Policy on public sector use of US cloud under review as uncertainty grows over post-Brexit data transfers

Written by Sam Trendall on 21 September 2020 in News

GDS and NHS Digital asked to review policies after collapse of Privacy Shield agreement and ongoing lack of data adequacy status with EU

The Government Digital Service is reviewing Whitehall’s strategies on the use of cloud and on transferring data across borders.

These examinations come in light of the European Court of Justice verdict in the so-called ‘Schrems II’ case, in which the court invalidated the Privacy Shield agreement that has, since 2016, ensured the lawfulness of transfer of personal data between the EU and the US. 

Under Privacy Shield, US data processors – including the major social networks and public-cloud providers – can self-certify their compliance with the relevant European data-protection laws. The agreement also commits tech firms to certain obligations, including increased oversight and remedial measures. 

On top of the removal of the protections of Privacy Shield, the UK has also yet to be granted so-called data-adequacy status by the EU. This is needed to ensure that, after Brexit, data can continue to be lawfully transferred between the UK and the remaining 27 member states. 

In light of this uncertain future, GDS is reviewing government strategy on the use of overseas-based cloud hosting firms, and on the transfer of data across borders. 

Lord Agnew, the minister responsible for overseeing the work of the digital agency, said: “GDS is currently reviewing cross government cloud policy and guidance, including the Cloud First policy. This includes reviewing the cloud hosting market and associated regulatory environment.”

He added: “GDS is currently undertaking a risk assessment of all of its services and products – including GOV.UK – in relation to cross-border data flows. The new ECJ judgment [on Privacy Shield] will be considered as part of this assessment. 

“The assessment will identify relevant data flows and make sure appropriate mitigation is implemented if necessary, following updates and guidance from the Information Commissioner's Office and the European Data Protection Board. GDS has engaged with other government departments via data advisory groups and data protection networks to ensure consistent mitigation.

“Ultimately, however, it is a decision for individual government organisations where and how to store their data, provided it is done in a secure way and offers good value for money.”

The government has previously indicated that, following the invalidation of Privacy Shield, it is working with the ICO to provide updated guidance for businesses and public sector bodies as soon as possible.

In 2018, the DHSC and all national NHS bodies jointly announced that, following the implementation of Privacy Shield, public sector bodies should feel free to host health and social care data in the US.

Lord Bethell, minister for innovation in the Department of Health and Social Care, said that NHS Digital is now also reviewing its guidance for the use of cloud services by health-service organisations. 

“The cloud security suite of documents is currently being reviewed as part of NHS Digital’s regular management cycle and is due for re-issue before the end of the year,” Bethell said. “NHS Digital is currently awaiting updated guidance following the judgement by the European Court of Justice from the Information Commissioner's Office. Once received it will be incorporated into its guidance for the health and social care sector.”

Both Agnew and Bethell were answering written parliamentary questions from Liberal Democrat peer Lord Clement-Jones.

The ‘Schrems II’ case, as it is commonly referred to, is named after Austrian privacy activist Max Schrems, whose legal challenge led to the invalidation by the ECJ of Privacy Shield’s predecessor, the Safe Harbor arrangement.


About the author

Sam Trendall is editor of PublicTechnology
