NHS bodies and Department of Health and Social Care issue guidance clarifying that numerous offshore locations are considered a safe home for health and social services data
The government has stated that NHS and social services data “can be safely hosted” in the US and a number of other locations across Europe and beyond.
The Department of Health and Social Care, alongside NHS England, NHS Improvement, and NHS Digital, has issued a document laying out the government’s position on offshore hosting and the use of public cloud for NHS and social-care bodies.
“The NHS and social-care providers may use cloud computing services for NHS data,” says the document. “Data must only be hosted within the European Economic Area (EEA), a country deemed adequate by the European Commission, or in the US, where covered by Privacy Shield.”
The Privacy Shield arrangement, agreed between the US and EU in 2016, is a scheme under which US data processors can self-certify that they will abide by EU and local data-protection legislation when handling the data of EU citizens. Those that fail to do so are liable to face investigative and potentially punitive measures. A total of 2,644 firms are currently certified to process either HR or non-HR data – or both.
If any NHS or social care institutions wish to use US data-hosting facilities not covered by Privacy Shield, they are advised to consult an expert before doing so.
“If the organisation you plan to host data with is not part of the Privacy Shield scheme, you will not be protected by the agreement,” the government said. “You should seek legal advice if you plan to host personal confidential data with a US provider that is not part of the Privacy Shield.”
The introduction of Privacy Shield came following the demise of the preceding Safe Harbour arrangement, which was invalidated by the European Court of Justice in October 2015. This decision followed a two-year legal battle led by Austrian student Max Schrems, whose campaign came in light of Edward Snowden’s revelations of surveillance conducted by US intelligence agencies.
In addition to the US, NHS bodies can also host data in all the countries that form the EEA, which includes Iceland, Liechtenstein, and Norway, plus 27 of the 28 EU member states, with Croatia – the most recent addition to the European Union, having joined in 2013 – currently having a provisional EEA membership, which is subject to ratification by the other member countries.
According to the newly published government guidance, NHS and social care data can also be stored in various non-EEA countries and locations that the European Commission has ruled have “adequate” measures for protecting European personal data. This includes Andorra, Switzerland, the Faroe Islands, Guernsey, Jersey, the Isle of Man, Israel, Argentina, Uruguay, and New Zealand.
US data-hosting firms covered by Privacy Shield are also regarded as adequate, as are Canadian facilities – but only for hosting data for the private sector, and not for government or other public-sector entities across Europe.
Japan and South Korea are both currently in talks with the EC about obtaining adequacy status.
Benefits of cloud
Elsewhere in the guidance paper, the government sets out a range of benefits it believes embracing cloud services could have for NHS bodies.
“Cloud providers have a significant budget to pay for updating, maintaining, patching and securing their infrastructure,” it said. “This means cloud services can mitigate many common risks NHS and social-care organisations often face. Cloud services may provide other advantages for NHS and social care organisations, including lower IT costs, and the ability to develop, test and deploy services quickly, without large capital expense.”
The government added: “As more services for patients and staff move to the internet, and the need for better data interoperability increases, it is likely that use of cloud services will become more prevalent in NHS and social-care organisations.”
NHS and social-care bodies are advised to follow a process involving four key steps to make sure they “select and implement a solution that is appropriate for the risk level of the specific data set or system your organisation has decided to move to the cloud”.
The first of these is to “understand the data” they are moving, and the second is to “assess the risks” involved in the process. The third step NHS organisations should take is to “implement controls” regarding data-protection regulation as it pertains to the geographic location of the data-processor’s hosting facilities and head office. The final step advised by the government is to carefully “monitor the implementation” of the move to, and deployment of, cloud services.
Suzy Foster, director of health and life science for Microsoft UK, welcomed the government’s new stance on offshore data.
“[This] guidance is an important milestone for the NHS,” she said. “By moving to the cloud, the NHS can begin to innovate and modernize health services in England to truly meet the needs of patients in a sustainable and cost-effective way.”