
Cloud security – good practice guide


This material is general guidance only.

Recipients are responsible for exercising their own professional judgement in applying the material. Whilst efforts were made to ensure that the information contained in this document was both clear and accurate at the time of publication, NHS England cannot guarantee that this information will be suitable for the recipient's own hosting and infrastructure requirements, or their procurement/commercial/legal context.

Accordingly, NHS England accepts no responsibility for any losses or damages arising from the use of this material.


1. Introduction

The UK Government introduced a cloud first policy for public sector IT in 2013. The use of cloud services was also endorsed in the National Information Board’s Personalised Health and Care 2020 framework, published in November 2014. 

A paper jointly published by the Department of Health and Social Care, NHS England, NHS Digital and NHS Improvement on 19 January 2018 states that NHS and social care organisations can safely locate health and care data, including confidential patient information, in the public cloud, including solutions that make use of data off-shoring. The paper provides advice and guidance about the safeguards that should be put in place to do so.

NHS England have built upon this advice and guidance to develop more detailed materials that enable a systematic approach to evaluating risk and applying proportionate controls. This document explains the process and provides details on what proportionate controls should be put in place.


Last edited: 8 January 2025 11:40 am