The government has stated that NHS and social services data “can be safely hosted” in the US and a number of other locations across Europe and beyond.

The Department of Health and Social Care, alongside NHS England, NHS Improvement, and NHS Digital, has issued a document laying out the government’s position on offshore hosting and the use of public cloud for NHS and social-care bodies.

“The NHS and social-care providers may use cloud computing services for NHS data,” says the document. “Data must only be hosted within the European Economic Area (EEA), a country deemed adequate by the European Commission, or in the US, where covered by Privacy Shield.”

The Privacy Shield arrangement, agreed between the US and EU in 2016, is a scheme under which US data processors can self-certify that they will abide by EU and local data-protection legislation when handling the data of EU citizens. Those that fail to do so are liable to face investigative and potentially punitive measures. A total of 2,644 firms are currently certified to process either HR or non-HR data – or both.

If any NHS or social care institutions wish to use US data-hosting facilities not covered by Privacy Shield, they are advised to consult an expert before doing so.

"If the organisation you plan to host data with is not part of the Privacy Shield scheme, you will not be protected by the agreement,” the government said. “You should seek legal advice if you plan to host personal confidential data with a US provider that is not part of the Privacy Shield.”

Related content

The introduction of Privacy Shield came following the demise of the preceding Safe Harbour arrangement, which was invalidated by the European Court of Justice in October 2015. This decision followed a two-year legal battle led by Austrian student Max Schrems, whose campaign came in light of Edward Snowden’s revelations of surveillance conducted by US intelligence agencies.

In addition to the US, NHS bodies can also host data in all the countries that form the EEA, which includes Iceland, Liechtenstein, and Norway, plus 27 of the 28 EU member states, with Croatia – the most recent addition to the European Union, having joined in 2013 – currently having a provisional EEA membership, which is subject to ratification by the other member countries.

According to the newly published government guidance, NHS and social care data can also be stored in various non-EEA countries and locations that the European Commission has ruled have “adequate” measures for protecting European personal data. This includes Andorra, Switzerland, the Faroe Islands, Guernsey, Jersey, the Isle of Man, Israel, Argentina, Uruguay, and New Zealand.

US data-hosting firms covered by Privacy Shield are also regarded as adequate, as are Canadian facilities – but only for hosting data for the private sector, and not for government or other public-sector entities across Europe.

Japan and South Korea are both currently in talks with the EC about obtaining adequacy status.

Benefits of cloud

Elsewhere in the guidance paper, the government sets out a range of benefits it believes embracing cloud services could have for NHS bodies.

“Cloud providers have a significant budget to pay for updating, maintaining, patching and securing their infrastructure,” it said. “This means cloud services can mitigate many common risks NHS and social-care organisations often face. Cloud services may provide other advantages for NHS and social care organisations, including lower IT costs, and the ability to develop, test and deploy services quickly, without large capital expense.”

The government added: “As more services for patients and staff move to the internet, and the need for better data interoperability increases, it is likely that use of cloud services will become more prevalent in NHS and social-care organisations.”

NHS and social-care bodies are advised to follow a process involving four key steps to make sure they "select and implement a solution that is appropriate for the risk level of the specific data set or system your organisation has decided to move to the cloud”.

The first of these is to “understand the data” they are moving, and the second is to “assess the risks” involved in the process. The third step NHS organisations should take is to “implement controls” regarding data-protection regulation as it pertains to the geographic location of the data-processor’s hosting facilities and head office. The final step advised by the government is to carefully “monitor the implementation” of the move deployment of cloud services.

Suzy Foster, director of health and life science for Microsoft UK, welcomed the government’s new stance on offshore data.

“[This] guidance is an important milestone for the NHS,” she said. “By moving to the cloud, the NHS can begin to innovate and modernize health services in England to truly meet the needs of patients in a sustainable and cost-effective way.”