Here in the UK, we are a signatory to the European Convention of Human Rights, which among other things includes an explicit right to privacy (considerably stronger than the implicit privacy rights acknowledged in the US, which are not enumerated directly by the US constitution).
Anyone running a database with personal information in it is supposed to register with the Information Commissioner's Office and follow best practice guidelines for ensuring confidentiality.
So, Google, am I pregnant?
I'm asking because it now appears that management consultants PA Consulting acquired the hospital admission and treatment records of every NHS patient in England and Wales (all 47 million of them). This is almost certainly inappropriate, and comes at a point when the roll-out of the care.data national health statistics database is on hold for six months over concerns about who would be able to access it and whether the records could be de-anonymized. Now it appears that PA Consulting staff uploaded the entire hoard to Google servers based outside the UK—a process that took weeks, as the data came to them archived on 27 DVDs (making it on the order of 125Gb, after compression).
The system PA uploaded your personal hospital records to is said to be Google BigQuery. It supports one-click database sharing with any other Google account, and is hosted on servers outside the UK (and possibly outside the EU, in breach of the EU Data Protection Directive). And what they uploaded was the entire shooting match—full personal medical records indexed by NHS patient number—with enough additional data (post code, address, date of birth, gender) to make de-anonymizing the records trivial.
(Side note: In the USA, doing this would be a federal offence under Title II of HIPAA. In the UK, it would appear to be governed by the Data Protection Act (1998) and other healthcare-related acts, as applicable.)
Ben Goldacre has been on top of the NHS care.data fiasco from the start; to my eyes it looks like an inevitable balls-up, collateral damage arising from the Conservative/LibDem push to privatize the NHS piecemeal. The goals of care.data are laudable: epidemiology and hospital care quality can really benefit from the statistics it was intended to provide. However, implementing it by throwing everyone's medical records onto Google is probably not the way forward. Especially given the potential for abuse.
Random scenario: a burglary gang gains access to the database and can thereby identify patients aged over 80 living alone in up-market neighbourhoods who have recently been admitted to hospital with conditions suggesting that they will be vulnerable but not supported by full-time carers. A religious organization targets men of a certain age who are HIV positive. Or women below a certain age who are single and pregnant. Or an insurance company notes that a patient made a mistake in their declaration of a pre-existing condition, and thereby invalidates their claim. An identity thief uses the postcode and date of birth, in conjunction with a copy of the public electoral register, to pick victims. The possibilities are endless.
And the sting in the tail?
Per Twitter, Dr Goldacre just announced that hospital records data on individuals released by the Health and Social Care Information Centre in September 2013 was publicly available online. (The web site in question has now been taken down.) He's describing the breach as "catastrophic", and it's quite likely that this is an accurate description.
Folks, this is probably the biggest personal data breach in British history. In terms of its intrusiveness and depth, it may be the biggest ever. We are told that worse is to come. Watch this space for updates.
PS: Yr hmbl crspndnt has seldom felt so happy about living in Scotland. Hint: the NHS is a devolved issue.
UPDATE: It turns out that the catastrophic follow-through wasn't. (For a while, it looked like a company called Earthware was demo'ing a visualization tool for NHS patient info from HSCIC on the public internet: HSCIC have now clarified that this was using dummy data. Website got taken down in the general panic before it became clear that it was a mock up rather than an even worse breach of confidentiality. At least someone's behaving responsibly.)