Digital Health Legal
Back to Contents

Volume: 5 Issue: 2
(February 2018)

nhs digital publishes guidance storing data cloud nhs digital published guidance document entitled ‘nhs social care data off-shoring use public

Europe US UK

Share This Page

NHS Digital publishes guidance on storing data in the cloud

NHS digital published a guidance document entitled ‘NHS and social care data: off-shoring and the use of public cloud services’ (‘Guidance’) on 19 January 2018, which seeks to assure NHS and social care organisations that they can store health and care data, including confidential patient information, in the public cloud including services that make use of data offshoring, and explains the safeguards that must be in place in order to use such services. NHS Digital’s press release on the matter, states that the Guidance will ensure that organisations know how to use cloud solutions safely and securely, especially in the light of the tighter restrictions on the processing and transfer of personal data being brought in by the General Data Protection Regulation (‘GDPR’) in May.

The Guidance states that the responsibility for the security of data lies with local data controllers in healthcare organisations, and that in line with recommendations made by the National Data Guardian, Senior Information Risk Owners (‘SIROs’) at each organisation should carry out risk assessments of potential cloud service providers to ensure that they have the appropriate security arrangements in place using the National Cyber Security Centre’s (‘NCSC’) Cyber Essentials as a guide. The Guidance lists four steps for health organisations to take to inform their risk-based decision about whether to host data on a cloud service: (1) understand the data, (2) assess the risks, (3) implement controls, and (4) monitor the implementation. The Guidance additionally provides further detail on acceptable locations for data offshoring and recommends using the help and advice published by the Information Commissioner’s Office (‘ICO’).

“The NHS has put out a range of guidance on cloud usage, as have the ICO and the NCSC,” said Philippe Bradley-Schmieg, Associate at Covington & Burling. “Just a few months ago, the NCSC told the IGA Conference that the cloud can often be more secure than on-premises data storage. As for new laws like the GDPR, they’re agnostic - an NHS organisation is going to face similar compliance requirements whether it uses the cloud or not. The big question is whether it will be prepared to go it alone in terms of securing its data on-premises, or if it would prefer to use cloud service providers that have made security and GDPR compliance their priority.”

The Guidance states that benefits to using cloud services include that cloud providers have a significant budget to pay for updating, maintaining, patching and securing their infrastructure, which means that they can mitigate many of the common risks NHS and social care organisations face; cloud services may provide other advantages such as lowering IT costs and the ability to develop, test and deploy services quickly without large expense; and as more services for patients and staff move online and the need for better data interoperability increases, it is likely that the use of cloud services will become more prevalent in NHS and social care organisations.

“The Guidance is useful in providing reassurance but stops short of providing truly practical advice that could be used to judge whether a proposed cloud arrangement will be compliant,” comments Matthew Godfrey-Faussett, Partner at Pinsent Masons. “The Guidance would benefit from the addition of case studies designed to help the reader see how relevant policies should be applied in practice. There are general statements about the need to seek specialist advice, but there is very little by way of practical guidance as to sources of advice and how input should be secured in a way that is both focussed and cost effective.”

The Guidance lists the border restrictions on health data offshoring, stating that NHS and social care providers may host NHS data using cloud services located within the European Economic Area (‘EEA’), those based in any country that possesses an adequacy status from the European Commission, or services in the US that are covered by the Privacy Shield. “I would expect data controllers to feel uncomfortable storing health data in offshore locations given the backdrop of data security concerns in the NHS in recent times,” adds Godfrey-Faussett. “Frequently that discomfort will be justified because of a lack of emphasis in the procurement process on security and compliance. The drive to use price as the primary criterion when making procurement decisions is likely to rob the NHS of its ability to access higher quality cloud solutions and as a result, many of the potential benefits of the cloud could be cancelled out by the NHS having to carry an increased level of operational and contractual risk.”

“The NHS has been hardest hit when the data was closest to home, on-premises in our hospitals,” concludes Bradley-Schmieg. “Thanks to the internet, what matters isn’t where the data is stored, but whether you use a trustworthy host. The new Guidance even ‘highly recommends’ that organisations consider storing copies of their most high-risk data both in and outside the UK, for added resilience. I think many of WannaCry’s victims might wish their data had been safely tucked away in at least one of the world’s most secure data centres - wherever that might be.”

Search Publication Archives

Our publication archives contain all of our articles.
Can’t find what you are looking for?
Try an Advanced Search

Log in to digital health legal
Subscribe to digital health legal
Register for a Free Trial to digital health legal
digital health legal Pricing

Social Media

Follow digital health legal on TwitterView digital health legal LinkedIn Profiledigital health legal RSS Feed