NHS and social care data: off-shoring and the use of public cloud services

Summary

National guidance has been published setting clear expectations for health and care organisations who want to use cloud services or data offshoring to store patient information.

This guidance, NHS and social care data: off-shoring and the use of public cloud services, has been written jointly by NHS Digital, NHS England, the Department of Health and Social Care and NHS Improvement.

 The following documents have been created by NHS Digital to provide more detailed guidance: 

In Brief

  • NHS and social care providers may use cloud computing services for NHS data. Data must only be hosted within the UK - European Economic Area (EEA), a country deemed adequate by the European Commission, or in the US where covered by Privacy Shield.
  • Senior Information Risk Owners (SIROs) locally should be satisfied about appropriate security arrangements (using National cyber security essentials as a guide) in conjunction with Data Protection Officers and Caldicott Guardians.
  • Help and advice from the Information Commissioner's Office is available and regularly updated.
  • Changes to data protection legislation, including the General Data Protection Regulation (GDPR) from 25 May 2018, put strict restrictions on the transfer of personal data, particularly when this transfer is outside the European Union. The ICO also regularly updates its GDPR Guidance.
  • NHS Digital has provided some detailed guidance documents to support health and social care organisations.