Three NGOs have lodged a formal complaint with the Information Commissioner about the fact that PA Consulting uploaded over a decade of UK hospital records to a US-based cloud service. This appears to have involved serious breaches of the UK Data Protection Act 1998 and of multiple NHS regulations about the security of personal health information. This has already caused a row in Parliament, and the Department of Health seems to be trying to wriggle off the hook by pretending that the data were pseudonymised. Other EU countries have banned such uploads. Regular LBT readers will know that the Department of Health has got itself in a complete mess over medical record privacy.
It will be interesting to see if the ICO has sufficient backbone to take this on and tell the DoH it has been wrong. Any penalties will be paltry because of the powers given to the ICO, but it might make some civil servants pay attention.
Of course, in the event it is found to be wrong, the DoH will simply make an amendment to the law to allow it to do what it wants, just like the change regarding hospital closures.
Press coverage
Going mainstream as it turns out that a number of firms have bought HES data and made it widely available, contrary to law
Interesting how data gets pulled when the privacy of politicians is involved … 🙂