The new guidance issued by NHS Digital gives health bodies in England greater freedom to use public cloud computing services.
EU data protection law puts restrictions on the transfer of personal data outside of the European Economic Area (EEA). One way in which organisations can transfer personal data outside of the trading bloc is where they do so to a country that benefits from a so-called 'adequacy decision' of the European Commission.
Countries that benefit from an adequacy decision are considered to have laws essentially equivalent to those that safeguard personal data inside the EEA. Where an adequacy decision has been issued, data transfers between the EU and those third countries are said to be automatically compliant with EU data protection laws. Canada, Switzerland and New Zealand are among the countries that benefit from a Commission adequacy decision.
The EU-US Privacy Shield is a further bespoke framework agreed between EU and US officials for ensuring adequate protection of personal data transferred from the EU to US-based organisations that sign up to the Privacy Shield's requirements.
"NHS and social care data can be safely hosted with certain organisations in the US," the guidance said. "Personal confidential data can be hosted with organisations that participate in the Privacy Shield scheme agreed between the EU and US. The European Commission has issued a formal decision that the Privacy Shield provides adequate protection to allow personal data to be transferred to the US."
"If you are planning to host data with an organisation in the US, you should verify whether they are part of this scheme on the Privacy Shield website, and whether the type of data you plan to transfer is covered by the organisation’s Privacy Shield commitments. If the organisation you plan to host data with is not part of the Privacy Shield scheme, you will not be protected by the agreement," it said.
In its guidance, though, NHS Digital said that NHS and social care providers can use "other mechanisms", such as model contract clauses or binding corporate rules, to host their data in the US with cloud providers that have not signed up to the Privacy Shield.
However, "NHS and social care organisations are not expected to host data outside of the UK, EEA, US or adequate countries as determined by the European Commission", it said.
According to the guidance, NHS and social care providers must conduct their own assessment of the risks posed from offshoring before outsourcing the storage of the data to the cloud, and put in place measures to mitigate them.
Existing tools, such as the health and social care cloud risk framework, the national data guardian's recommendations on data security in the health and care sectors, and the UK's 'Cyber Essentials' guidance, will help inform such assessments, NHS Digital said.
"All decisions relating to the security of data are the responsibility of the local data controller within a healthcare organisation," the guidance said. "In accordance with recommendations made by the national data guardian, organisations should also have a SIRO (senior information risk owner) responsible for data and cyber security who should be included in making a risk-based decision."
"Well-executed use of cloud services is appropriate for most NHS and social care information and services. However, your organisation may have different needs, dependent on your data security requirements. These requirements will be defined by the availability, integrity and confidentiality criteria of your specific data or systems," it said.
NHS bodies should take into account the "potential downsides to cloud services" when assessing the risk of using such services, according to the guidance. Downsides might include increased exposure to the risk of outages, a lack of internal capability for delivering and managing cloud services, and risks arising from increased "portability" of data, it said. Further factors, such as "cost, security, resilience, capability and funding", should also be considered, it said.
The specific security requirements that NHS bodies will need to have in place for ensuring adequate protection for their data in the cloud will be influenced by where cloud providers process or store the data, NHS Digital said.
"It is possible to have numerous jurisdictions apply to data held in cloud services (particularly when the cloud provider is non-UK, or has a non-UK parent company)," the guidance said. "Whilst cloud providers should let you specify geographic region(s) to host or process data, you should clarify before contracting out. Furthermore, service providers sometimes use offshore technical and support staff, who are able to access data from another location. Many global service providers have a global support model that does not limit where staff can operate. You will want to understand whether this has any impact for your risk-based decision."
"To benefit from additional resilience it is highly recommended that, for the data you deem to be of the highest risk, you consider taking a multi-region approach where, for example, the data is stored both in and outside of the UK," it said.