Blogs

UK privacy groups file complaint on medical data in Google Cloud

By EDRi · March 26, 2014

UK privacy groups Big Brother Watch, medConfidential and the EDRi member  Foundation for Information Policy Research have filed a complaint with the Information Commissioner’s Office, the UK’s data protection authority. The complaint follows revelations that PA Consulting Group, a technology and innovation consultancy, uploaded a large quantity of data to Google’s cloud-based Big Data service “BigQuery”.

Whilst the data is supposed to bepseudonymised, it contains a vast quantity of information on individual patients including age, gender, ethnicity, patient addresses and their date of birth, reports PC Advisor. The privacy groups argue in their complaint that there is enough data to personally identify around 98 percent of patients.

Coordinator of medConfidential Philip Booth stated: “We do not believe that population-scale data sets of patient data should be uploaded to any cloud provider unless certain rigorous conditions have been met. Such sensitive data should never be uploaded to a provider outside the jurisdiction of the U.K. and EU Data Protection authorities and EU human rights framework. If such an action isn’t unlawful, it should be”.

PA Consulting claim that the data does not contain personally identifying information and that access is limited to a team of twelve people.

Responding to PA’s press statement, the complaint argues: “it is quite unclear how that statement could be correct. Even if the HES dataset stored in Google’s cloud services does not contain a patient’s name or NHS number, the data there may be easy to link to a specific individual and hence will often constitute sensitive personal data.”

Don’t upload health care data to Google cloud, UK groups say (14.03.2014)
http://www.pcadvisor.co.uk/news/security/3506818/dont-upload-health-care-data-to-google-cloud-uk-groups-say/#ixzz2wtTYFRgc

Complaint: NHS Data Storage in the Google Cloud (13.03.2014)
http://www.cl.cam.ac.uk/~rja14/Papers/ICO-PA-FIPR-complaint.pdf

Health privacy: complaint to ICO (14.03.2014)
http://www.lightbluetouchpaper.org/2014/03/14/health-privacy-complaint-to-ico/

Statement: Use of data by PA consulting (03.03.2014)
http://www.hscic.gov.uk/article/3948/Statement-Use-of-data-by-PA-consulting

(Contribution by Andrew Walsh – EDRi intern)