Menu
Don't upload health care data to Google cloud, UK groups say

Don't upload health care data to Google cloud, UK groups say

Such sensitive data should never be uploaded to a provider outside the jurisdiction of the U.K, the groups said

Using Google's cloud services to process health care records is a serious violation of the U.K.'s data protection act, privacy groups said in a complaint filed with the country's data protection authority.

U.K. privacy groups medConfidential, Big Brother Watch and the Foundation for Information Policy Research filed the complaint with the Information Commissioner's Office (ICO) on Thursday, following recent disclosures that the firm PA Consulting had obtained medical data and uploaded it to Google's cloud for analysis.

In 2011, the predecessor to the U.K's Health & Social Care Information Centre (HSCIC) entered into an agreement to share the Hospital Episodes Statistics (HES) patient database with PA Consulting, according to the information center.

Hospital Episode Statistics processes over 125 million admitted patient, outpatient and accident and emergency records each year, according to the information center.

Each HES record generally contains a broad range of information about individual patients, such as age group, gender and ethnicity, diagnostic and treatment codes, and information about where the patient was treated and lives. By default HES data also contain the patient's postcode and date of birth, which in combination are enough to personally identify about 98 percent of patients, the groups said in the complaint.

The data was pseudonymized and used in an analytics project, PA Consulting said in a news release.

However, to analyze the vast trove of patient data, PA Consulting uploaded the data to Google and processed it via Google's analytics service BigQuery, a cloud service that allows interactive analysis of large data sets. That never should have happened, the groups said in their complaint.

"We do not believe that population-scale data sets of patient data should be uploaded to any cloud provider unless certain rigorous conditions have been met," said Phil Booth, coordinator of medConfidential, via email Friday.

"Such sensitive data should never be uploaded to a provider outside the jurisdiction of the U.K. and EU Data Protection authorities and EU human rights framework. If such an action isn't unlawful, it should be," he added.

According to PA Consulting, the dataset does not contain information that can be linked to specific individuals and is held securely in the cloud in accordance with conditions specified and approved by HSCIC. Access to the dataset is also tightly controlled and restricted to a project team of up to 12 people, they said.

The privacy groups, however, dispute that claim. "Even if the HES dataset stored in Google's cloud services does not contain a patient's name or NHS number, the data there may be easy to link to a specific individual and hence will often constitute sensitive personal data," they said.

The ICO should therefore investigate the potential breaches of U.K. laws and regulations resulting from the uploading of patient data to Google's cloud services, the groups said.

The ICO did not immediately reply to a request for comment.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags securityprivacy

Featured

Slideshows

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Examining the changing job scene in the Kiwi channel

Examining the changing job scene in the Kiwi channel

Typically, the New Year brings new opportunities for personnel within the Kiwi channel. 2017 started no differently, with a host of appointments, departures and reshuffles across vendor, distributor and reseller businesses. As a result, the job scene across New Zealand has changed - here’s a run down of who is working where in the year ahead…

Examining the changing job scene in the Kiwi channel
​What are the top 10 tech trends for New Zealand in 2017?

​What are the top 10 tech trends for New Zealand in 2017?

Digital Transformation (DX) has been a critical topic for business over the last few years and IDC is now predicting a step change as DX reaches macroeconomic levels. By 2020 a DX economy will emerge and it will become the core of what New Zealand industries focus on. From the board level through to the C-Suite, Kiwi organisations must be prepared to think and act digital when the DX economy emerges in 2017.

​What are the top 10 tech trends for New Zealand in 2017?
Show Comments