The Office of the Australian Information Commissioner has closed our preliminary inquiries with diagnostic imaging network I-MED Radiology Network Limited (I-MED), Harrison.ai and Annalise.ai.
Our inquiries followed media reports in September 2024 relating to I-MED’s disclosure of medical imaging scans to Annalise.ai, a former joint venture between I-MED and Harrison.ai, a healthcare artificial intelligence company.
Between 2020 and 2022, I-MED provided Annalise.ai with patient data for the purpose of developing and training an artificial intelligence model to enhance diagnostic imaging support services.
The OAIC made inquiries with I-MED, Annalise.ai, and Harrison.ai for the purpose of determining if the Privacy Commissioner should open an investigation under the Act. This included considering whether the allegations suggested a contravention of the Australian Privacy Principles (APPs).
The inquiries focussed on the form and content of the patient data that I-MED provided to Annalise.ai, the process of the data flow, and the steps taken to de-identify the data. Personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.
Prior to sharing the patient data with Annalise.ai, I-MED processed the data using a number of techniques. It also imposed contractual obligations on Annalise.ai, and developed a Data De-identification Policy and Approach to guide the sharing of patient data.
Based on the information obtained through the preliminary inquiries, the Commissioner was satisfied that the patient data shared with Annalise.ai had been de-identified sufficiently that it was no longer personal information for the purposes of the Privacy Act. The Commissioner therefore ceased the inquiries, and will not be pursuing regulatory action at this time.
While a number of uses of AI are low-risk, developing an AI model is a high privacy risk activity when it relies on large quantities of personal information. This is a source of significant community concern.
The OAIC’s Report into preliminary inquiries of I-MED provides more information on the OAIC’s inquiries and their conclusion. The report is published in the public interest, to inform the community of their outcome, and provides a beneficial example of good privacy practices and how the use of de-identified data may still allow an entity covered by the Privacy Act 1988 (APP entity) to effectively carry out its functions and activities, including with the adoption of new and innovative data-driven technologies.
For more information on the use of AI, see the OAIC’s Guidance on developing and training generative AI models and Guidance on privacy and the use of commercially available AI products
Note: The OAIC did not open an investigation into I-MED or compel the production of documents. We have undertaken preliminary enquiries to ascertain whether there may be an interference with the privacy an individual or a breach of APP 1 warranting an investigation. While on this occasion we have concluded that there is not, this case study should not be taken as an endorsement of I-MED’s acts or practices or an assurance of their broader compliance with the APPs.
