Privacy groups the Foundation for Information Policy Research, Big Brother Watch and medConfidential made the request after identifying concerns about whether individual patients' privacy rights had been appropriately observed (7-page / 112KB PDF).
The groups' complaint relates to an agreement the former NHS Information Centre (NHSIC) in England put in place with PA Consulting which enabled the consultancy business to gain access to pseudonymised patient data recorded in hospitals. The NHSIC has since been replaced by a new Health and Social Care Information Centre (HSCIC).
PA Consulting sought to analyse the data, which it has claimed "does not contain information that can be linked to specific individuals". The company used a cloud-based product called 'Google BigQuery' to help it do so, but the privacy groups said that the data PA Consulting uploaded to Google servers was personal data and have questioned whether the consultancy or NHSIC obtained the necessary assurances from Google regarding the privacy of the information stored.
"Even if the Hospital Episode Statistics (HES) dataset stored in Google’s cloud services does not contain a patient’s name or NHS number, the data there may be easy to link to a specific individual and hence will often constitute sensitive personal data," the privacy groups said in their complaint to the ICO.
"We request that you investigate the potential breaches of UK laws and regulations resulting from the uploading of patient data to Google’s cloud services. This relates not just to the Data Protection Act 1998 directly, but to the relevant NHS regulations and the relevant human-rights law (including I v Finland) as these all set the reasonable expectations that patients had when they supplied their information to the NHS, and thus are fundamental for fair processing," they said.
The groups said that there are "heavy restrictions" on the transfer of NHS patient data outside of the UK and questioned whether the proper procedures were followed for ensuring that transfer was legitimate. Among the procedures that have to be followed in most cases is the notification of individuals about the transfer of their personal data overseas, they said.
Whilst a range of rules and regulations also apply to NHS patient data, EU data protection laws on their own place restrictions on the transfer of personal data by organisations to locations outside of the European Economic Area (EEA).
A number of countries have been designated as providing adequate protection for personal data transferred from the EU; in other cases organisations are obliged to satisfy themselves that there is adequate protection for that data. A number of legal mechanisms, including model contract clauses, have been created to assist organisations in meeting their adequacy obligations.
However, data protection rules only apply where the information at issue is considered to be personal data. Both PA Consulting and the HSCIC have claimed that the information uploaded to Google's cloud servers was pseudonymised. The term refers to data from which direct identifiers such as names and NHS numbers have been removed or replaced with artificial identifiers (pseudonyms), so that a record cannot be attributed to a person without additional information; whether the remaining attributes can still be linked to an individual is the point the privacy groups dispute. In addition, other safeguards to privacy were also in place, the consultancy and HSCIC have said.
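The privacy groups' linkage argument and the definition of pseudonymisation above turn on one property: whether the combination of attributes left in a record is unique to a person. The following Python script is an added illustration, not code from the article, the HSCIC or PA Consulting. The records, field names and the "known attributes" used for the linkage attempt are all constructed for the example and are not HES fields; the suppression routine is the example's own safeguard and makes no claim about what the NHS small-numbers rule requires.

```python
"""Linkage risk on pseudonymised hospital-style records.

Added illustration; not code from the article, PA Consulting or the HSCIC.
The records and field names are constructed for the example and are not HES
fields: they are assumptions chosen to resemble a hospital activity dataset.
"""
from collections import Counter
from dataclasses import dataclass
from itertools import takewhile


@dataclass(frozen=True)
class Episode:
    pseudo_id: str           # artificial identifier standing in for the NHS number
    sex: str
    birth_year: int
    postcode_district: str   # outward code only, e.g. "CB4"
    admission_date: str      # ISO date
    diagnosis: str           # the sensitive attribute an attacker wants


# Constructed sample: no name, address, NHS number or full date of birth.
EPISODES = [
    Episode("p01", "F", 1971, "CB4", "2013-03-02", "fracture"),
    Episode("p02", "M", 1985, "CB4", "2013-03-02", "asthma"),
    Episode("p03", "M", 1985, "CB4", "2013-03-02", "appendicitis"),
    Episode("p04", "F", 1948, "SW1A", "2013-03-05", "hip replacement"),
    Episode("p05", "M", 1985, "CB4", "2013-03-17", "asthma"),
    Episode("p06", "F", 1948, "SW1A", "2013-03-05", "cataract"),
    Episode("p07", "M", 2001, "LS6", "2013-03-09", "concussion"),
]

# Attributes that are not identifiers on their own but can be in combination.
QUASI_IDENTIFIERS = ("sex", "birth_year", "postcode_district", "admission_date")


def _field(rec, name):
    """Read a field from an Episode or from a plain dict of known attributes."""
    return rec[name] if isinstance(rec, dict) else getattr(rec, name)


def quasi_key(rec, fields=QUASI_IDENTIFIERS, generalise=False):
    """Tuple of quasi-identifier values. With generalise=True the admission
    date is coarsened to year-month and the postcode to its letter area."""
    values = []
    for f in fields:
        v = _field(rec, f)
        if generalise and f == "admission_date":
            v = v[:7]
        elif generalise and f == "postcode_district":
            v = "".join(takewhile(str.isalpha, v))
        values.append(v)
    return tuple(values)


def group_sizes(episodes, generalise=False):
    """Map each pseudo_id to k, the number of records sharing its
    quasi-identifier tuple. k == 1 means the record is unique and linkable."""
    counts = Counter(quasi_key(e, generalise=generalise) for e in episodes)
    return {e.pseudo_id: counts[quasi_key(e, generalise=generalise)] for e in episodes}


def unique_records(episodes, generalise=False):
    """Pseudonyms whose attribute combination occurs only once."""
    return sorted(p for p, k in group_sizes(episodes, generalise).items() if k == 1)


def link(episodes, known, generalise=False):
    """Re-identification attempt: an attacker who knows some quasi-identifier
    values about a person (a news report, a social post, a neighbour's own
    knowledge) gets every record consistent with them. A single hit discloses
    that person's diagnosis even though no identifier is present."""
    fields = tuple(f for f in QUASI_IDENTIFIERS if f in known)
    target = quasi_key(known, fields, generalise)
    return [e for e in episodes if quasi_key(e, fields, generalise) == target]


def suppress(episodes, k_min, generalise=False):
    """Keep only records whose quasi-identifier group has at least k_min
    members (a record-level analogue of small-cell suppression; this is the
    example's own safeguard, not a statement of the NHS rules)."""
    sizes = group_sizes(episodes, generalise)
    return [e for e in episodes if sizes[e.pseudo_id] >= k_min]


if __name__ == "__main__":
    print("unique as released:", unique_records(EPISODES))
    print("unique after generalising:", unique_records(EPISODES, generalise=True))
    neighbour = {"sex": "F", "birth_year": 1971,
                 "postcode_district": "CB4", "admission_date": "2013-03-02"}
    for e in link(EPISODES, neighbour):
        print("linked", e.pseudo_id, "->", e.diagnosis)
```

Three of the seven constructed records are unique on sex, birth year, postcode district and admission date, so anyone who knows those four facts about a person recovers their diagnosis; the absence of names and NHS numbers does not change that. Coarsening the date to a month and the postcode to its area lowers the count of unique records but does not remove it, which is why a release would also need to drop or aggregate the residual singletons. The property is a function of the dataset alone: it is the same whether the table sits in BigQuery or on a server inside the NHS, so the cloud question the groups raise (who else can read the table) is separate from the re-identification question (what the table reveals to whoever reads it).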
"The agreement [on data sharing between NHSIC and PA Consulting] obliged PA Consulting to abide by conditions to protect the confidentiality of the data, including restricting the data to a named list of individuals, a prohibition on sharing any information with risk of identifying individuals and a requirement to destroy the data after the agreement end date," the HSCIC said.
"PA Consulting used a product called Google BigQuery to manipulate the datasets provided and the NHS IC was aware of this. The NHS IC had written confirmation from PA Consulting prior to the agreement being signed that no Google staff would be able to access the data; access continued to be restricted to the individuals named in the data sharing agreement," it added.
PA Consulting added: "The dataset does not contain information that can be linked to specific individuals and is held securely in the cloud in accordance with conditions specified and approved by HSCIC. Access to the dataset is tightly controlled and restricted to the small PA project team."
"The data set does not contain patient name, address, NHS number or Date of Birth. In addition we have followed all the conditions specified by the NHS such as the small numbers rule and giving access to the underlying data to others. We applied for access for up to 12 people, but in practice only four people have regularly accessed the information," it said.
The privacy of patient data has been a topic of major discussion in the UK recently after the government postponed plans for its 'care.data' scheme. The initiative, now scheduled to commence in October, will see GP-held medical records of patients uploaded to a new database and will be made available for use by third parties under certain circumstances.