Complaint: NHS Data Storage in the Google Cloud



13th March 2014

Christopher Graham, Information Commissioner, Wycliffe House, Water Lane, WILMSLOW, Cheshire SK9 5AF

Dear Chris,

Complaint: NHS Data Storage in the Google Cloud

We are writing about recent disclosures of the use of NHS data by PA Consulting and we request that your office investigate apparently serious breaches of the Data Protection Act 1998.

Background

As part of a data analytics project, the NHS Information Centre (NHSIC), a predecessor of the Health & Social Care Information Centre (HSCIC), entered into an agreement to share Hospital Episode Statistics (HES) data with PA Consulting Group (PA) in November 2011. The data sharing agreement allegedly imposes a number of restrictions on PA's use of the HES data, including a limitation on the number of people that can access the data, a restriction on sharing the data with third parties, and an obligation to erase the data following the termination of the agreement.

According to an HSCIC press statement, the shared data sets include "pseudonymised" HES on all NHS inpatient treatments, outpatient appointments and A&E attendances in England.[1] Each HES record generally contains a broad range of information about individual NHS patients, such as age group, gender and ethnicity, diagnostic and treatment codes, and information about the

[1] HSCIC Statement: Use of data by PA consulting, 3 March 2014, available at: http://www.hscic.gov.uk/article/3948/statement_use_of_data_by_pa_consulting.

location where the patient was treated and where he/she lives.[2] By default HES data contain the patient's postcode and date of birth, which in combination are enough to re-identify about 98% of patients; it is unclear whether these data were redacted in this case. Even without these data, longitudinal medical records are often very easy to re-identify.

In order to analyse and manipulate the HES data, PA decided to use third-party tools supplied by Google. Specifically, PA uploaded the HES data to Google Storage, and processed it via a Google analytics service, Google BigQuery. (Google BigQuery is a cloud service that allows interactive analysis of large data sets.) While little is known about the agreement between PA and Google, PA did provide NHSIC with a written confirmation that no Google staff would gain access to the HES data and that "access continued to be restricted to the individuals named in the data sharing agreement".[3] Neither PA nor HSCIC has provided any information about the assurances, if any, they received from Google. It is difficult to see how PA could exclude the possibility that Google engineers might access the data, whether of their own volition or pursuant to a lawful access request from a US government agency, and this raises the question of whether PA's confirmation was anything more than just wishful thinking or a desperate attempt at blame avoidance.

When the details of this data-sharing arrangement became public, stakeholders were highly concerned. MP Sarah Wollaston, who sits on the Health Select Committee, tweeted: "So HES data uploaded to 'Google's immense army of servers', who consented to that @hscic?"[4] This concern is unsurprising given Google's record on privacy; in recent years, Google was found to have breached EU data protection law by the EU's Article 29 Working Party, as well as by regulators in a number of member states.

Issues

In respect of those HES records that qualify as personal health information, a range of complex legal and professional obligations restrict or prohibit the use and disclosure of such data, including the UK Data Protection Act 1998, the common-law duty of confidence, the Human

[2] See, HSCIC, What HES data are available?, available at: http://www.hscic.gov.uk/hesdata.
[3] HSCIC Statement, supra n.1.
[4] https://twitter.com/drwollastonmp/status/440275592655949824.

Complaint to ICO regarding use of NHS data

Rights Act 1998, the NHS Confidentiality Code of Practice, and the Information Security NHS Code of Practice.[5]

Although PA's press statement claims that the shared data set does not contain any information that could be linked to a specific individual,[6] it is quite unclear how that statement could be correct. Even if the HES data set stored in Google's cloud services does not contain a patient's name or NHS number, the data there may be easy to link to a specific individual and hence will often constitute sensitive personal data. A record of a catheter ablation procedure at Hammersmith Hospital on October 19th 2003 can be linked with high probability to Tony Blair on the basis of press reports of his treatment for atrial fibrillation, and if the data set permits episodes relating to him to be linked, then sensitive personal information relating to his other treatment episodes may be very easy to find. A large research literature going back to the late 1970s explores the substantial risk that individuals may be re-identified from pseudonymised data sets.[7] The data sent to the Google Cloud must therefore be treated as personal data, and indeed as sensitive personal data, for the purposes of European and UK data protection law even if postcodes and dates of birth were in fact removed. We note that neither HSCIC nor PA has so far claimed that postcodes were removed.

We request that you conduct an investigation to determine whether the personal health information of NHS patients, including the signatories to this letter, was uploaded to Google systems.

If so, storing and processing such data would probably breach numerous rules and regulations. In particular:

- Personal health information should not be disclosed to third parties except in very limited circumstances. The data-sharing agreement between NHSIC and PA restricts the number of individuals who can have access to the HES data; PA has made a specific commitment to NHSIC not to allow Google staff to access the data. Yet it is unclear that they got adequate assurances from Google.

[5] The UK Department of Health has developed an online Information Governance Toolkit (IGT) that consolidates all applicable legal rules and central DoH guidance as a set of information governance (IG) requirements. The IGT enables NHS organisations and third parties providing services to NHS organisations to assess their compliance with current legislation, government policy and national guidance.
[6] PA Consulting Group statement: use of HSCIC data, 3 March 2014, available at: http://www.paconsulting.com/introducing_pas_media_site/releases/pa_consulting_group_statement_3_march_2014/.
[7] It has been clearly established (and has long since been known amongst academics, researchers and practitioners) that such minimal "de-identification" does not prevent data from large databases from being re-identifiable.

- The purposes for which personal information of NHS patients can be used are restricted. As a general rule, unless there is a legal basis for the use of data for other purposes (e.g., the patient's express consent), personal information of patients may only be used to provide care services and for related purposes (e.g., to improve the quality of healthcare management or service delivery). In particular, the use of patient health information for commercial purposes, including the provision of advertising, is prohibited. But Google's cloud-service agreements allow Google to process customers' data for open-ended and vague purposes, which leaves open the possibility that Google may be processing personal health information for its commercial benefit and in particular to optimise the provision of advertising.

- Detailed security standards apply to the processing and storage of health information. Among other obligations, the UK Department of Health (DoH) has published detailed guidance on suitable encryption algorithms for NHS patient data.[8] It is unclear that the security measures Google applies to its cloud services are compliant. We refer you in particular to recent disclosures by Edward Snowden to the effect that foreign intelligence agencies were routinely harvesting personal information of Google customers on the unencrypted backbone links between its data centres, and that GCHQ did not insist on minimisation of personal information of UK citizens within 5 Eyes (unlike the CSE, which insisted on such minimisation for Canadian citizens).

- The transfer of NHS patients' personal information outside the UK is heavily restricted. In particular, the DoH guidance makes clear that such information must not be transferred outside the UK unless an appropriate assessment of risk has been undertaken and appropriate controls implemented; the transfer is notified to your office; the decision to transfer the data has been taken by a senior manager with the required authority; an assurance statement is obtained from third parties that process the data overseas; and, in most cases, the patients to whom the data relate have been notified about the transfer. As Google has no data centres in the UK, and takes the position that its customers' data may be stored in any of its data centres,[9] managers contemplating the use of Google services for personal health information should have properly followed the procedure for sending such information overseas.

[8] See, NHS Information Governance, Guidelines on Use of Encryption to Protect Person Identifiable and Sensitive Information, 2008, available at: http://systems.hscic.gov.uk/infogov/security/encryptionguide.pdf
[9] See, IT News, Google: Who cares where your data is?, 9 June 2011, quoting Chief Security Officer for Google Apps, Eran Feigenbaum, available at: http://www.itnews.com.au/News/260041,google_who_cares_where_your_data_is.aspx.

- Personal health information must be deleted when it is no longer required for a specific purpose. This commitment has apparently been repeated in the data sharing agreement between NHSIC and PA, so that PA is supposed to delete the HES data once the agreement terminates. But it is unclear that Google is subject to similar restrictions. Indeed, in the past Google has failed to provide strong commitments to its cloud customers to delete data during provision and after termination of the service.

The storage of large amounts of sensitive personal health information in a US cloud service is particularly concerning because of the precedent it may set. Google may advertise a motto of "don't be evil" and some of us individually may be prepared to accept assurances from them (one of us, Anderson, is a former Google employee). However, not all UK data subjects will be prepared to accept such assurances; not everyone uses Gmail. Furthermore, there are many other service providers with a range of corporate cultures. Some overseas service providers are very much less trustworthy, and fall completely outside your regulatory scope as they have no UK presence; we are concerned that our personal health information will end up there next. Yet this need not happen; there are many UK and EU service providers who fall completely within the scope of the Data Protection Directive, and we note that even Microsoft will now store personal data in the EU if customers demand it.

Questions

We request that you investigate the potential breaches of UK laws and regulations resulting from the uploading of patient data to Google's cloud services. This relates not just to the Data Protection Act 1998 directly, but to the relevant NHS regulations and the relevant human-rights law (including I v Finland), as these all set the reasonable expectations that patients had when they supplied their information to the NHS, and thus are fundamental for fair processing.

Among the questions that must be asked:

- Precisely which patient data were stored outside the UK? Did they relate to single episodes or linked records? Did they contain postcode, date of birth, NHS number, or a pseudonym such as an encrypted NHS number? The statements from PA and HSCIC deny that a name or full address was included, and PA denied there was a full date of birth. Neither has denied postcode, or year of birth, or the use of a pseudonym that would enable episode records to be linked. HSCIC mentions "pseudonymised" data, which suggests a pseudonym. We as patients and data subjects (as well as advocates) would like to know the details.

- What kind of privacy risk assessment was carried out by PA and NHSIC prior to deciding to store, or to consent to the storage of, the data in Google's cloud services?

- If data were transferred under Safe Harbor (as one might expect), the Controller still needs an Art. 17 contract governing security of processing. Does this contract exist, and if so, have its adequacy and lawfulness been verified? Can we see it?

- How are HES data protected against access by unauthorised parties, including Google engineers? Were any encryption methods used to protect the data (other than the TLS encryption used to protect the link from the client to the Google front end), and who has access to the encryption keys?

- What assurances were obtained that the HES data could only be used for healthcare purposes? In particular, has Google made any commitments not to use the data for its own commercial purposes, such as targeting adverts or analytics?

- As the data were transferred to servers outside the UK, have the requirements under the Data Protection Act 1998 and the DoH guidance been complied with?

- What measures have the parties taken to ensure that the HES data cannot be accessed by foreign government agencies using their local powers, rather than having to go through UK lawful-access procedures?

- Were adequate arrangements made to ensure that Google's data processing activities can be audited?

- Has the specific commitment to erase the HES data once the data sharing agreement terminates been extended to Google?

We ask you to investigate these issues as a matter of urgency.

Yours sincerely,

Ross Anderson
Chair, Foundation for Information Policy Research
Ross.Anderson@cl.cam.ac.uk

Phil Booth
Coordinator, medConfidential
phil@medconfidential.org

Nick Pickles
Director, Big Brother Watch
Nick.Pickles@bigbrotherwatch.org.uk
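The letter's re-identification argument rests on two technical points: postcode and date of birth act as quasi-identifiers that single out most patients, and a stable pseudonym lets one publicly reported episode (the catheter ablation example) unlock a patient's entire treatment history, which is why the question about a "pseudonym that would enable episode records to be linked" matters. The following Python is an added example that makes both points concrete; it is not part of the letter and not code from PA, HSCIC or Google. The patient records, episodes, HMAC key, and the provider and procedure codes are all constructed for illustration, and the keyed-hash pseudonym is an assumption about how such an extract might be produced.

```python
"""Added example: why a "pseudonymised" HES-style extract is still personal data.

All records, the pseudonymisation key and the provider/procedure codes below are
constructed for illustration; nothing here is real HES data or code from
PA Consulting, HSCIC or Google.
"""
import hashlib
import hmac
from collections import Counter, defaultdict

# Assumption: the extract replaces the NHS number with a keyed hash, so every
# episode of the same patient carries the same token (the key is hypothetical).
PSEUDONYM_KEY = b"hypothetical-pseudonymisation-key"


def pseudonymise(nhs_number: str) -> str:
    """Deterministic pseudonym: truncated HMAC-SHA256 of the NHS number."""
    mac = hmac.new(PSEUDONYM_KEY, nhs_number.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


# Constructed identifiable source data: NHS number -> (postcode, date of birth, sex)
PATIENTS = {
    "4010232137": ("SW1A 2AA", "1953-05-06", "M"),
    "9434765919": ("SW1A 2AA", "1953-08-14", "F"),
    "4505577104": ("W6 8RF", "1953-05-06", "M"),
    "6120051205": ("W6 8RF", "1953-05-06", "M"),
    "7328910492": ("CB2 1TN", "1985-01-30", "F"),
}

# Constructed episodes: (NHS number, provider code, episode date, procedure code)
EPISODES = [
    ("4010232137", "RYJ", "2003-10-19", "K57"),
    ("4010232137", "RYJ", "2004-03-02", "K60"),
    ("4010232137", "RT3", "2006-07-11", "J18"),
    ("9434765919", "RYJ", "2003-10-19", "K57"),
    ("4505577104", "RT3", "2005-02-14", "K60"),
    ("6120051205", "RYJ", "2007-09-30", "C71"),
    ("7328910492", "RGT", "2010-12-01", "J18"),
]


def build_extract():
    """The extract as the letter describes it: no name or NHS number, but a
    stable pseudonym plus postcode, date of birth, sex and episode details."""
    rows = []
    for nhs, provider, date, procedure in EPISODES:
        postcode, dob, sex = PATIENTS[nhs]
        rows.append({"pseudonym": pseudonymise(nhs), "postcode": postcode,
                     "dob": dob, "sex": sex, "provider": provider,
                     "date": date, "procedure": procedure})
    return rows


def unique_fraction(rows, fields):
    """Share of patients whose combination of `fields` is unique in the extract,
    i.e. the share that a matching public record (electoral roll, press report)
    would single out."""
    per_patient = {r["pseudonym"]: tuple(r[f] for f in fields) for r in rows}
    counts = Counter(per_patient.values())
    singled_out = sum(1 for qi in per_patient.values() if counts[qi] == 1)
    return singled_out / len(per_patient)


def generalise(rows):
    """Coarsen the quasi-identifiers to outward postcode and year of birth."""
    out = []
    for r in rows:
        g = dict(r)
        g["postcode"] = r["postcode"].split()[0]
        g["dob"] = r["dob"][:4]
        out.append(g)
    return out


def link_by_episode(rows, provider, date, procedure, known=None):
    """Linkage attack. One publicly reported episode selects candidate
    pseudonyms; any other public fact about the person (sex, year of birth)
    narrows them; the stable pseudonym then yields every other episode of each
    remaining candidate, whatever has been done to the quasi-identifiers."""
    known = known or {}
    candidates = set()
    for r in rows:
        if (r["provider"], r["date"], r["procedure"]) != (provider, date, procedure):
            continue
        if all(r.get(k) == v for k, v in known.items()):
            candidates.add(r["pseudonym"])
    by_pseudonym = defaultdict(list)
    for r in rows:
        by_pseudonym[r["pseudonym"]].append(r)
    return {p: by_pseudonym[p] for p in candidates}


if __name__ == "__main__":
    extract = build_extract()
    print("unique on postcode+DOB:", unique_fraction(extract, ["postcode", "dob"]))
    print("unique after generalising:", unique_fraction(generalise(extract), ["postcode", "dob"]))
    # A press report of procedure K57 at provider RYJ on 2003-10-19 for a man:
    hits = link_by_episode(generalise(extract), "RYJ", "2003-10-19", "K57", known={"sex": "M"})
    for pseudonym, episodes in hits.items():
        print(pseudonym, [(e["date"], e["provider"], e["procedure"]) for e in episodes])
```

Two things to take from running it. First, coarsening postcode and date of birth does cut the share of patients who are singled out by those fields alone, which is the kind of mitigation a "pseudonymised" label implies. Second, it does nothing against the episode-level attack: the public episode still selects the pseudonym, and the pseudonym still returns the patient's other episodes, exactly as the letter argues for the Hammersmith record. A release check should therefore compute the uniqueness of the real quasi-identifier set and treat any stable pseudonym as an identifier in its own right, not as a de-identification measure.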