known as Streams.
However regardless of the discovering of no authorized foundation for information to be shared through the app’s improvement, DeepMind continued inking agreements with NHS Trusts.
It additionally went on an aggressive PR offensive — holding conferences with sufferers, publishing its contracts with NHS Trusts (albeit with redactions), and establishing an impartial oversight board to scrutinize its well being division.
These DeepMind-appointed reviewers went on to warn in regards to the danger of the corporate being able to exert excessive monopoly power because of data-access infrastructure it was bundling with the Streams app.
After which last year a bombshell announcement: DeepMind’s well being unit could be folded into Google — as a part of a enterprise reorganization instructed by their shared father or mother, Alphabet. The controversial takeover was accomplished last month. So for DeepMind then learn Google now.
The transfer made DeepMind’s years of protestations through the information governance scandal — when it had claimed repeatedly that affected person information would by no means be shared with Google — completely nugatory. UK residents’ medical data are actually headed instantly for Google’s servers.
Three years on and it’s as if nothing a lot has modified besides the order of names. No matter a regulatory slap-down and pointed guidance from the UK’s Nationwide Knowledge Guardian on using affected person information for app improvement.
Taunton and Somerset NHS Basis Belief — one of many trusts that signed a five-year contract with DeepMind for Streams — has inked a new contract with Google which incorporates the identical provision for “lively” affected person information to be handed in bulk.
This can be a curious backwards twist given the Belief is what’s often called a ‘international digital exemplar’ (GDE), which means it’s obtained further authorities funding to fund digital finest observe in areas reminiscent of data sharing to be able to create a mannequin for digital transformation that different trusts can comply with. Which incorporates, in its case, creating open APIs utilizing a world customary for information interoperability between healthcare methods often called a FHIR (aka: Quick Healthcare Interoperability Assets).
DeepMind, in the meantime, bundled the licensing of an FHIR API into its Streams contracts with Trusts — which means it might personal the underlying supply structure for data-dependent digital providers in addition to the Streams app itself. And the brand new contract Taunton has inked with Google covers the identical floor, with clauses pertaining to the design and improvement of the FHIR API for Streams.
It additionally contains an unredacted part specifying that this FHIR API, now supplied by Google Well being UK, will act because the gateway through which third celebration app makers (initially on iOS) can achieve entry to “related Belief information”.
However with business sections of the contract redacted it’s not clear whether or not Google will cost builders for API entry. After we asked DeepMind’s founder about that point again in 2016 Mustafa Suleyman instructed us he “didn’t know”. (Google didn’t reply to a query now about Streams business phrases.)
Its novated contract with Taunton contains provision for sending 5 years’ value of historic encounter and diagnostic data on sufferers, in addition to the digital affected person report database in bulk.
We requested the Belief why the contract contains provision to move affected person information in bulk now it has its personal FHIR APIs available. A spokesman instructed us it’s as a result of “again in 2016 after we signed the contract we weren’t a GDE so didn’t have entry to FHIR” — including that “we’d have wanted to cancel the contract and renegotiate, whereas now we have novated it like for like”.
But one NHS Belief, Yeovil, selected to not novate its contract from DeepMind to Google — having by no means having rolled out the Streams app. So, in Taunton’s case, it’s not completely clear why it went forward and novated.
Its spokesman confirmed to us it hasn’t rolled out Streams both. Nor does it have any plan to take action right now, he stated.
However a Google spokeswomen instructed us the Belief has an settlement with Google Well being to discover what she couched as future collaborations on methods which cellular instruments might assist its digital priorities.
Taunton’s spokesman urged that if the Belief have been to maneuver ahead with Google on creating digital healthcare apps that made use of the majority affected person information provisions within the novated contract it might search to seek the advice of with sufferers beforehand. However the contract phrases do already present for entry to affected person information.
The spokesman urged the Belief is viewing sustaining a contractual relationship with Google-DeepMind as an “alternative”. Although it’s not clear whether or not it dangers being contractually certain to Google as sole FHIR API supplier for any third celebration digital healthcare apps. Or whether or not it might use its personal FHIR infrastructure to confide in outdoors innovation regardless of having inked this settlement with Google. (We’ve requested the Belief for technical and authorized clarification of that.)
Taunton additionally despatched us this assertion, attributed to David Shannon, its director of strategic improvement:
No affected person information is at present shared between Taunton and Somerset NHS Basis Belief and Deepmind or Google Well being, nor are we utilizing any Google Well being functions. If we have been to work with DeepMind or Google Well being on any digital improvements to assist affected person care sooner or later, the work could be led by clinicians and we might interact overtly and transparently with our sufferers. After we signed the contract with DeepMind in 2016 we didn’t have FHIR infrastructure however we are actually a International Digital Exemplar and would use essentially the most applicable, safe know-how accessible to us.
We contacted the UK’s information safety watchdog, the ICO, for a response to affirmation that the novated contract gives for bulk information to be handed to Google — and a spokesperson pointed us to a press release it issued earlier this month, when it stated: “Though the ICO can’t approve the steps taken to mitigate any further dangers to non-public information because of contractual modifications, now we have been usually up to date on these modifications and have made the organisations conscious of their obligations beneath information safety regulation.”
In July the regulator additionally posted an update on its Royal Free Streams app investigation, writing then:
… forward of the switch of Streams from DeepMind to the brand new Google Well being Unit, the ICO has made it clear to controllers utilizing the Streams service that they might want to have the suitable authorized documentation in place to make sure their processing is consistent with the necessities of the GDPR [General Data Protection Regulation]. Organisations should guarantee themselves and doc how they’ve taken applicable steps to mitigate information safety dangers past contractual obligations and the duty on Google Well being beneath information safety regulation, reminiscent of audits, reviews and different applicable measures.
As we’ve stated, Google’s contract with Taunton is redacted to take away all particulars about business phrases so it’s not clear what phrases are being connected to potential future work on Streams/an FHIR API for third events. Though DeepMind had been providing the Streams bundle free to Trusts for the primary 5 years, with funds solely kicking in if its service assist prices exceeded £15,000 a month. So presumably the phrases stay the identical all through the unique contract time period.
Taunton’s bulk information provisions within the new contract with Google outline “lively” sufferers — which is the one kind of sufferers whose information could be handed, per its acknowledged phrases — as “(1) Sufferers with open elective pathways; (2) Sufferers with emergency admission pathways with unscheduled pending exercise; (3) Sufferers with emergency admissions inside 6 months previous to the purpose of switch (i.e.) earlier than Streams go-live;”.
Sam Smith, coordinator at well being information privateness advocacy group MedConfidential, argues it is a contradictory definition for a one-off add. Or else will entail an enormous quantity of labor for the hospital which he says additionally received’t assist for sufferers who don’t meet the ‘lively sufferers’ definition the day earlier than the export however will the day after.
“These offers present simply how little has modified for one of the crucial controversial NHS information tasks of the final half decade,” he stated in a press release. “Regardless of the cope with the Royal Free being dominated illegal, Trusts have now signed contracts at hand Google 5 years of sufferers’ information from over a dozen hospitals — and received’t even say how a lot they’re being paid.
“If that is the kind of deal that [UK prime minister] Boris Johnson goes to encourage, then it’ll be catastrophic for public belief. Sufferers should know what is occurring to their information, and be capable to see precisely what kind of offers are being accomplished to get it.”
Not like DeepMind, which was on the defensive again foot all through 2016-17 following the Royal Free information governance scandal, Google Well being has not dedicated to publish its contracts with NHS trusts.
Thus far its different contracts with NHS Trusts haven’t been launched into the general public area. Although, presumably, if they’ve all been novated in the identical approach they’ll include equivalent phrases as have been agreed with DeepMind.
Google has additionally disbanded the impartial oversight board that DeepMind had established, claiming it’s not the fitting construction to supervise Google Well being’s international focus. So there’s been a marked discount within the stage of transparency round what’s being accomplished with affected person information as contracts have moved over to the tech large. Which hardly appears to be like good from a affected person belief perspective.
One factor is obvious: Google’s ambitions for its now enlarged well being division embody searching for to use synthetic intelligence to well being information for predictive and diagnostic functions. This was additionally the intent of AI specialist DeepMind, which had early plans to reuse the Royal Free affected person information for coaching AIs, although it claimed to have stepped again from doing so — as soon as it realized further regulatory clearances could be required.
This July, simply previous to handing off its well being division to Google, DeepMind and Google scientists printed a analysis paper during which they detailed a deep studying mannequin for constantly predicting the longer term chance of a affected person creating a life-threatening situation known as acute kidney harm (AKI). The identical situation the Streams app at present makes use of an NHS algorithm to generate alerts for.
DeepMind claimed the AI AKI mannequin helps quicker intervention, describing it as its “greatest healthcare analysis breakthrough thus far”. Nonetheless the mannequin was skilled utilizing U.S. affected person information from the Division of Veteran Affairs that skews overwhelmingly male: 93.6%. So there are main caveats about how the AI mannequin might be safely utilized to different much less skewed, extra various populations.
Google’s contract with Taunton states that affected person information (ought to the corporate truly get any) can solely be used for direct affected person care functions — so not for creating any software program.
Nor, we should presume, for creating any AI fashions. Extra regulatory approvals could be required for such an experimental function which clearly wouldn’t fall beneath a ‘direct affected person care’ umbrella.
On the identical time the contract sketches the clearest image but of what Google has in thoughts with Streams: An app that’s already advanced in scope from a cellular wrapper for NHS algorithmic alerts to a broader activity administration and alerts app served through a Google-owned streaming FHIR API.
In a bit of contract definitions, the “Streams: Job Administration” software program is outlined as “a scientific activity administration and textual content based mostly messaging platform supplied within the type of a cellular software program software”; whereas the “Streams: Cell platform” is outlined as a Class I non-measuring medical gadget supplied within the type of a cellular app that may at present assess the real-time detection of AKI — and “which is extensible usually to (i) affected person security alerts, and (ii) actual time detection and resolution assist to assist remedy and avert scientific deterioration throughout a variety of diagnoses and organ methods, together with any new releases and/or new variations (together with, with out limitation, releases to incorporate the event of performance for very important indicators entry and viewing and different features as set out within the Roadmap) supplied as a part of the Assist Companies”.
Inside these broad parameters there may be clearly scope for Streams to develop into the wrapper for delivering AI-powered alerts and resolution assist to clinicians on the hospital bedside.
Although — within the UK not less than — there’s a query mark over how Google might push AI down its FHIR pipe except it could achieve advance entry to the mandatory population-level information to be able to practice related AI fashions.
In spite of everything, it’s the NHS, not Google, which holds that delicate private data in belief for sufferers.
And as Sir John Bell said , after penning the UK authorities’s assessment of the life sciences sector a few years in the past: “What Google’s doing in [other sectors], we’ve acquired an equal distinctive place within the well being house. A lot of the worth is the info. The worst factor we might do is give it away without spending a dime.”