A Conservative MP has expressed concern as to who gave permission for NHS patient data to be uploaded to Google cloud services for analysis. Simultaneously, privacy watchdogs have made fresh calls for UK medical data to be better protected from commercial entities.
Tory backbencher Sarah Wollaston tweeted; "So HES [hospital episode statistics] data uploaded to 'Google's immense army of servers', who consented to that?!".
According to a document published by NHS contractor PA Consulting, the firm made use of Google's BigQuery analytics tool in order to quickly process medical data "in seconds", many times faster than the "several hours" it took on their own internal servers using a Microsoft SQL database.
A statement from the NHS Health and Social Care Information Centre (HSCIC) said it was fully aware of PA Consulting's practices. "PA Consulting used a product called Google BigQuery to manipulate the datasets provided and the NHS IC [HSCIC] was aware of this. The NHS IC had written confirmation from PA Consulting prior to the agreement being signed that no Google staff would be able to access the data; access continued to be restricted to the individuals named in the data sharing agreement."
PA Consulting said in a statement that no personal information had been included, and no data could be linked to specific individuals. "Access to the dataset is tightly controlled and restricted to the small PA project team. Our approach protects patient confidentiality and allows insights to be derived at significantly lower cost - and 100 times faster - than any traditional approach," it said.
It is unclear where the data being analysed ended up, with some speculating that it was in the US and others merely saying it was outside of the UK. The distinction between the data being in the US or the EU is significant, as data protection laws in Europe are stricter than those in the US.
V3 contacted Google to find out where its BigQuery services operate, but had not received a reply at the time of publishing.
A video fo PA Consulting describing its use of Google BigQuery can be found below.
While, according to HSCIC, such data is supposed to anonymised, patient confidentiality campaign group medConfidential has called on the Information Commissioner's Office (ICO) to reopen a consultation on how medical records are used, now the public is more informed on where their data ends up.
Phil Booth, co-ordinator of medConfidential, said that the ICO should clarify whether its code of practice of anonymising data applies to information as sensitive as personal medical records. In February, the NHS postponed its care.data patient database following concerns about how the data was anonymised and who would end up with it.
He added: "The ICO closed a public consultation on updating the code in light of how it was being used since it was published last year. We call on the Information Commissioner to reopen the consultation, to give the public a chance to comment now people are beginning to get the picture of how their data has been used."