Part of Health and social care Cloud Risk Framework

Background and context

There is appetite across the health and social care system in England to use public cloud computing. These facilities have emerged rapidly in recent years and now provide a cost-effective and agile means of provisioning infrastructure. However, uptake has been restricted, in part due to the lack of guidance on the use of such services, particularly in relation to security.

There is existing cross-government guidance [1] around the use of public cloud facilities. Whilst it provides an overall 'permission statement' for the use of public cloud, that guidance is not intended to provide specific approval for the health and social care sector, nor give specific guidance on how to safeguard data.

Individual organisations within the health and social care system hold Data Controller responsibilities and are therefore accountable for the systems they use and for the risk-based decisions that they must take. This document provides a framework that is specifically targeted to health and social care organisations to help them assess and manage the risk of using public cloud.

The framework provided in this document describes the kinds of risk that should be considered and the ways in which risk may be affected by different processing proposals, and relates these to an individual organisation’s risk appetite. This appetite may, reasonably, vary over time.

The use of this framework is intended:

  • to provide more consistency in risk assessment
  • to help identify low-risk scenarios which are suitable for initial adoption of public cloud - over time, we would expect to see greater use of public cloud as we accrue demonstrable experience of safe and acceptable use

Last edited: 8 January 2025 11:36 am