The precautionary principle hampers development
Artificial intelligence has significant potential to improve the health sector through increased efficiency in administrative health systems, medical research, clinical decision support and public health activities (2, p. 14). With its 22 partners and approximately 100 researchers, the BigMed project was launched as a national lighthouse project, developing and testing methodology and tools for using artificial intelligence in three clinical areas. Since data-driven decision support requires a significant body of data, we applied for access to pseudo-anonymised data from a large number of patients. The application process turned into a game of snakes-and-ladders, going one step forward then two steps back. In fact, this was a multi-purpose project spanning health research, methodology development, quality assurance and efficiency improvements – or all these at once. Since the Norwegian laws that govern health data are fragmented and have different statutory purposes, our project spanned more than one law.
We were bounced around like a ping pong ball between various authorities with different interpretations of the regulations – between the Norwegian Data Protection Authority, the Regional Committees for Medical and Health Research Ethics (REC), the National Committee for Medical and Health Research Ethics (NEM), Oslo University Hospital's own legal department, the hospital's data protection officer and the hospital's IT security officer as well as the hospital IT provider Sykehuspartner for risk analyses.
We were bounced around like a ping pong ball between various authorities with different interpretations of the regulations
The principle of data minimisation in the General Data Protection Regulation (GDPR) – limiting the amount of personal data collected – makes the use of machine learning and artificial intelligence challenging. Large datasets are needed, but their utility may not be clear at the outset of the research, as the rationale for using artificial intelligence is often to find trends in the data that we are unable to identify with our own eyes. For BigMed, this resulted in us minimising the data to two small datasets just to get started. As a result of this minimisation, we had to exclude most of the clinically useful data in these projects. After three years had passed, there was no time left for the planned research.
The BigMed experience shows that there is considerable confusion about the interpretation of the legislation, particularly when it comes to the GDPR. The precautionary principle in the case of data protection together with a lack of overall understanding of the legislation governing health data makes for unduly complex and bureaucratic processes. It would be interesting to calculate what this costs us in terms of both delays and resource use, not to mention the lost innovation potential from activities that never get off the ground.