Policy on public sector use of US cloud under review as uncertainty grows over post-Brexit data transfers

Written by Sam Trendall on 21 September 2020 in News

GDS and NHS Digital asked to review policies after collapse of Privacy Shield agreement and ongoing lack of data adequacy status with EU


The Government Digital Service is reviewing Whitehall’s strategies on the use of cloud and on transferring data across borders.

These examinations come in light of the European Court of Justice verdict in the so-called ‘Schrems II’ case, in which the court invalidated the Privacy Shield agreement that has, since 2016, ensured the lawfulness of transfer of personal data between the EU and the US. 

Under Privacy Shield, US data processors – including the major social networks and public-cloud providers – can self-certify their compliance with the relevant European data-protection laws. The agreement also commits tech firms to certain obligations, including increased oversight and remedial measures. 

On top of the removal of the protections of Privacy Shield, the UK has also yet to be granted so-called data-adequacy status by the EU. This is needed to ensure that, after Brexit, data can continue to be lawfully transferred between the UK and the remaining 27 member states. 

In light of this uncertain future, GDS is reviewing government strategy on the use of overseas-based cloud hosting firms, and on the transfer of data across borders. 

Lord Agnew, the minister responsible for overseeing the work of the digital agency, said: “GDS is currently reviewing cross government cloud policy and guidance, including the Cloud First policy. This includes reviewing the cloud hosting market and associated regulatory environment.”

He added: “GDS is currently undertaking a risk assessment of all of its services and products – including GOV.UK – in relation to cross-border data flows. The new ECJ judgment [on Privacy Shield] will be considered as part of this assessment. 

“The assessment will identify relevant data flows and make sure appropriate mitigation is implemented if necessary, following updates and guidance from the Information Commissioner's Office and the European Data Protection Board. GDS has engaged with other government departments via data advisory groups and data protection networks to ensure consistent mitigation.

“Ultimately, however, it is a decision for individual government organisations where and how to store their data, provided it is done in a secure way and offers good value for money.”

The government has previously indicated that, following the invalidation of Privacy Shield, it is working with the ICO to provide updated guidance for businesses and public sector bodies as soon as possible.

In 2018, the DHSC and all national NHS bodies jointly announced that, following the implementation of Privacy Shield, public sector bodies should feel free to host health and social care data in the US.

Lord Bethell, minister for innovation in the Department of Health and Social Care, said that NHS Digital is now also reviewing its guidance for the use of cloud services by health-service organisations. 

“The cloud security suite of documents is currently being reviewed as part of NHS Digital’s regular management cycle and is due for re-issue before the end of the year,” Bethell said. “NHS Digital is currently awaiting updated guidance following the judgement by the European Court of Justice from the Information Commissioner's Office. Once received it will be incorporated into its guidance for the health and social care sector.”

Both Agnew and Bethell were answering written parliamentary questions from Liberal Democrat peer Lord Clement-Jones.

The ‘Schrems II’ case, as it is commonly referred to, is named after Austrian privacy activist Max Schrems, whose legal challenge led to the invalidation by the ECJ of Privacy Shield’s predecessor, the Safe Harbor arrangement.


About the author

Sam Trendall is editor of PublicTechnology
