Secondary Use of Personal Data ITECHLAW - Kemp IT La … · •v1.0 ‘Big Data and Data...
13
Secondary Use of Personal Data Recent UK Developments Richard Kemp, Kemp IT Law 20 th October 2017 Presentation to ITECHLAW 2017 European Conference, Stockholm
Transcript of Secondary Use of Personal Data ITECHLAW - Kemp IT La … · •v1.0 ‘Big Data and Data...
SecondaryUseofPersonalDataRecentUKDevelopments
RichardKemp,KempITLaw20th October2017
PresentationtoITECHLAW2017EuropeanConference,Stockholm
framingthesecondaryprocessingdebate
GDPRArt5(1)(b)• generally,researchandothersecondaryprocessingneedtheirownlawfulprocessingbasis• personaldatamustbecollectedfor[primary] specified,explicitandlegitimatepurposes• nottobefurther[secondarily]processedincompatiblywiththoseprimarypurposes;
• butMemberStatescanalterthatbysettingoutappropriatesafeguardsunderArt89(1)• furtherprocessingfor‘archivingpurposesinthepublicinterest,scientificorhistoricalresearchpurposesorstatisticalpurposes’‘subjecttoappropriatesafeguards’isOK;• datacontrollerscoulddoresearchwithoutfurtherconsentwhereMemberStateshadsetout‘appropriatesafeguards’
DeepMind/RoyalFree– aliveexamplefromtheUK
• Jan2014:GoogleacquiresLondon-basedAIdeveloperDeepMindTechnologies
• Sept2015:• RoyalFreeisdeveloping‘Streams’,akidneyinjurydetection,diagnosis&preventionapp• InformationSharingAgreement(ISA)signedforDeepMindtoprocesspersonaldataof1.6mRoyalFreepatientsforclinicalsafetytestingof‘Streams’• PDissentnotsubjecttopseudonymisationasRoyalFreesbelievethedataisbeingprocessedwith‘impliedpatientconsent’forthepurposeof‘directpatientcare’
DeepMind/RoyalFree– aliveexamplefromtheUK
• Nov2015:datastreamingstarts
• April2016:Sept2015ISAobtainedviaFOIrequestandpublished
• May2016:ICOopensinvestigation
• Feb2017:Streamsmobileappgoeslive
• July2017:ICOpublishesfindingsandtheundertakingsitisseekingfromRoyalFree
DeepMind/RoyalFree– ICO’s3July2017decision
• Principle1:fairandlawfulprocessingØ TheprocessingofpatientrecordsbyDeepMindsignificantlydiffersfromwhatdatasubjectsmightreasonablyhaveexpectedtohappentotheirdatawhenpresentingattheRoyalFreefortreatment.”
Ø Thesecondaryprocessingdidnotconstitute‘directpatientcare’
Ø Therewasnoimpliedconsent,andDeepMind’sprocessingwasinbreachofthedutyofconfidencethatRoyalFreeoweditspatients
• Principle3:adequate,relevantandnotexcessiveØ itwasnot“necessaryandproportionatetoprocess1.6mpatientrecordstotesttheapp’sclinicalsafety.”
DeepMind/RoyalFree– ICO’s3July2017decision
• Principle6: compliancewithdatasubjects’rightsØ “ifpatientsdidnotknowthattheirinformationwouldbeusedinthiswaytheycouldnottakestepstoobject”
• Principle7– appropriatetechnicalandorganisationalmeasuresØAgreement“didnotcontainenoughdetailtoensurethatonlytheminimalpossibledatawouldbeaccessibletoDeepMind.”
Ø “…processingofsuchalargevolumeofrecordscontainingsensitivehealthdatawasnotsubjecttoafullprivacyimpactassessmentaheadoftheproject”
“RoyalFreesharedthedataonthebasisof‘impliedconsentfordirectcare’.Icametotheviewthattheyhadnotusedanappropriatelegalbasisfordatasharing.Thislegalbasiscannotbeusedtodeveloportestnewtechnology,eveniftheintendedendresultistousethattechnologytoprovidecare.”
Wecanearnpublicsupportfortheuseofdataininnovation,by“adheringtoexplicitandtransparentprinciplesofgoodpractice”to“reassurepatientsandthosetreatingthemthatconfidentialityissafeguarded”.Thepublicrightlyexpectsnothingless.”
DeepMind- theUKNationalDataGuardian’sview
• wherethegovernmentisthemainpayer– liketheUKfortheNHS- whyshouldn’titbeallowedtouseaggregatedpatientdatatoimprovecareforothers?
• whowouldn’twanttoseeprimarycareproviderswithatooltoidentifypatientsatriskofkidneydamage?
• anyAItool(inanyindustry)implieshugeamountsofdatatotrainthemachinelearningmodel/algorithm
DeepMindcasepointsuppolicyaimsintension
• whatusecanthecareproviderasdatacontrollermakeofthedataunderGDPR?• ispatientconsentalwaysneeded?• whenisitnotneeded?• whenobtained,whatuseisconsentedto/permitted?
• who(includingcommercialentities)canuse/derivebenefitfromthatdata?• specialistcommercialentitiescandothisbetterthanthecareprovider• IntheUSA,AIprovidersareworkingwithcareproviderstobuildalgorithmsbasedonlargepatientrecordsdatasets
• howdowerebuildtrustinAI-basedhealthcareresearchintheUK?
DeepMindcasepointsuppolicyaimsintension
wayforward(1):RoyalFreeundertakingscompliance
RoyalFreehasagreedtogivefiveundertakingsrequestedbyICO:[1] within2months,tocarryoutaPIAwithin1monthofthePIAtoshowhow[2] the‘fair&lawfulprocessing’and[3] theSchedule3sensitiveinformationprocessingrequirementsaremet,and[4] itwillcomplywithitsdutyofconfidencetopatients[5] within3monthsoftheundertakingtocommissionacomplianceaudit
RoyalFreewebsite:“Wehavesigneduptodeliverallofandhavestartedworkingontheundertakings– includingdeliveringathirdprivacyimpactassessmentofourworkwithDeepMind,continuingtobeopenandtransparentabouthowweusepatientinformationandconductingathirdpartyauditofourcurrentprocessingarrangementswithDeepMind.”• watchthisspace
wayforward(2):ICOpaperof04.09.17
• v1.0‘BigDataandDataProtection’paperpublishedin2014• v2.0publishedApril2017• v2.2publishedon4September2017
sixkeyrecommendations:1.doesthebigdataanalyticsneedpersonaldatatobeprocessed?2.providemeaningfulicons,notificationsandprivacynotices3. embedaPIAframeworkintobigdataprocessingactivities4. implementaprivacybydesignapproach5.developethicalprinciplestoreinforcedataprotectionprinciples6.developauditablemachinelearningalgorithms
wayforward(3):Art89(1)&whatMemberStatescando
IntheUK,theWellcomeTrusthasdonesignificantworkinthisarea
• “MemberStatesshouldensuretheirlegalframeworkissufficienttoimplementArticle89andfacilitatescientificresearch”• “Passingspecificlegislationislikelytoprovidetheclearestandmostcertainframeworkforresearchers”• “WeencourageMemberStatestoworktogethertopromotecompatibilitybetweennationalapproacheswherepossibletofacilitatecross-borderresearch”
(WellcomeTrustDataProtectionRegulationSite)
