Complaint:!NHS!Data!Storage!in!the!Google!Cloud!

Transcription

1 13 th March2014 ChristopherGraham, InformationCommissioner, WycliffeHouse,WaterLane, WILMSLOW,CheshireSK95AF DearChris, Complaint:NHSDataStorageintheGoogleCloud WearewritingaboutrecentdisclosuresoftheuseofNHSdatabyPAconsultingandwerequest thatyourofficeinvestigateapparentlyseriousbreachesofthedataprotectionact1998. Background Aspartofadataanalyticsproject,theNHSInformationCentre(NHSIC) apredecessorofthe Health&SocialCareInformationCentre(HSCIC) enteredintoanagreementtosharehospital EpisodeStatistics(HES)datawithPAConsultingGroup(PA)inNovember2011.Thedata sharingagreementallegedlyimposesanumberofrestrictionsonpa suseofthehesdata, includingalimitationonthenumberofpeoplethatcanaccessthedata,arestrictiononsharing thedatawiththirdparties,andanobligationtoerasethedatafollowingtheterminationofthe agreement. AccordingtoanHSCICpressstatement,theshareddatasetsinclude pseudonymised HESon allnhsinpatienttreatments,outpatientappointmentsanda&eattendancesinengland. 1 Each HESrecordgenerallycontainsabroadrangeofinformationaboutindividualNHSpatients,such asagegroup,genderandethnicity,diagnosticandtreatmentcodes,andinformationaboutthe 1 HSCIC%Statement:%Use%of%data%by%PA%consulting,3March2014,availableat: 2 See,HSCIC,What%HES%data%are%available?,availableat: 1

2 locationwherethepatientwastreatedandwherehe/shelives. 2 BydefaultHESdatacontain thepatient spostcodeanddateofbirth,whichincombinationareenoughtore_identifyabout 98%ofpatients;itisunclearwhetherthesedatawereredactedinthiscase.Evenwithoutthese data,longitudinalmedicalrecordsareoftenveryeasytore_identify. InordertoanalyseandmanipulatetheHESdata,PAdecidedtousethird_partytoolssupplied bygoogle.specifically,pauploadedthehesdatatogooglestorage,andprocesseditviaa Googleanalyticsservice,GoogleBigQuery.(GoogleBigQueryisacloudservicethatallows interactiveanalysisoflargedatasets.)whilelittleisknownabouttheagreementbetweenpa andgoogle,padidprovidenhsicwithawrittenconfirmationthatnogooglestaffwouldgain accesstothehesdataandthat accesscontinuedtoberestrictedtotheindividualsnamedin thedatasharingagreement. 3 NeitherPAnorHSCIChaveprovidedanyinformationaboutthe assurances,ifany,theyreceivedfromgoogle.itisdifficulttoseehowpacouldexcludethe possibilitythatgoogleengineersmightaccessthedata,whetheroftheirownvolitionor pursuanttoalawfulaccessrequestfromausgovernmentagency,andthisraisesthequestion ofwhetherpa sconfirmationwasanythingmorethanjustwishfulthinkingoradesperate attemptatblameavoidance. Whenthedetailsofthisdata_sharingarrangementbecamepublic,stakeholderswerehighly concerned.mpsarahwollaston,whositsonthehealthselectcommittee,tweeted:"sohes datauploadedto'google'simmensearmyofservers',whoconsentedtothat@hscic?" 4.This concernisunsurprisinggivengoogle srecordonprivacy;inrecentyears,googlewasfoundto havebreachedeudataprotectionlawbytheeu sarticle29workingparty,aswellasby regulatorsinanumberofmemberstates. Issues InrespectofthoseHESrecordsthatqualifyaspersonalhealthinformation,arangeofcomplex legalandprofessionalobligationsrestrictorprohibittheuseanddisclosureofsuchdata, includingtheukdataprotectionact1998,thecommon_lawdutyofconfidence,thehuman 2 See,HSCIC,What%HES%data%are%available?,availableat: 3 HSCIC%Statement,%supran ComplainttoICOregardinguseofNHSdata 2

3 RightsAct1998,theNHSConfidentialityCodeofPractice,andtheInformationSecurityNHS CodeofPractice. 5 AlthoughPA spressstatementclaimsthattheshareddatasetdoesnotcontainanyinformation thatcouldbelinkedaspecificindividual, 6 itisquiteunclearhowthatstatementcouldbe correct.evenifthehesdatasetstoredingoogle scloudservicesdoesnotcontainapatient s nameornhsnumber,thedatatheremaybeeasytolinktoaspecificindividualandhencewill oftenconstitutesensitivepersonaldata.arecordofacatheterablationprocedureat HammersmithHospitalonOctober19th2003canbelinkedwithhighprobabilitytoTonyBlair onthebasisofpressreportsofhistreatmentforatrialfibrillation,andifthedatasetpermits episodesrelatingtohimtobelinked,thensensitivepersonalinformationrelatingtohisother treatmentepisodesmaybeveryeasytofind.alargeresearchliteraturegoingbacktothelate 1970sexploresthesubstantialriskthatindividualsmaybere_identifiedfrompseudonymised datasets. 7 ThedatasenttotheGoogleCloudmustthereforebetreatedaspersonaldata,and indeedassensitivepersonaldata,forthepurposesofeuropeanandukdataprotectionlaw evenifpostcodesanddatesofbirthwereinfactremoved.wenotethatneitherhscicnorpa hassofarclaimedthatpostcodeswereremoved. Werequestthatyouconductaninvestigationtodeterminewhetherthepersonalhealth informationofnhspatients,includingthesignatoriestothisletter,wasuploadedtogoogle systems. Ifso,storingandprocessingsuchdatawouldprobablybreachnumerousrulesandregulations. Inparticular: Personalhealthinformationshouldnotbedisclosedtothirdpartiesexceptinvery limitedcircumstances.thedata_sharingagreementbetweennhsicandparestricts thenumberofindividualswhocanhaveaccesstothehesdata;pahasmadeaspecific commitmenttonhsicnottoallowgooglestafftoaccessthedata.yetitisunclearthat theygotadequateassurancesfromgoogle. 5 TheUKDepartmentofHealthhasdevelopedanonlineInformationGovernanceToolkit(IGT)thatconsolidatesall applicablelegalrulesandcentraldohguidanceasasetofinformationgovernance(ig)requirements.theigt enablesnhsorganisationsandthirdpartiesprovidingservicestonhsorganizationstoassesstheircompliance withcurrentlegislation,governmentpolicyandnationalguidance. 6 %PA%Consulting%Group%statement:%use%of%HSCIC%data,3March2014,availableat: /. 7 It has been clearly established (and has long since been known amongst academics, researchers and practitioners) that such minimal "de-identification" does not prevent data from large databases from being re-identifiable. ComplainttoICOregardinguseofNHSdata 3

4 ThepurposesforwhichpersonalinformationofNHSpatientscanbeusedarerestricted. Asageneralrule,unlessthereisalegalbasisfortheuseofdataforotherpurposes(e.g., patient sexpressconsent),personalinformationofpatientsmayonlybeusedto providecareservicesandforrelatedpurposes(e.g.,toimprovethequalityofhealthcare managementorservicedelivery).inparticular,theuseofpatienthealthinformationfor commercialpurposes,includingtheprovisionofadvertising,isprohibited.butgoogle s cloud_serviceagreementsallowgoogletoprocesscustomers dataforopen_endedand vaguepurposes,whichleavesopenthepossibilitythatgooglemaybeprocessing personalhealthinformationforitscommercialbenefitandinparticulartooptimisethe provisionofadvertising. Detailedsecuritystandardsapplytotheprocessingandstorageofhealthinformation. Amongotherobligations,theUKDepartmentofHealth(DoH)haspublisheddetailed guidanceonsuitableencryptionalgorithmsfornhspatientdata. 8 Itisunclearthatthe securitymeasuresgoogleappliestoitscloudservicesarecompliant.wereferyouin particulartorecentdisclosuresbyedwardsnowdentotheeffectthatforeign intelligenceagencieswereroutinelyharvestingpersonalinformationofgoogle customersontheunencryptedbackbonelinksbetweenitsdatacentres,andthatgchq didnotinsistonminimisationofpersonalinformationofukcitizenswithin5eyes (unlikethecsewhichinsistedonsuchminimisationforcanadiancitizens). ThetransferofNHSpatients personalinformationoutsidetheukisheavilyrestricted. Inparticular,theDoHguidancemakesclearthatsuchinformationmustnotbe transferredoutsidetheukunlessanappropriateassessmentofriskhasbeen undertakenandappropriatecontrolsimplemented;thetransferisnotifiedtoyour office;thedecisiontotransferthedatahasbeentakenbyaseniormanagerwiththe requiredauthority;anassurancestatementisobtainedfromthirdpartiesthatprocess thedataoverseas;and inmostcases thepatientstowhomthedatarelateshave beennotifiedaboutthetransfer.asgooglehasnodatacentresintheuk,andtakesthe positionthatitscustomers datamaybestoredinanyofitsdatacentres 9,managers contemplatingtheuseofgoogleservicesforpersonalhealthinformationshouldhave properlyfollowedtheprocedureforsendingsuchinformationoverseas. 8 See,NHSInformationGovernance,Guidelines%on%Use%of%Encryption%to%Protect%Person%Identifiable%and%Sensitive% Information,2008,availableat: 9 See,ITNews,Google:%Who%cares%where%your%data%is?,9June2011,quotingChiefsecurityofficerforGoogleApps, EranFeigenbaum,availableat: is.aspx. 4 ComplainttoICOregardinguseofNHSdata

5 Personalhealthinformationmustbedeletedwhenitisnolongerrequiredforaspecific purpose.thiscommitmenthasapparentlybeenrepeatedinthedatasharingagreement betweennhsicandpa,sothatpaissupposedtodeletethehesdataoncethe agreementterminates.butitisunclearthatgoogleissubjecttosimilarrestrictions. Indeed,inthepastGooglehasfailedtoprovidestrongcommitmentstoitscloud customerstodeletedataduringprovisionandafterterminationoftheservice. ThestorageoflargeamountsofsensitivepersonalhealthinformationinaUScloudserviceis particularlyconcerningbecauseoftheprecedentitmayset.googlemayadvertiseamottoof don tbeevil andsomeofusindividuallymaybepreparedtoacceptassurancesfromthem (oneofus Anderson isaformergoogleemployee).howevernotallukdatasubjectswillbe preparedtoacceptsuchassurances noteveryoneusesgmail.furthermore,therearemany otherserviceproviderswitharangeofcorporatecultures.someoverseasserviceprovidersare verymuchlesstrustworthy,andfallcompletelyoutsideyourregulatoryscopeastheyhaveno UKpresence;weareconcernedthatourpersonalhealthinformationwillenduptherenext.Yet thisneednothappen;therearemanyukandeuserviceproviderswhofallcompletelywithin thescopeofthedataprotectiondirective,andwenotethatevenmicrosoftwillnowstore personaldataintheeuifcustomersdemandit. Questions WerequestthatyouinvestigatethepotentialbreachesofUKlawsandregulationsresulting fromtheuploadingofpatientdatatogoogle scloudservices.thisrelatesnotjusttothedata ProtectionAct1998directly,buttotherelevantNHSregulationsandtherelevanthuman_rights law(includingivfinland)astheseallsetthereasonableexpectationsthatpatientshadwhen theysuppliedtheirinformationtothenhs,andthusarefundamentalforfairprocessing. Amongthequestionsthatmustbeasked: PreciselywhichpatientdatawerestoredoutsidetheUK?Didtheyrelatetosingle episodesorlinkedrecords?didtheycontainpostcode,dateofbirth,nhsnumber,ora pseudonymsuchanencryptednhsnumber?thestatementsfrompaandhscicdeny thatanameorfulladdresswasincluded,andpadeniedtherewasafulldateofbirth. Neitherhasdeniedpostcode,oryearofbirth,ortheuseofapseudonymthatwould enableepisoderecordstobelinked.hscicmentions pseudonymised data,which suggestsapseudonym.weaspatientsanddatasubjects(aswellasadvocates)would liketoknowthedetails. ComplainttoICOregardinguseofNHSdata 5

6 WhatkindofprivacyriskassessmentwascarriedoutbyPAandNHSICpriortodeciding tostore,ortoconsenttothestorageof,thedataingoogle scloudservices? IfdataweretransferredunderSafeHarbor(asonemightexpect),theControllerstill needsanart.17contractgoverningsecurityofprocessing.doesthiscontractexist,and ifso,haveitsadequacyandlawfulnessbeenverified?canweseeit? HowareHESdataprotectedagainstaccessbyunauthorisedparties,includingGoogle engineers?wereanyencryptionmethodsusedtoprotectthedata(otherthanthetls encryptionusedtoprotectthelinkfromtheclienttothegooglefrontend)andwho hasaccesstotheencryptionkeys? WhatassuranceswereobtainedthattheHESdatacouldonlybeusedforhealthcare purposes?inparticular,hasgooglemadeanycommitmentsnottousethedataforits owncommercialpurposes,suchastargetingadvertsoranalytics? AsthedataweretransferredtoserversoutsidetheUK,havetherequirementsunder thedataprotectionact1998andthedohguidancebeencompliedwith? WhatmeasureshavethepartiestakentoensurethattheHESdatacannotbeaccessed byforeigngovernmentagenciesusingtheirlocalpowers,ratherthanhavingtogo throughuklawful_accessprocedures? WereadequatearrangementsmadetoensurethatGoogle sdataprocessingactivities canbeaudited? HasthespecificcommitmenttoerasetheHESdataoncethedatasharingagreement terminatesbeenextendedtogoogle? Weaskyoutoinvestigatetheseissuesasamatterofurgency. ComplainttoICOregardinguseofNHSdata 6

7 Yourssincerely, RossAnderson Chair, FoundationforInformationPolicyResearch PhilBooth Coordinator, medconfidential NickPickles Director, BigBrotherWatch ComplainttoICOregardinguseofNHSdata 7