Using Googles cloud services to process health care records is a serious violation of the U.K.s data protection act, privacy groups said in a complaint filed with the countrys data protection authority.

U.K. privacy groups medConfidential, Big Brother Watch and the Foundation for Information Policy Research filed the complaint with the Information Commissioners Office (ICO) on Thursday, following recent disclosures that the firm PA Consulting had obtained medical data and uploaded it to Googles cloud for analysis.

In 2011, the predecessor to the U.Ks Health & Social Care Information Centre (HSCIC) entered into an agreement to share the Hospital Episodes Statistics (HES) patient database with PA Consulting, according to the information center.

Hospital Episode Statistics processes over 125 million admitted patient, outpatient and accident and emergency records each year, according to the information center.

Each HES record generally contains a broad range of information about individual patients, such as age group, gender and ethnicity, diagnostic and treatment codes, and information about where the patient was treated and lives. By default HES data also contain the patients postcode and date of birth, which in combination are enough to personally identify about 98 percent of patients, the groups said in the complaint.

The data was pseudonymized and used in an analytics project, PA Consulting said in a news release.

However, to analyze the vast trove of patient data, PA Consulting uploaded the data to Google and processed it via Googles analytics service BigQuery, a cloud service that allows interactive analysis of large data sets. That never should have happened, the groups said in their complaint.

We do not believe that population-scale data sets of patient data should be uploaded to any cloud provider unless certain rigorous conditions have been met, said Phil Booth, coordinator of medConfidential, via email Friday.

Such sensitive data should never be uploaded to a provider outside the jurisdiction of the U.K. and EU Data Protection authorities and EU human rights framework. If such an action isnt unlawful, it should be, he added.

According to PA Consulting, the dataset does not contain information that can be linked to specific individuals and is held securely in the cloud in accordance with conditions specified and approved by HSCIC. Access to the dataset is also tightly controlled and restricted to a project team of up to 12 people, they said.

More here:

Don't upload health care data to Google cloud, UK groups say