The conundrum of health data in a world of AI-enhanced diagnosis

An article about the conundrum of health data in a world of AI-enhanced diagnosis in the iToBoS project.

The iToBoS project has been tasked by the European Commission (Grant Agreement ID: 965221) to research and develop novel image-based, AI-enabled tools to aid clinical decision making. iToBoS will develop technologies to support dermoscopic imaging, clinical risk assessment and early diagnosis of skin melanoma (skin cancer). The two pillars of research comprise 1) the development of specialised hardware: a total body scanner that incorporates state-of-the-art body imaging cameras and 2) a machine learning algorithm that uses all the available patient data (i.e., phenotype, medical history, imaging, and relevant genotypes). When used together, the tool will help clinicians better stratify individuals at risk of melanoma, identify suspicious lesions more quickly, and improve patient outcomes.

The goal of the project is to increase the efficiency of the diagnosis process, ultimately creating more accurate detection and diagnosis capabilities across Europe, supporting treatment for one of the most aggressive and prevalent forms of cancer, skin cancer. The consortium is led by the University of Girona[1] and comprises partners from across Europe and Australia, including universities, clinical sites (hospitals), multinational corporations, and domain-specific SMEs.

Data protection principles for data-led healthcare provision

Improving the early detection and diagnosis of skin cancer is a crucially important social goal. Using technology to increase diagnostic accuracy, reduce detection times, and increase the overall quality of health service provision is a noble goal – one that both the consortium and the European Commission are distinctly focused on achieving.

The iToBoS consortium is developing AI-based algorithms to assist doctors in providing dermatological (skin), oncology (cancer), and pathology (disease) guided health care. The algorithms examine specific data points to provide insights into an individual's overall health profile, with a focus on relevant data such as dermoscopy, physical and demographic attributes (phenotype data), genetic traits (genotype data), health data (e.g., levels of sun exposure), and familial health data (e.g., hereditary instances of cancer). The collection of data points enables the creation of algorithms that can efficiently (and reliably) give clinicians information about 1) the size, type categorization, and progression of recognized skin lesions over time, and 2) the risk profile for a person.

In the medical fields of dermatology, oncology, and pathology, an AI-based decision support tool, developed through the integration of various types of patient data, can provide immense benefit. Most importantly, the tool must remain lawful and respectful of European rights and freedoms. In the context of iToBoS, the basis of lawfulness for the data-driven processes resides primarily within one existing legislative framework – the General Data Protection Regulation (GDPR) – as well as three emerging frameworks – the Artificial Intelligence Act,[2] the Data Act,[3] and the Data Governance Act.[4]

With a disease such as cancer, effective, timely, and accurate treatment saves lives. However, achieving the goal of better health provision should not come at any cost – especially when core European values and rights, such as privacy and data protection (fundamental rights in the EU), are at risk. Rights such as privacy and data protection are foregrounded in the search for effective decision support tools that rely on the aggregation of various types of health data for accurate image analysis and classification, risk assessment, and risk prediction. Finding a fair balance regarding principles such as necessity and proportionality, as well as maintaining compliance while respecting requirements for data minimisation, requires thought and consideration by the iToBoS consortium.  

Necessity is a principle in both the GDPR and EU fundamental rights law. In simple terms, in a data protection context, it provides data controllers with the ability to restrict the right to privacy and data protection of individuals (data subjects) if the processing task is necessary for achieving a specified and legitimate purpose. Within iToBoS, the processing of genetic data, for example, is necessary for the development of an accurate risk assessment and prediction model. The necessity principle forms part of the assessment to determine the legal basis for data processing, specifically within the “legitimate interests” basis for processing (GDPR, Article 6). Moreover, necessity is an important consideration when conducting a Data Protection Impact Assessment (DPIA) (GDPR, Article 35). A DPIA is a legal requirement for controllers where data processing is likely to result in a high risk to the rights and freedoms of data subjects, particularly when using new technologies (such as total body scanners and AI). A DPIA requires the controller to conduct an assessment of necessity once the total body scanner has been approved for clinical use.

Proportionality is closely related to necessity. It requires data controllers to assess the balance between the type of processing being conducted and the purpose of the processing. For example, in iToBoS, the legitimate purpose for processing genetic data (as described above) is to make a more accurate assessment of an individual's risk of developing skin melanoma. The processing may be deemed proportionate to the purpose, as timely, accurate, and informed cancer risk assessment may allow clinicians to recommend preventative measures or put into place programmes of care that ultimately benefit the patient. In this instance, however, it would not be proportionate to analyse every patient’s full genetic sequence, as it is relatively well known and understood that only a limited number of genetic mutations increase the risk of developing a skin cancer.[5],[6]

Further to the principles described above, there is a legal requirement for controllers to respect the principle of data minimisation (GDPR, Article 5). This stipulates that only data that is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”[7] may be processed. In the context of iToBoS, this would mean that images taken by the total body scanner can be legitimately processed for the purposes of skin melanoma detection, but details about a patient’s financial history (for example) may not – as it has little impact on the matter at hand (skin lesion classification).








[7] Article 5(1)(c), General Data Protection Regulation.