Don't upload health care data to Google cloud, UK groups say

Such sensitive data should never be uploaded to a provider outside the jurisdiction of the U.K, the groups said

Using Google's cloud services to process health care records is a serious violation of the U.K.'s data protection act, privacy groups said in a complaint filed with the country's data protection authority.

U.K. privacy groups medConfidential, Big Brother Watch and the Foundation for Information Policy Research filed the complaint with the Information Commissioner's Office (ICO) on Thursday, following recent disclosures that the firm PA Consulting had obtained medical data and uploaded it to Google's cloud for analysis.

In 2011, the predecessor to the U.K's Health & Social Care Information Centre (HSCIC) entered into an agreement to share the Hospital Episodes Statistics (HES) patient database with PA Consulting, according to the information center.

Hospital Episode Statistics processes over 125 million admitted patient, outpatient and accident and emergency records each year, according to the information center.

Each HES record generally contains a broad range of information about individual patients, such as age group, gender and ethnicity, diagnostic and treatment codes, and information about where the patient was treated and lives. By default HES data also contain the patient's postcode and date of birth, which in combination are enough to personally identify about 98 percent of patients, the groups said in the complaint.

The data was pseudonymized and used in an analytics project, PA Consulting said in a news release.

However, to analyze the vast trove of patient data, PA Consulting uploaded the data to Google and processed it via Google's analytics service BigQuery, a cloud service that allows interactive analysis of large data sets. That never should have happened, the groups said in their complaint.

"We do not believe that population-scale data sets of patient data should be uploaded to any cloud provider unless certain rigorous conditions have been met," said Phil Booth, coordinator of medConfidential, via email Friday.

"Such sensitive data should never be uploaded to a provider outside the jurisdiction of the U.K. and EU Data Protection authorities and EU human rights framework. If such an action isn't unlawful, it should be," he added.

According to PA Consulting, the dataset does not contain information that can be linked to specific individuals and is held securely in the cloud in accordance with conditions specified and approved by HSCIC. Access to the dataset is also tightly controlled and restricted to a project team of up to 12 people, they said.

The privacy groups, however, dispute that claim. "Even if the HES dataset stored in Google's cloud services does not contain a patient's name or NHS number, the data there may be easy to link to a specific individual and hence will often constitute sensitive personal data," they said.

The ICO should therefore investigate the potential breaches of U.K. laws and regulations resulting from the uploading of patient data to Google's cloud services, the groups said.

The ICO did not immediately reply to a request for comment.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags securityprivacy

More about Brother International (Aust)EUFoundation for Information Policy ResearchGoogleHESICOIDGPA Consulting

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts