Public Services > Central Government

NHS Digital issues guidance to helps NHS trusts to use of public cloud services safely

Published 19 January 2018

Document sets out the legalities and best practice for data offshoring and cloud data storage and usage

NHS Digital has published guidance to set clear expectations for health and social care organisations who want to use cloud services or data offshoring to store patient information.

The guidance has been published to ensure that organisations better know how to tackle offshoring and the use of public cloud services safely and securely. The advice has been published to reflect the impact of tighter restrictions on the processing and transfer of personal data are being brought in through the launch of the General Data Protection Regulation (GDPR) in May.

The guidance provides a detailed explanation of the benefits and risks of public cloud services to help organisations comply with expected standards when choosing to adopt these technologies. It also sets out the legalities and best practice as to how data should be stored and used.

The standards are intended to enable NHS organisations to benefit from the flexibility and cost savings associated with the use of cloud facilities.

The document highlights the benefits for organisations choosing to use cloud facilities. These include cost savings associated with not having to buy and maintain hardware and software, and comprehensive back-up and fast recovery of systems. 

The report argues that together these features cut the risk of health information not being available due to local hardware failure.

The guidance makes it clear that data must only be hosted within the UK, the European Economic Area, in countries deemed adequate by the EU, or in the US where it is covered by the Privacy Shield. 

Under a section on monitoring the implementation, the advice makes clear that while any cloud provider will have data protection responsibilities as a data processor, the NHS organisation will retain data controller responsibilities and must be assured at all times that the selected cloud implementation is fit for purpose. It warns that the organisation’s security requirements will change over time, so regular review points are recommended. 

It also point out that in accordance with the recommendations made by the National Data Guardian, the organisation should have a senior information risk officer (SIRO) responsible for data and cyber security. Trusts should ensure that the SIRO has access to the evidence provided by a cloud provider that it is compliant with the recognised standards, which could include third party verification of this, and any additional security controls requested. NHS Digital suggested that both the evidence and the implementation itself should be reviewed regularly to ensure that any necessary changes to a trust’s cloud solution are made in a timely fashion.

Rob Shaw, deputy chief executive at NHS Digital, said, “It is for individual organisations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively.”

Shaw added, “The guidance being published today will give greater clarity about how these technologies can be used and how data, including confidential patient information, can be securely managed.”

NHS Digital has worked in partnership with the Department of Health, NHS England and NHS Improvement to create the national guidance. 

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.