NHS and social care data: off-shoring and the use of public cloud services

National guidance has been published setting clear expectations for health and care organisations who want to use cloud services or data offshoring to store patient information.

The guidance, NHS and social care data: off-shoring and the use of public cloud services, has been written jointly by NHS Digital, NHS England, the Department of Health and Social Care and NHS Improvement.

This guidance explains the safeguards that must be put in place so that health and social care organisations can safely locate health and social care data, including confidential patient information, in the public cloud, including solutions that make use of data off-shoring.

The following documents have been created by NHS Digital to provide more detailed guidance:


Cloud security good practice guide

This document provides advice and guidance about the safeguards that should be put in place to enable health and social care organisations to safely locate health and care data, including patient information, in the public cloud.


Cloud risk framework

This guidance presents a framework for assessing and managing risk around the use of public cloud technologies in the health and social care sectors in England. The framework is intended as guidance and is recommended for use by individual data controller organisations as they consider the use of public cloud facilities.


Health and social care data risk model

This risk model provides a consistent way of assessing and recording the details of any proposed use of cloud services, producing a risk class indication.


Health and social care cloud security one page overview

This guidance provides a one page overview to support you in your role as data controller, ensuring that all uses of public cloud are well-executed: known, safe, secure and effective.


In Brief

  • NHS and social care providers may use cloud computing services for NHS data. Data must only be hosted within the UK, the European Economic Area (EEA), a country deemed adequate by the European Commission, or in the US where covered by Privacy Shield.
  • Senior Information Risk Owners (SIROs) locally should be satisfied about appropriate security arrangements (using National cyber security essentials as a guide) in conjunction with Data Protection Officers and Caldicott Guardians.
  • Help and advice from the Information Commissioner's Office is available and regularly updated.
  • Changes to data protection legislation, including the General Data Protection Regulation (GDPR) from 25 May 2018, put strict restrictions on the transfer of personal data, particularly when this transfer is outside the European Union. The ICO also regularly updates its GDPR guidance.
  • NHS Digital has provided detailed guidance documents to support health and social care organisations.

Last edited: 14 October 2021 10:22 am