Google's DeepMind AI subsidiary had been given access to millions of patient records in the UK's medical system in a deal not so long ago, and a new academic study is calling that deal "flawed", saying that the agreement leaves too many opportunities open for DeepMind to mishandle patient data. The academic report, published by Julia Powles and Hal Hadison, goes as far as saying that DeepMind not only had the opportunity to mishandle patient data, but actually did so. DeepMind and NHS Royal Free, for their part, insist that the academic paper misrepresents their agreement, especially in how patient data is used and secured.
According to Powles and Hadison, data that goes into Google's servers is essentially no longer able to be tracked and controlled by not only patients, but the proper authorities within the UK. They go on to state that DeepMind's intentions within the health data space seem to be a good bit grander than they conveyed to the general public in statements and at the start of the deal. The paper also says that DeepMind has "considerable discretion" in how the data is used by virtue of their authority to construct the data tools that will handle and organize the data. They also state that the contractual agreement between DeepMind and NHS Royal Free does not meet the minimum standards for such relationships that has been set forth in applicable UK law. The report alleges that there are serious holes in the agreement in the areas of transparency and corporate responsibility in case of errors or misdeeds as well.
The agreement between DeepMind and NHS Royal Free essentially states that DeepMind can use patient data to construct data-based medical case management solutions, patient portals, and the like. One example of such is the Streams app, which DeepMind constructed from the patient data of roughly 1.6 million UK patients within the NHS Royal Free system. In the agreement, Royal Free is named as the data controller, while DeepMind is named as the data processor. This means that NHS Royal Free retains all rights pertaining to the data, makes decisions regarding its handling, and can pull the plug on any usage it deems out of line or potentially dangerous.