NHS Digital publishes guidance on maintaining data assurance in offshoring and cloud computing
Health and social care organisations have been advised to keep their data in countries that comply with EU regulations for its storage, and make use of National Cyber Security Essentials guidance in keeping it safe.
NHS Digital, the national information and technology partner of the health and care system, has highlighted these as central features of its newly published guidance on data offshoring – with an eye on the introduction of the General Data Protection Regulation (GDPR) in May.
It said the document should set clear expectations for health and care organisations that want to use cloud services or data offshoring to store patient information.
One of its prime recommendations is that care providers can use cloud services for NHS data, but that the data should be hosted in the European Economic Area, in a country deemed adequate by the European Commission, or in the US where it is covered by the Privacy Shield agreement (the mechanism for organisations on both sides of the Atlantic to comply with data protection requirements).
Another is that senior information risk owners should use the Cyber Essentials guidance, published by the National Cyber Security Centre, in satisfying themselves that the appropriate security arrangements are in place. This should involve working with data protection officers and Caldicott guardians (NHS officials responsible for patient confidentiality).
In addition, they should be ready to seek advice from the Information Commissioner’s Office, and develop a full understanding of the GDPR.
NHS Digital said the guidance is aimed at ensuring NHS bodies know how to use the solutions safely and securely, especially in the light of the GDPR tightening restrictions on the processing and transfer of personal data.
The document also highlights the benefits for organisations choosing to use cloud facilities. These include cost savings associated with not having to buy and maintain hardware and software, and comprehensive back-up and fast recovery of systems. Together these features cut the risk of health information not being available due to local hardware failure.
Rob Shaw, deputy chief executive of NHS Digital, said: "It is for individual organisations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively.
"The guidance being published today will give greater clarity about how these technologies can be used and how data, including confidential patient information, can be securely managed."