Menu
Don't upload health care data to Google cloud, UK groups say

Don't upload health care data to Google cloud, UK groups say

Such sensitive data should never be uploaded to a provider outside the jurisdiction of the U.K, the groups said

Using Google's cloud services to process health care records is a serious violation of the U.K.'s data protection act, privacy groups said in a complaint filed with the country's data protection authority.

U.K. privacy groups medConfidential, Big Brother Watch and the Foundation for Information Policy Research filed the complaint with the Information Commissioner's Office (ICO) on Thursday, following recent disclosures that the firm PA Consulting had obtained medical data and uploaded it to Google's cloud for analysis.

In 2011, the predecessor to the U.K's Health & Social Care Information Centre (HSCIC) entered into an agreement to share the Hospital Episodes Statistics (HES) patient database with PA Consulting, according to the information center.

Hospital Episode Statistics processes over 125 million admitted patient, outpatient and accident and emergency records each year, according to the information center.

Each HES record generally contains a broad range of information about individual patients, such as age group, gender and ethnicity, diagnostic and treatment codes, and information about where the patient was treated and lives. By default HES data also contain the patient's postcode and date of birth, which in combination are enough to personally identify about 98 percent of patients, the groups said in the complaint.

The data was pseudonymized and used in an analytics project, PA Consulting said in a news release.

However, to analyze the vast trove of patient data, PA Consulting uploaded the data to Google and processed it via Google's analytics service BigQuery, a cloud service that allows interactive analysis of large data sets. That never should have happened, the groups said in their complaint.

"We do not believe that population-scale data sets of patient data should be uploaded to any cloud provider unless certain rigorous conditions have been met," said Phil Booth, coordinator of medConfidential, via email Friday.

"Such sensitive data should never be uploaded to a provider outside the jurisdiction of the U.K. and EU Data Protection authorities and EU human rights framework. If such an action isn't unlawful, it should be," he added.

According to PA Consulting, the dataset does not contain information that can be linked to specific individuals and is held securely in the cloud in accordance with conditions specified and approved by HSCIC. Access to the dataset is also tightly controlled and restricted to a project team of up to 12 people, they said.

The privacy groups, however, dispute that claim. "Even if the HES dataset stored in Google's cloud services does not contain a patient's name or NHS number, the data there may be easy to link to a specific individual and hence will often constitute sensitive personal data," they said.

The ICO should therefore investigate the potential breaches of U.K. laws and regulations resulting from the uploading of patient data to Google's cloud services, the groups said.

The ICO did not immediately reply to a request for comment.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags privacy

Events

Featured

Slideshows

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security
Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch
Show Comments