The Office of the Australian Information Commissioner (OAIC) has concluded its preliminary inquiries concerning I-MED Radiology Network Limited (I-MED), Harrison.ai, and Annalise.ai. The inquiries were initiated following media reports in September 2024 regarding I-MED’s sharing of medical imaging scans with Annalise.ai, previously a joint venture between I-MED and the healthcare AI company Harrison.ai.
Between 2020 and 2022, I-MED provided Annalise.ai with patient data to develop and train an artificial intelligence model aimed at improving diagnostic imaging support services. The OAIC conducted a detailed inquiry involving all three entities to determine if an investigation under the Privacy Act was warranted, particularly regarding any potential breaches of the Australian Privacy Principles (APPs).
Key areas of focus included the nature and extent of the patient data shared, the data flow process, and the mechanisms employed to de-identify the data. Notably, personal information is considered de-identified when it cannot be related to an identifiable individual or someone who can be reasonably identified.
Before sharing the data, I-MED implemented various de-identification techniques and established contractual obligations for Annalise.ai. Additionally, a Data De-identification Policy and Approach was developed to direct the sharing of patient data.
After reviewing the information gathered, the Commissioner concluded that the patient data shared with Annalise.ai had been adequately de-identified to the extent that it no longer qualified as personal information under the Privacy Act. As a result, the OAIC has ceased its inquiries and will not pursue regulatory action at this time.
While some uses of AI are considered low-risk, the development of AI models poses a higher risk to privacy, particularly when large amounts of personal information are involved. This represents a significant concern among the community.
The OAIC’s report on the preliminary inquiries is available for public examination and aims to inform the community of the conclusions reached. It also serves as an example of effective privacy practices and illustrates how de-identifying data can enable organisations under the Privacy Act 1988 to carry out their functions, even when integrating innovative, data-driven technologies.
For guidance on the use of AI, the OAIC directs interested parties to its resources on developing and training generative AI models as well as the privacy implications of using commercially available AI products.
It is important to note that the OAIC did not initiate a formal investigation into I-MED or require any documents to be produced. The preliminary inquiries were aimed solely at determining whether there was a breach of privacy or APP 1 that would necessitate further investigation. While the outcome indicates no current issues, it should not be interpreted as an endorsement of I-MED’s practices or a guarantee of their overall compliance with the APPs.