NHS and social care data: off-shoring and the use of public cloud services
National guidance has been published setting clear expectations for health and care organisations that want to use cloud services or data off-shoring to store patient information.
The guidance, NHS and social care data: off-shoring and the use of public cloud services, has been written jointly by NHS England, the Department of Health and Social Care and NHS Improvement.
It explains the safeguards that must be put in place so that health and social care organisations can safely locate health and social care data, including confidential patient information, in the public cloud, including solutions that make use of data off-shoring.
In 2017 the Executive Management Team (EMT) mandated the repatriation of all cloud services and data back to UK regions. If hosting outside the UK is required, approval from the Senior Information Risk Owner (SIRO) and the EMT is required.
The following principles apply to all services for which NHS England is considering the use of a cloud platform or co-location service. They are grouped by data security class, as identified using the Cloud Risk Assessment.
Where class 1 or class 2 data is identified, or where a service holds no sensitive data, Information Asset Owners (IAOs) may use cloud computing services, IaaS or PaaS, for NHS data subject to the following caveats and principles:
- Data must only be hosted within the UK. Hosting in the European Economic Area (EEA), in a country deemed adequate by the European Commission, or in the US where an International Data Transfer Agreement (IDTA) is in place can only be relied upon if the risks of the transfer are sufficiently low and the arrangement has SIRO and EMT approval. A UK GDPR Article 46 risk assessment must be conducted to assess that risk.
- Development, test and User Acceptance Testing (UAT) environments may be hosted in the UK, the EEA, a country deemed adequate by the European Commission, or the US where an IDTA is in place, provided that only synthetic or test data is used. Hosting outside the UK can only be relied upon if the risks of the transfer are sufficiently low and the arrangement has SIRO and EMT approval; a UK GDPR Article 46 risk assessment must be conducted to assess that risk.
As part of this governance, and reflecting NHS England's risk appetite for data classified above Class 2, the following principles apply and can only be overruled by exception by the SIRO and the Executive Management Team.
Where class 3, 4 or 5 data is identified, IAOs may use cloud computing services, IaaS or PaaS, for NHS data subject to the following caveats and principles:
- Provided that the utmost care is taken when collecting, transferring, storing and processing patient data, NHS and social care organisations are permitted to host data within the UK, the EEA (countries deemed by the European Commission to have adequate protections for the rights of data subjects), or the US where an International Data Transfer Agreement (IDTA) is in place. Hosting outside the UK can only be relied upon if the risks of the transfer are sufficiently low and the arrangement has SIRO and EMT approval; a UK GDPR Article 46 risk assessment must be conducted to assess that risk.
- NHS and social care providers should use cloud computing services for hosting NHS data. Data must only be hosted within territories deemed to be GDPR adequate by the UK Government, as listed in the Information Commissioner's Office (ICO) international data transfers guidance.
- Data transfers to non-adequate territories should be considered in conjunction with the ICO's International Data Transfer Agreement (IDTA) and the accompanying guidance.
- Local Senior Information Risk Owners (SIROs) should be satisfied that appropriate security arrangements are in place (using national cyber security essentials as a guide), working in conjunction with Data Protection Officers and Caldicott Guardians.
- Help and advice from the Information Commissioner's Office is available and regularly updated.
- Changes to data protection legislation, including the General Data Protection Regulation (GDPR) in force from 25 May 2018, put strict restrictions on the transfer of personal data, particularly when the transfer is to a destination outside the European Union. The ICO also regularly updates its GDPR guidance.
- NHS England has provided some detailed guidance documents to support health and social care organisations.
Last edited: 3 January 2025 3:01 pm