Thursday, March 27, 2014

[infosecurity-magazine] NHS Care.data PR Fiasco Continues as Google Pulls Out of Secret Deal

First the NHS was forced to delay its care.data project (storage of all patient GP health data in a central data warehouse) for six months; then it was learned that PA Consulting had obtained 27 DVDs of hospital event statistics (HES) and uploaded them to Google cloud (followed by a complaint being raised with the ICO); and now Google has pulled out of search discussions with the NHS because it is 'too toxic'.

Care.data is an NHS England project to store all GP patient data in a central database housed by the Health and Social Care Information Center (HSCIC). There it was to be amalgamated with the HES data already housed, and made available to researchers (and effectively anyone who would pay for it). But the project was botched from the beginning. Patients were given insufficient and confusing information, including being told they could opt out when they could not. In the end, the government decided to delay the project (data was originally due to be uploaded next month) for six months.
It was subsequently learned that the PA Consulting marketing firm had earlier obtained 27 DVDs of HES data from HSCIC, and had uploaded that data to Google cloud for analysis under Google's BigQuery. "The alternative was to upload it to the cloud using tools such as Google Storage and use BigQuery to extract data from it… Within two weeks of starting to use the Google tools we were able to produce interactive maps directly from HES queries in seconds," wrote PA Consulting at the time.
This caused further consternation, with privacy activists asking how interactive maps could be obtained from supposedly anonymized data. Two weeks ago Ross Anderson, chair at the Foundation for Information Policy Research; Phil Booth, coordinator at medConfidential; and Nick Pickles, director at Big Brother Watch, together filed a complaint with the ICO requesting that the issue now be examined in relation to the Data Protection Act.
"We request that you investigate the potential breaches of UK laws and regulations resulting from the uploading of patient data to Google's cloud services," says the complaint to the ICO. "This relates not just to the Data Protection Act 1998, but to the relevant NHS regulations and the relevant human-rights law (including I v Finland) as these all set the reasonable expectations that patients had when they supplied their information to the NHS, and thus are fundamental for fair processing."
Now the whole concept of sharing health data has suffered a further blow. The Times (paywall) yesterday reported that "Google has pulled out of a groundbreaking deal to include NHS data within its search results, blaming a 'toxic' backlash against controversial plans to link GP patient records." Google had been in secret talks with the NHS over plans to display hospital statistics against hospital searches, but abandoned the idea last month during the media storm over care.data, "which sources said made 'the atmosphere too toxic to proceed.'"
A Google spokesperson told The Times, "We think the secure use of data could provide real benefits for the NHS and for patients. It could help answer patients' queries about the best hospitals to treat their symptoms, with the shortest waiting times and so on. But this is an important matter that needs to be debated between the NHS, the Government and the public."
