Policy on public sector use of US cloud under review as uncertainty grows over post-Brexit data transfers
GDS and NHS Digital asked to review policies after collapse of Privacy Shield agreement and ongoing lack of data adequacy status with EU
The Government Digital Service is reviewing Whitehall’s strategies on the use of cloud and on cross-border data transfers.
These reviews come in light of the European Court of Justice verdict in the so-called ‘Schrems II’ case, in which the court invalidated the Privacy Shield agreement that has, since 2016, ensured the lawful transfer of personal data between the EU and the US.
Under Privacy Shield, US data processors – including the major social networks and public-cloud providers – can self-certify their compliance with the relevant European data-protection laws. The agreement also commits tech firms to certain obligations, including increased oversight and remedial measures.
On top of the removal of the protections of Privacy Shield, the UK has also yet to be granted so-called data-adequacy status by the EU. This is needed to ensure that, after Brexit, data can continue to be lawfully transferred between the UK and the remaining 27 member states.
In light of this uncertain future, GDS is reviewing government strategy on the use of overseas-based cloud hosting firms, and on the transfer of data across borders.
Lord Agnew, the minister responsible for overseeing the work of the digital agency, said: “GDS is currently reviewing cross government cloud policy and guidance, including the Cloud First policy. This includes reviewing the cloud hosting market and associated regulatory environment.”
He added: “GDS is currently undertaking a risk assessment of all of its services and products – including GOV.UK – in relation to cross-border data flows. The new ECJ judgment [on Privacy Shield] will be considered as part of this assessment.
“The assessment will identify relevant data flows and make sure appropriate mitigation is implemented if necessary, following updates and guidance from the Information Commissioner's Office and the European Data Protection Board. GDS has engaged with other government departments via data advisory groups and data protection networks to ensure consistent mitigation.
“Ultimately, however, it is a decision for individual government organisations where and how to store their data, provided it is done in a secure way and offers good value for money.”
The government has previously indicated that, following the invalidation of Privacy Shield, it is working with the ICO to provide updated guidance for businesses and public sector bodies as soon as possible.
In 2018, the DHSC and all national NHS bodies jointly announced that, following the implementation of Privacy Shield, public sector bodies should feel free to host health and social care data in the US.
Lord Bethell, minister for innovation in the Department of Health and Social Care, said that NHS Digital is now also reviewing its guidance for the use of cloud services by health-service organisations.
“The cloud security suite of documents is currently being reviewed as part of NHS Digital’s regular management cycle and is due for re-issue before the end of the year,” Bethell said. “NHS Digital is currently awaiting updated guidance following the judgement by the European Court of Justice from the Information Commissioner's Office. Once received it will be incorporated into its guidance for the health and social care sector.”
Both Agnew and Bethell were answering written parliamentary questions from Liberal Democrat peer Lord Clement-Jones.
The ‘Schrems II’ case, as it is commonly referred to, is named after Austrian privacy activist Max Schrems, whose legal challenge led to the invalidation by the ECJ of Privacy Shield’s predecessor, the Safe Harbor arrangement.