Clearly, when data is held by a third party, a different set of risks exists – from concerns about foreign government access to the use of the data by the third party for other purposes. Patients appreciate that their information will be held by the NHS, but do they think it will end up on a server in California run by companies who base their business model on knowing more about people? That is perhaps what is most troubling about the revelation that PA Consulting uploaded the entire NHS England hospital patient database to Google.
The point was highlighted by Sarah Wollaston MP, a member of the Health Select Committee, who tweeted: “So HES [hospital episode statistics] data uploaded to ‘google’s immense army of servers’, who consented to that?”
The Norwegian government previously decided that no public information would be uploaded to cloud services because of privacy concerns. Jørgen Skorstad, a senior legal advisor to the Norwegian data protection authority, said: “The municipality will not be using Google Apps when handling cases vis-à-vis the citizens of the municipality. Personal information normally included in these cases could be information related to taxation issues, public school, and other public services such as health care. These will not be processed with Apps.”
This highlights the importance of strong procurement rules, so that where sensitive information is being uploaded, it is only used for the purpose patients consented to. That concern goes to the heart of recent controversies about care.data. Where cloud storage is used, strict and clear contracts must be in place to protect patient privacy. We need full transparency about what data has been stored where and what protections were in place, both in the past and going forward. The public should be clear about the rules that apply when data leaves the NHS and about the obligations on third parties in how they handle that data.
Medical data is our most sensitive personal information and people are rightly concerned about what happens to it. The NHS should make absolutely clear that no patient data will be uploaded to a cloud storage system that in any way monitors or analyses the contents of the data for commercial purposes, even if the end result is not commercial in nature.