
NHS and social care data: off-shoring and the use of public cloud services

National guidance has been published setting clear expectations for health and care organisations who want to use cloud services or data offshoring to store patient information.

This NHS and social care data: off-shoring and the use of public cloud services guidance has been written jointly by NHS England, the Department of Health and Social Care and NHS Improvement.

This guidance explains the safeguards that must be put in place so health and social care organisations can safely locate health and social care data, including confidential patient information, in the public cloud, including solutions that make use of data off-shoring.

In 2017 the EMT mandated the repatriation of all cloud services and data back to UK regions. If hosting outside of the UK is required, approval from the SIRO and EMT is required.

The following principles apply to all services for which NHS England considers the use of a Cloud Platform or co-location services, in relation to data security, where the class has been identified using the Cloud Risk Assessment:

Where class 1 and 2 data are identified or where services hold no sensitive data, IAOs may use cloud computing services, IaaS or PaaS for NHS data with the following caveats and principles:

  • Data must only be hosted within the UK. Use of the European Economic Area (EEA), a country deemed adequate by the European Commission, or the US where an International Data Transfer Agreement (IDTA) is in place, can only be relied upon if the risks of the transfer are sufficiently low and the transfer has SIRO and EMT approval. It is necessary to conduct a UK GDPR Article 46 Risk Assessment to assess such risk.
  • Development, test and User Acceptance Testing environments can use the UK, the EEA, a country deemed adequate by the European Commission, or the US where an International Data Transfer Agreement (IDTA) is in place, which can only be relied upon if the risks of the transfer are sufficiently low and the transfer has SIRO and EMT approval. It is necessary to conduct a UK GDPR Article 46 Risk Assessment to assess such risk for Cloud Services as long as Synthetic or Test data is utilised.

As part of this governance and NHS England’s risk appetite for data classified above “Class 2”, the following principles apply and can only be overruled by exception by the SIRO and the Executive Management Team.

Where class 3, 4 or 5 data is identified, IAOs may use cloud computing services, IaaS or PaaS Services for NHS Data with the following caveats and principles:

  • Provided that the utmost care is taken when collecting, transferring, storing and processing patient data, NHS and social care organisations are permitted to host data within the UK, the EEA (countries deemed by the European Commission to have adequate protections for the rights of data subjects), or in the US where an International Data Transfer Agreement (IDTA) is in place, which can only be relied upon if the risks of the transfer are sufficiently low and the transfer has SIRO and EMT approval. It is necessary to conduct a UK GDPR Article 46 Risk Assessment to assess such risk.

In Brief

  • NHS and social care providers should use cloud computing services for hosting NHS data. Data must only be hosted within territories deemed to be GDPR adequate by the UK Government, as listed by the Information Commissioner's Office (ICO) international data transfers guidance.
  • Data transfers to non-adequate territories should be considered in conjunction with the ICO’s International data transfer agreement and guidance.
  • Senior Information Risk Owners (SIROs) locally should be satisfied about appropriate security arrangements (using National cyber security essentials as a guide) in conjunction with Data Protection Officers and Caldicott Guardians.
  • Help and advice from the Information Commissioner's Office is available and regularly updated.
  • Changes to data protection legislation, including the General Data Protection Regulation (GDPR) from 25 May 2018, put strict restrictions on the transfer of personal data, particularly when this transfer is outside the European Union. The ICO also regularly updates its GDPR Guidance.
  • NHS England has provided some detailed guidance documents to support health and social care organisations. 

The following documents have been created by NHS England to provide more detailed guidance:


Cloud security good practice guide

This document provides advice and guidance about the safeguards that should be put in place to enable health and social care organisations to safely locate health and care data, including patient information, in the public cloud.

Cloud risk framework

This guidance presents a framework for assessing and managing risk around the use of public cloud technologies in the health and social care sectors in England. This framework is intended to be treated as guidance and is recommended to be used by individual data controller organisations as they consider the use of public cloud facilities.

Health and social care data risk model

This risk model provides a consistent way of assessing and recording the details of any proposed use of cloud services, producing a risk class indication.

Health and social care cloud security one page overview

This guidance provides a one page overview to support you in your role as data controller, ensuring that all uses of public cloud are well-executed: known, safe, secure and effective.

Last edited: 3 July 2023 11:35 am