Using Google's cloud services to process health care records is a serious violation of the UK's data protection act, privacy groups said in a complaint filed with the country's data protection authority.

UK privacy groups medConfidential, Big Brother Watch and the Foundation for Information Policy Research filed the complaint with the Information Commissioner's Office (ICO) yesterday, following recent disclosures that the firm PA Consulting had obtained medical data and uploaded it to Google's cloud for analysis.

In 2011, the predecessor to the UK's Health & Social Care Information Centre (HSCIC) entered into an agreement to share the Hospital Episodes Statistics (HES) patient database with PA Consulting, according to the information centre.

Hospital Episode Statistics processes over 125 million admitted patient, outpatient and accident and emergency records each year, according to the information centre.

Each HES record generally contains a broad range of information about individual patients, such as age group, gender and ethnicity, diagnostic and treatment codes, and information about where the patient was treated and lives. By default HES data also contain the patient's postcode and date of birth, which in combination are enough to personally identify about 98% of patients, the groups said in the complaint.

The data was pseudonymised and used in an analytics project, PA Consulting said.

However, to analyse the vast trove of patient data, PA Consulting uploaded the data to Google and processed it via Google's analytics service BigQuery, a cloud service that allows interactive analysis of large data sets. That never should have happened, the groups said in their complaint.

"We do not believe that population-scale data sets of patient data should be uploaded to any cloud provider unless certain rigorous conditions have been met," said Phil Booth, coordinator of medConfidential.

"Such sensitive data should never be uploaded to a provider outside the jurisdiction of the U.K. and EU Data Protection authorities and EU human rights framework. If such an action isn't unlawful, it should be," he added.

According to PA Consulting, the dataset does not contain information that can be linked to specific individuals and is held securely in the cloud in accordance with conditions specified and approved by HSCIC. Access to the dataset is also tightly controlled and restricted to a project team of up to 12 people, they said.

The privacy groups, however, dispute that claim. "Even if the HES dataset stored in Google's cloud services does not contain a patient's name or NHS number, the data there may be easy to link to a specific individual and hence will often constitute sensitive personal data," they said.

The ICO should therefore investigate the potential breaches of UK laws and regulations resulting from the uploading of patient data to Google's cloud services, the groups said.

The ICO did not immediately reply to a request for comment.