When patient privacy and google collide

Clearly when data is held by a third party, a dna-3different set of risks exist – from concerns about foreign Government access to the use of the data by the third party for other purposes. Patients appreciate their information will be held by the NHS but do they think it will end up on a server in California run by companies who base their business model on knowing more about people? That is perhaps what is most troubling about the revelation that PA Consulting uploaded the entire NHS England hospital patient database was uploaded it to Google.

The point was highlighted by Sarah Wollaston MP, a member of the Health Select Committee, who tweeted: “So HES [hospital episode statistics] data uploaded to ‘google’s immense army of servers’, who consented to that?”

The Norweigan government previously decided that no public information would be uploaded to cloud services because of privacy concerns. Jørgen Skorstad, a senior legal advisor to the Norwegian data protection authority, said: “The municipality will not be using Google Apps when handling cases vis-à-vis the citizens of the municipality. Personal information normally included in these cases could be information related to taxation issues, public school, and other public services such as health care. These will not be processed with Apps.” 

Clearly Google’s business model depends on using data to target advertising. From email to docs, it is part of their one-size privacy policy that the contents of the data can be analysed and used to target advertising.

This highlights the importance of strong procurement rules, so that where sensitive information is being uploaded, it is only used for the purpose patients consented to. That concern goes to the heart of recent controversies about care.data. Where cloud storage is used, strict and clear contracts must be in place to protect patient privacy. We need full transparency of what data has been stored where and what protections were in place, both in the past and going forward. The public should be clear about the rules in place when data leaves the NHS and the obligations of how their data will be handled by third parties.

Medical data is our most sensitive personal information and people are rightly concerned about what happens to it. The NHS should make absolutely clear that no patient data will be uploaded to a cloud storage system that in any way monitors or analyses the contents of the data for commercial purposes, even if the end result is not commercial in nature.



  1. Anon
    4th March 2014

    The NHS needs to be stopped (although already too late in this case). How dare it put HES data on Google servers. According to NHS England’s website it quotes from The NHS Constitution ‘The NHS belongs to the people’. If this is the case then why are we finding out that they are giving our most personal data away and storing it in totally inappropriate places? Surely if it belongs to the people then ‘the people’ should have control?

  2. Phillip Dundston
    5th March 2014

    Here’s a hint:

    It fucking doesn’t.

    Not until we make our voices heard and take control BACK.

  3. Today’s Recommended Reads « Google Monitor | Holding Google Accountable
    6th March 2014

    […] When Patient Privacy and Google Collide […]

  4. Alan
    13th March 2014

    The article misses to point out that the data was uploaded as the consultancies hardware was too slow to extrapolate. I believe the purpose was for a presentation. The point missed is how did the consultancy firm gain unbridled access, who else has the raw data and what has it been used for to date? Until these questions have been answered I can only recommend non cooperation with any official body unless absolutely necessary.

  5. Anon
    19th March 2014

    I have recently learnt the hard way that the NHS can’t be trusted with out private data. Sensitive photos taken of my skin condition have recently been handed over to a computing company for scanning into electronic medical records without the additional security measures proposed by staff. If you are a patient at Amersham Dermatology, I would advise you to check what they have done with your personal information!

  6. cj
    21st March 2014

    NHS = database of invaluable data which is a huge temptation for unimaginable potential income for Government/Private bodies. Assurance AND reform is needed ensuring that that can NEVER be sold/used for any other purpose than to provide Healthcare.