UK privacy groups lodge ICO complaint on Google health data deal

 By Simon Davies

Several British rights groups have co-authored a complaint to the UK Information Commissioner, alleging that the use of Google cloud services for the processing of health information has created a serious violation of data protection law. The complaint warns that the arrangements leave open the possibility that Google may be processing personal health information for its commercial benefit and, in particular, to optimise the provision of advertising.

The complaint follows recent disclosures that a health contractor, PA Consulting, uploaded the entire national hospital statistics database to Google Storage and processed it via a Google analytics service, Google BigQuery. (BigQuery is a cloud service that allows interactive analysis of large data sets.)

The “pseudonymised” data comprised Hospital Episode Statistics (HES) which include all National Health Service (NHS) inpatient treatments, outpatient appointments and A&E attendances in England.  Each HES record generally contains a broad range of information about individual NHS patients, such as age group, gender and ethnicity, clinical information, and information about the location where the patients were treated and where they live.

By default HES data contain the patient’s postcode and date of birth, which in combination are enough to re-identify about 98% of patients; it is unclear whether these data were redacted in this case. Even without this data, longitudinal medical records are often easy to re-identify.

The complaint was jointly submitted by the Foundation for Information Policy Research, medConfidential and Big Brother Watch, three of Britain’s most active and respected rights organisations. If upheld, the complaint could present a serious embarrassment to the outsourcing of health services and create significant barriers to public sector use of Google’s cloud services in the UK.

Little is known about the agreement between PA and Google and neither organisation has provided any information about the safeguards, if any, that have been put in place to ensure that Google does not access the data.

The comprehensive complaint outlines several alleged violations of law and requests that the Commissioner undertakes an investigation as a matter of urgency.

The complaint raises concerns about Google’s poor legal compliance record in Europe, noting that several countries had found the company in violation of data protection law. The complainants also criticised Google’s terms of service, which they warned allowed the company to process data for “open ended and vague purposes”.

The complainants are concerned that even the most basic information about the processing is unknown. “What assurances were obtained that the HES data could only be used for healthcare purposes?  In particular, has Google made any commitments not to use the data for its own commercial purposes, such as targeting advertising or analytics?”

The complaint also takes aim at Google’s ongoing failure to provide assurances on data retention, noting “… in the past Google has failed to provide strong commitments to its cloud customers to delete data during provision and after termination of the service.”

Similar concerns have been raised by privacy regulators in Norway and Sweden, which have placed severe restrictions on public sector use of Google cloud services.