
I don't understand why the data being on "Google servers" is generating such outrage.

Because Google's systems demonstrably aren't secure (see numerous recent discussions about NSA etc.) and therefore aren't an appropriate choice to transmit or store sensitive personal data under UK data protection rules.




Is your concern that the NSA itself is targeting British health records? If so, what makes you think anyone else is better prepared for this adversary?

Or, if you're talking about someone other than the NSA (which you allude to with your use of "etc"), then who is it? What are they going to do, and why do you feel it's demonstrably more likely to happen with the data on Google's servers? Where would you put the data instead, and how would this help reduce the likelihood of the scenario?

"On a powered-down hard drive in a vault" doesn't count; presumably, PA was given the contract because the potential benefits of the research were believed to outweigh the privacy risks.


The NSA specifically isn't the point, though I do believe their blanket surveillance of the Internet (and the similar surveillance by other government spy agencies such as our own GCHQ) should be considered a hostile act and incur a proportionate response. I simply don't accept that there is any ethical legitimacy to such dragnet programmes or that they bring more benefit than the risk they obviously pose to free, peaceful, democratically governed civilisation.

In any case, Google aren't a part of any government. They are a private, profit-making corporation, and they are in the business of collecting as much data on people as possible for their own benefit, and they evidently cannot comply with the restrictions on handing personal data required by UK law even if they want to. Providing this kind of treasure trove to them should be unthinkable.


You didn't answer any of my questions.


I would leave the data in the hands of medical professionals who are subject to medical ethics and confidentiality, kept away from anyone who might have any other ambitions for it. And I would keep it within the range of European data protection law, which is in general considerably stronger (rightly so, IMHO) than the rules in places like the US, though in this particular case if HIPAA is relevant that may not actually be the case.

Edit: Incidentally:

> presumably, PA was given the contract because the potential benefits of the research were believed to outweigh the privacy risks.

That "belief" would be a huge assumption, for which I see little evidence in this specific case, nor any historical pattern to suggest it is reasonable. In any case, it was clearly a bad assumption with hindsight, because the privacy risks are evidently not merely risks at this point.


> I would leave the data in the hands of medical professionals

Presumably, the medical professionals aren't also IT professionals. If they want their data to be on a hard drive, and accessible via a network, using some apps, then some group of non-medical professionals is going to need to maintain those services.

Who do you think that should be, and why do you think their systems would be more secure than Google's?

> kept away from anyone who might have any other ambitions for it

What ambitions are you implicitly accusing Google of having? Do you think Google's going to tap into their customers' private files and sell them to a third party?

If not, then what's the actual, non-vague scenario you're worried about?


> Who do you think that should be, and why do you think their systems would be more secure than Google's?

The security isn't the only point here. They transferred the data outside of the jurisdiction where our laws apply, and they're not allowed to do that without fulfilling conditions that they appear not to have satisfied.

Note that it is not within the power of PA Consulting to vary these conditions, whatever any contract says, nor are HSCIC above the law in this respect (though some of the relatively recent and dubiously worded get-out-of-jail-free cards like s251 might protect them to some extent).

> What ambitions are you implicitly accusing Google of having? Do you think Google's going to tap into their customers' private files and sell them to a third party?

I'm not implicitly accusing them, I'm openly stating that I think they would tap those files in a heartbeat if (a) it would help them to earn more from their advertising or other profit-generating activities, and (b) they thought they could get away with it.

I regard organisations like Google (and other big data miners like Facebook) as some of the most dangerous entities on the planet today. They respect little other than money, and they have consistently not just pushed the boundaries of what is acceptable behaviour but IMHO (and apparently in numerous other people's opinion and indeed in the law's opinion in many places and on many occasions) stepped far over the line. They can continue to do this because the regulators who should be reining them in are toothless and because they have an army of lawyers and lobbyists who exemplify just about everything that makes those professions unpopular.

I do very little with Google services myself, by deliberate choice, and I sure as hell do not consent to anyone breaching their duty of confidentiality regarding my medical records and giving them to Google either.


> I'm openly stating that I think they would tap those files in a heartbeat if (a) it would help them to earn more from their advertising or other profit-generating activities, and (b) they thought they could get away with it.

Wow. Do you feel that Google has ever done anything so flagrantly over the line before? If so, when?


> Do you feel that Google has ever done anything so flagrantly over the line before? If so, when?

I'm not sure they've had the chance to do anything this flagrantly over the line, because I'm not aware that they've ever had access to this kind of data before. To be clear, if they didn't know they had this data, I don't think it's fair to blame them for anything anyway. That would clearly be unreasonable. But I think once notified they should be required to delete the data immediately, and I don't trust them as far as I can throw them not to abuse any access they do have if they can come up with enough legal sophistry to convince themselves it's somehow justified.

To answer your original question, for other over-the-line cases relating to privacy specifically, I consider some of the Google Street View practices seriously shady, for example. Not to mention some of the creepy things they have been known to do on just the normal Google web sites, where most people probably assume what they're typing doesn't get sent to Google until they hit search/send/whatever. And of course the whole attempt to unify everything under the banner of Google+ and real names is pretty much second only to Facebook in terms of turning everyone into a database record. Then there's Google Glass.

I'm firmly of the view that technology is neutral, and not inherently good or evil. It is how the technology is used that counts. And in that respect, I think Google have now proven to have evil tendencies many, many times.



If a malicious incident like the below happened then Google wouldn't even be liable, unlike data that is kept under UK control.

From http://gawker.com/5637234/gcreep-google-engineer-stalked-tee...

In at least four cases, Barksdale spied on minors' Google accounts without their consent, according to a source close to the incidents. In an incident this spring involving a 15-year-old boy who he'd befriended, Barksdale tapped into call logs from Google Voice, Google's Internet phone service, after the boy refused to tell him the name of his new girlfriend, according to our source. After accessing the kid's account to retrieve her name and phone number, Barksdale then taunted the boy and threatened to call her.

In other cases involving teens of both sexes, Barksdale exhibited a similar pattern of aggressively violating others' privacy, according to our source. He accessed contact lists and chat transcripts, and in one case quoted from an IM that he'd looked up behind the person's back. (He later apologized to one for retrieving the information without her knowledge.) In another incident, Barksdale unblocked himself from a Gtalk buddy list even though the teen in question had taken steps to cut communications with the Google engineer.



