Health and social care Cloud Risk Framework

Version: 1.0

Created: 7 October 2021

This material is general guidance only. Recipients are responsible for exercising their own professional judgement in any use of the material. Whilst efforts were taken to ensure that the information contained in this document was both clear and accurate at the time of publication, NHS Digital cannot guarantee that this information will be suitable for the recipient's own hosting and infrastructure requirements, or their procurement/commercial/legal context. Accordingly, NHS Digital accepts no responsibility for any losses or damages arising from the use of this material.


The purpose of this document is to present a framework for assessing and managing risk around the use of public cloud technologies in the Health and Social Care sectors in England. This framework is intended to be treated as guidance and is recommended to be used by individual Data Controller organisations as they consider the use of public cloud facilities.

A wide variety of potential processing activities may be successfully undertaken with public cloud services, ranging from hosting reports that are intended for public distribution, to data analytics environments containing anonymised data across a region, to national-scale point-of-care clinical systems processing significant quantities of sensitive personal data to support direct care. The use of public cloud to support these scenarios, and indeed the use of any hosting facilities, public or private, can never be risk-free, and the degree of risk varies across these use cases.

Whilst any risk associated with the use of public cloud facilities remains with the Data Controller, this document provides a risk framework that enables a consistent assessment of those risks. This helps organisations to understand where their use of public cloud facilities aligns with their risk appetite.

This document is in five parts:

  1. The first part details the scope of this paper.
  2. The second part provides background and context around the need for this guidance.
  3. The third part provides an overview of risk classes that should be considered as part of each organisation’s risk management process.
  4. The fourth part describes three separate dimensions of data use that need to be considered: the type of data being processed, the scale of the data, and its persistency. The overall risk depends on the degree to which each of these dimensions is applicable to any specific proposed use of public cloud facilities.
  5. The fifth part provides a model for assessing and managing risk.


This document is specifically intended to address the processing of electronic assets that support information systems, including:

  • data relating to individuals’ contact with the health and social care system
  • data processed across the health and social care sector (including, but not limited to, activities and processes carried out by NHS Digital itself)

Whilst not the primary target of this document, the risk-management principles are also relevant to:

  • board, commercial, financial, contractual and legal material generated or processed by NHS Digital or other health organisations
  • human resources: personal data relating to members of staff

Last edited: 14 October 2021 11:19 am