13th March 2014

Christopher Graham, Information Commissioner, Wycliffe House, Water Lane, WILMSLOW, Cheshire SK9 5AF

Dear Chris,

Complaint: NHS Data Storage in the Google Cloud

We are writing about recent disclosures of the use of NHS data by PA Consulting and we request that your office investigate apparently serious breaches of the Data Protection Act 1998.

Background

As part of a data analytics project, the NHS Information Centre (NHSIC), a predecessor of the Health & Social Care Information Centre (HSCIC), entered into an agreement to share Hospital Episode Statistics (HES) data with PA Consulting Group (PA) in November 2011. The data sharing agreement allegedly imposes a number of restrictions on PA's use of the HES data, including a limitation on the number of people that can access the data, a restriction on sharing the data with third parties, and an obligation to erase the data following the termination of the agreement.

According to an HSCIC press statement, the shared data sets include "pseudonymised HES on all NHS inpatient treatments, outpatient appointments and A&E attendances in England". [1] Each HES record generally contains a broad range of information about individual NHS patients, such as age group, gender and ethnicity, diagnostic and treatment codes, and information about the location where the patient was treated and where he/she lives. [2] By default HES data contain the patient's postcode and date of birth, which in combination are enough to re-identify about 98% of patients; it is unclear whether these data were redacted in this case. Even without these data, longitudinal medical records are often very easy to re-identify.

In order to analyse and manipulate the HES data, PA decided to use third-party tools supplied by Google. Specifically, PA uploaded the HES data to Google Storage, and processed it via a Google analytics service, Google BigQuery. (Google BigQuery is a cloud service that allows interactive analysis of large data sets.) While little is known about the agreement between PA and Google, PA did provide NHSIC with a written confirmation that no Google staff would gain access to the HES data and that "access continued to be restricted to the individuals named in the data sharing agreement". [3] Neither PA nor HSCIC have provided any information about the assurances, if any, they received from Google. It is difficult to see how PA could exclude the possibility that Google engineers might access the data, whether of their own volition or pursuant to a lawful access request from a US government agency, and this raises the question of whether PA's confirmation was anything more than just wishful thinking or a desperate attempt at blame avoidance.

When the details of this data-sharing arrangement became public, stakeholders were highly concerned. MP Sarah Wollaston, who sits on the Health Select Committee, tweeted: "so HES data uploaded to 'Google's immense army of servers', who consented to that @hscic?" [4] This concern is unsurprising given Google's record on privacy; in recent years, Google was found to have breached EU data protection law by the EU's Article 29 Working Party, as well as by regulators in a number of member states.

Issues

In respect of those HES records that qualify as personal health information, a range of complex legal and professional obligations restrict or prohibit the use and disclosure of such data, including the UK Data Protection Act 1998, the common-law duty of confidence, the Human Rights Act 1998, the NHS Confidentiality Code of Practice, and the Information Security NHS Code of Practice. [5]

Although PA's press statement claims that the shared data set does not contain any information that could be linked to a specific individual, [6] it is quite unclear how that statement could be correct. Even if the HES data set stored in Google's cloud services does not contain a patient's name or NHS number, the data there may be easy to link to a specific individual and hence will often constitute sensitive personal data. A record of a catheter ablation procedure at Hammersmith Hospital on October 19th 2003 can be linked with high probability to Tony Blair on the basis of press reports of his treatment for atrial fibrillation, and if the data set permits episodes relating to him to be linked, then sensitive personal information relating to his other treatment episodes may be very easy to find. A large research literature going back to the late 1970s explores the substantial risk that individuals may be re-identified from pseudonymised data sets. [7] The data sent to the Google Cloud must therefore be treated as personal data, and indeed as sensitive personal data, for the purposes of European and UK data protection law, even if postcodes and dates of birth were in fact removed. We note that neither HSCIC nor PA has so far claimed that postcodes were removed.

We request that you conduct an investigation to determine whether the personal health information of NHS patients, including the signatories to this letter, was uploaded to Google systems.

If so, storing and processing such data would probably breach numerous rules and regulations. In particular:

- Personal health information should not be disclosed to third parties except in very limited circumstances. The data-sharing agreement between NHSIC and PA restricts the number of individuals who can have access to the HES data; PA has made a specific commitment to NHSIC not to allow Google staff to access the data. Yet it is unclear that they got adequate assurances from Google.

- The purposes for which personal information of NHS patients can be used are restricted. As a general rule, unless there is a legal basis for the use of data for other purposes (e.g., the patient's express consent), personal information of patients may only be used to provide care services and for related purposes (e.g., to improve the quality of health care management or service delivery). In particular, the use of patient health information for commercial purposes, including the provision of advertising, is prohibited. But Google's cloud-service agreements allow Google to process customers' data for open-ended and vague purposes, which leaves open the possibility that Google may be processing personal health information for its commercial benefit and in particular to optimise the provision of advertising.

- Detailed security standards apply to the processing and storage of health information. Among other obligations, the UK Department of Health (DoH) has published detailed guidance on suitable encryption algorithms for NHS patient data. [8] It is unclear that the security measures Google applies to its cloud services are compliant. We refer you in particular to recent disclosures by Edward Snowden to the effect that foreign intelligence agencies were routinely harvesting personal information of Google customers on the unencrypted backbone links between its data centres, and that GCHQ did not insist on minimisation of personal information of UK citizens within 5 Eyes (unlike the CSE, which insisted on such minimisation for Canadian citizens).

- The transfer of NHS patients' personal information outside the UK is heavily restricted. In particular, the DoH guidance makes clear that such information must not be transferred outside the UK unless an appropriate assessment of risk has been undertaken and appropriate controls implemented; the transfer is notified to your office; the decision to transfer the data has been taken by a senior manager with the required authority; an assurance statement is obtained from third parties that process the data overseas; and, in most cases, the patients to whom the data relate have been notified about the transfer. As Google has no data centres in the UK, and takes the position that its customers' data may be stored in any of its data centres, [9] managers contemplating the use of Google services for personal health information should have properly followed the procedure for sending such information overseas.

- Personal health information must be deleted when it is no longer required for a specific purpose. This commitment has apparently been repeated in the data sharing agreement between NHSIC and PA, so that PA is supposed to delete the HES data once the agreement terminates. But it is unclear that Google is subject to similar restrictions. Indeed, in the past Google has failed to provide strong commitments to its cloud customers to delete data during provision and after termination of the service.

The storage of large amounts of sensitive personal health information in a US cloud service is particularly concerning because of the precedent it may set. Google may advertise a motto of "don't be evil" and some of us individually may be prepared to accept assurances from them (one of us, Anderson, is a former Google employee). However, not all UK data subjects will be prepared to accept such assurances; not everyone uses Gmail. Furthermore, there are many other service providers with a range of corporate cultures. Some overseas service providers are very much less trustworthy, and fall completely outside your regulatory scope as they have no UK presence; we are concerned that our personal health information will end up there next. Yet this need not happen; there are many UK and EU service providers who fall completely within the scope of the Data Protection Directive, and we note that even Microsoft will now store personal data in the EU if customers demand it.

Questions

We request that you investigate the potential breaches of UK laws and regulations resulting from the uploading of patient data to Google's cloud services. This relates not just to the Data Protection Act 1998 directly, but to the relevant NHS regulations and the relevant human-rights law (including I v Finland), as these all set the reasonable expectations that patients had when they supplied their information to the NHS, and thus are fundamental for fair processing. Among the questions that must be asked:

- Precisely which patient data were stored outside the UK? Did they relate to single episodes or linked records? Did they contain postcode, date of birth, NHS number, or a pseudonym such as an encrypted NHS number? The statements from PA and HSCIC deny that a name or full address was included, and PA denied there was a full date of birth. Neither has denied postcode, or year of birth, or the use of a pseudonym that would enable episode records to be linked. HSCIC mentions "pseudonymised" data, which suggests a pseudonym. We as patients and data subjects (as well as advocates) would like to know the details.

- What kind of privacy risk assessment was carried out by PA and NHSIC prior to deciding to store, or to consent to the storage of, the data in Google's cloud services?

- If data were transferred under Safe Harbor (as one might expect), the controller still needs an Art. 17 contract governing security of processing. Does this contract exist, and if so, have its adequacy and lawfulness been verified? Can we see it?

- How are HES data protected against access by unauthorised parties, including Google engineers? Were any encryption methods used to protect the data (other than the TLS encryption used to protect the link from the client to the Google front end), and who has access to the encryption keys?

- What assurances were obtained that the HES data could only be used for health care purposes? In particular, has Google made any commitments not to use the data for its own commercial purposes, such as targeting adverts or analytics?

- As the data were transferred to servers outside the UK, have the requirements under the Data Protection Act 1998 and the DoH guidance been complied with?

- What measures have the parties taken to ensure that the HES data cannot be accessed by foreign government agencies using their local powers, rather than having to go through UK lawful-access procedures?

- Were adequate arrangements made to ensure that Google's data processing activities can be audited?

- Has the specific commitment to erase the HES data once the data sharing agreement terminates been extended to Google?

We ask you to investigate these issues as a matter of urgency.

Yours sincerely,

Ross Anderson, Chair, Foundation for Information Policy Research, Ross.Anderson@cl.cam.ac.uk
Phil Booth, Coordinator, medConfidential, phil@medconfidential.org
Nick Pickles, Director, Big Brother Watch, Nick.Pickles@bigbrotherwatch.org.uk

Footnotes

[1] HSCIC Statement: Use of data by PA consulting, 3 March 2014, available at: http://www.hscic.gov.uk/article/3948/statement_use_of_data_by_pa_consulting.
[2] See HSCIC, What HES data are available?, available at: http://www.hscic.gov.uk/hesdata.
[3] HSCIC Statement, supra n. 1.
[4] https://twitter.com/drwollastonmp/status/440275592655949824.
[5] The UK Department of Health has developed an online Information Governance Toolkit (IGT) that consolidates all applicable legal rules and central DoH guidance as a set of information governance (IG) requirements. The IGT enables NHS organisations and third parties providing services to NHS organisations to assess their compliance with current legislation, government policy and national guidance.
[6] PA Consulting Group statement: use of HSCIC data, 3 March 2014, available at: http://www.paconsulting.com/introducing_pas_media_site/releases/pa_consulting_group_statement_3_march_2014/.
[7] It has been clearly established (and has long since been known amongst academics, researchers and practitioners) that such minimal "de-identification" does not prevent data from large databases from being re-identifiable.
[8] See NHS Information Governance, Guidelines on Use of Encryption to Protect Person Identifiable and Sensitive Information, 2008, available at: http://systems.hscic.gov.uk/infogov/security/encryptionguide.pdf.
[9] See IT News, Google: Who cares where your data is?, 9 June 2011, quoting Chief Security Officer for Google Apps, Eran Feigenbaum, available at: http://www.itnews.com.au/News/260041,google_who_cares_where_your_data_is.aspx.
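As an added illustration of the re-identification risk the letter describes and of the privacy risk assessment it asks about (this code is not part of the original complaint): a Python check over constructed pseudonymised records in the style of HES that measures how many patients are singled out by postcode, date of birth and sex, what generalising those fields to outward postcode and year of birth achieves, and whether linked episode histories stay unique once postcode and date of birth are stripped. All pseudonyms, postcodes, dates and procedure codes are constructed.

```python
from collections import Counter, defaultdict

# Constructed pseudonymised episode records in the style of HES (not real data and not
# the data set discussed in the complaint). "pid" stands in for a pseudonym such as an
# encrypted NHS number; "proc" is a constructed procedure code.
EPISODES = [
    {"pid": "P1", "postcode": "XX1 1AA", "dob": "1953-05-06", "sex": "M", "proc": "K57"},
    {"pid": "P1", "postcode": "XX1 1AA", "dob": "1953-05-06", "sex": "M", "proc": "X35"},
    {"pid": "P2", "postcode": "XX1 1AA", "dob": "1953-05-07", "sex": "M", "proc": "X35"},
    {"pid": "P3", "postcode": "YY2 2BB", "dob": "1980-01-01", "sex": "M", "proc": "X35"},
    {"pid": "P4", "postcode": "YY2 2BB", "dob": "1980-01-01", "sex": "M", "proc": "X35"},
    {"pid": "P5", "postcode": "YY2 2BB", "dob": "1980-01-01", "sex": "M", "proc": "K57"},
    {"pid": "P6", "postcode": "YY2 2BB", "dob": "1980-01-01", "sex": "M", "proc": "K57"},
]

# Generalisations a controller might apply before release: outward postcode, year of birth.
GENERALISE = {"postcode": lambda v: v.split()[0], "dob": lambda v: v[:4]}

def patients(episodes):
    """One row per pseudonym: quasi-identifiers belong to the patient, not the episode."""
    return list({e["pid"]: e for e in episodes}.values())

def qi_key(rec, quasi_ids, generalise=()):
    """Quasi-identifier tuple for a record, generalising the fields named in `generalise`."""
    return tuple(GENERALISE[q](rec[q]) if q in generalise else rec[q] for q in quasi_ids)

def equivalence_classes(episodes, quasi_ids, generalise=()):
    """How many patients share each quasi-identifier combination."""
    return Counter(qi_key(p, quasi_ids, generalise) for p in patients(episodes))

def k_anonymity(episodes, quasi_ids, generalise=()):
    """Smallest equivalence class; k == 1 means at least one patient is singled out."""
    return min(equivalence_classes(episodes, quasi_ids, generalise).values())

def singled_out(episodes, quasi_ids, generalise=()):
    """Pseudonyms whose quasi-identifier combination is unique in the data set."""
    classes = equivalence_classes(episodes, quasi_ids, generalise)
    return sorted(p["pid"] for p in patients(episodes)
                  if classes[qi_key(p, quasi_ids, generalise)] == 1)

def unique_histories(episodes):
    """Pseudonyms whose linked set of procedure codes is unique even with postcode and
    date of birth removed: one publicly known episode then links all the others."""
    history = defaultdict(list)
    for e in episodes:
        history[e["pid"]].append(e["proc"])
    signature = {pid: tuple(sorted(codes)) for pid, codes in history.items()}
    counts = Counter(signature.values())
    return sorted(pid for pid, sig in signature.items() if counts[sig] == 1)
```

On this constructed sample, full postcode plus date of birth gives k = 1 (two patients singled out), generalising to outward postcode and year of birth raises k to 2, yet one patient's linked history remains unique with both fields gone.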