Using Google’s cloud services to process health care records is a serious violation of the U.K.’s data protection act, privacy groups said in a complaint filed with the country’s data protection authority.
U.K. privacy groups medConfidential, Big Brother Watch and the Foundation for Information Policy Research filed the complaint with the Information Commissioner’s Office (ICO) on Thursday, following recent disclosures that the firm PA Consulting had obtained medical data and uploaded it to Google’s cloud for analysis.
In 2011, the predecessor to the U.K’s Health & Social Care Information Centre (HSCIC) entered into an agreement to share the Hospital Episodes Statistics (HES) patient database with PA Consulting, according to the information center.
Hospital Episode Statistics processes over 125 million admitted patient, outpatient and accident and emergency records each year, according to the information center.
Each HES record generally contains a broad range of information about individual patients, such as age group, gender and ethnicity, diagnostic and treatment codes, and information about where the patient was treated and lives. By default HES data also contain the patient’s postcode and date of birth, which in combination are enough to personally identify about 98 percent of patients, the groups said in the complaint.
The data was pseudonymized and used in an analytics project, PA Consulting said in a news release.
However, to analyze the vast trove of patient data, PA Consulting uploaded the data to Google and processed it via Google’s analytics service BigQuery, a cloud service that allows interactive analysis of large data sets. That never should have happened, the groups said in their complaint.
“We do not believe that population-scale data sets of patient data should be uploaded to any cloud provider unless certain rigorous conditions have been met,” said Phil Booth, coordinator of medConfidential, via email Friday.
“Such sensitive data should never be uploaded to a provider outside the jurisdiction of the U.K. and EU Data Protection authorities and EU human rights framework. If such an action isn’t unlawful, it should be,” he added.
According to PA Consulting, the dataset does not contain information that can be linked to specific individuals and is held securely in the cloud in accordance with conditions specified and approved by HSCIC. Access to the dataset is also tightly controlled and restricted to a project team of up to 12 people, they said.
The privacy groups, however, dispute that claim. “Even if the HES dataset stored in Google’s cloud services does not contain a patient’s name or NHS number, the data there may be easy to link to a specific individual and hence will often constitute sensitive personal data,” they said.
The ICO should therefore investigate the potential breaches of U.K. laws and regulations resulting from the uploading of patient data to Google’s cloud services, the groups said.
The ICO did not immediately reply to a request for comment.