NHS Digital has issued new guidance that endorses placing health data in the public cloud, including off-shoring to US data centres, as long as the companies are covered by the Privacy Shield agreement.
In addition to US-based companies, NHS and social care organisations can also make use of public cloud hosting in the European Economic Area or within a country that is deemed “adequate” by the European Commission.
The guidance is a welcome move, given the benefits that can be achieved by shifting operations to the public cloud, but it’s likely that concerns will be raised about the suitability of the Privacy Shield agreement as a mechanism for protecting healthcare data in the US.
NHS Digital’s guidance states:
Provided that the utmost care is taken when collecting, transferring, storing and processing patient data, NHS and social care organisations are permitted to host data within the UK, EEA (countries deemed by the European Commission to have adequate protections for the rights of data subjects), or in the US where covered by Privacy Shield.
Senior Information Risk Owners (SIROs) locally should be satisfied about appropriate security arrangements (using National Cyber Security Essentials as a guide) in conjunction with Data Protection Officers and Caldicott Guardians.
There are no restrictions on where in the UK data may reside, for example, data from the NHS in England may be hosted in Scotland, and vice versa.
The NHS has long struggled to modernise its IT estate, given that it’s a diverse and dispersed organisation, with much variation between Trusts and social care organisations and no real central controls in place.
Many will be aware that the government has made previous attempts to modernise technology within the NHS, most notably with the failed National Programme for IT (NPfIT).
NPfIT was a disaster. It cost the taxpayer over £13 billion and there has been very little to show for it.
The programme was pitched as a blanket upgrade to the NHS’ IT systems and as a chance for all organisations in the health service to standardise on a new platform. However, as time went on, it soon became clear that local inertia meant that many organisations resisted the standardisation.
Equally, the suppliers involved were perceived to be taking the NHS and government along for a ride, whilst the government’s contract negotiations and management were so appallingly bad that when things got rough it had no leg to stand on.
As a result, the NHS has instead focused on issuing standards and guidance to urge Trusts and organisations to modernise at their own pace, in their own way. The guidance issued on public cloud cites a number of benefits that include:
- Cloud providers have a significant budget to pay for updating, maintaining, patching and securing their infrastructure. This means cloud services can mitigate many common risks NHS and social care organisations often face. This is particularly pertinent in the context of the recent WannaCry ransomware attack.
- Cloud services may provide other advantages for NHS and social care organisations including lower IT costs and the ability to develop, test and deploy services quickly without large capital expense.
- As more services for patients and staff move to the Internet and the need for better data interoperability increases, it is likely that use of cloud services will become more prevalent in NHS and social care organisations.
Privacy Shield concerns
It’s likely that some will raise eyebrows at the NHS’ official endorsement of US-based companies hosting health data, as long as they are covered by the Privacy Shield agreement, given that a number of concerns have been raised about the framework.
Privacy Shield was established after its predecessor, Safe Harbour, was found to be invalid, and it governs transatlantic data flows between the EU and the US.
Since it came into force a couple of years ago, it has been labelled as “robust” by the European Commission and an “historic agreement” by US officials.
But since it was established, privacy and data protection experts have labelled it as inadequate and nothing more than ‘lipstick on a pig’.
In recent weeks, the Article 29 Working Party (WP29), which is an advisory body made up of a representative from the data protection authority of each EU member state, has said that it will commence a legal challenge against the Privacy Shield’s adequacy decision if its ‘significant concerns’ are not addressed.
The Working Party has said:
The WP29 has identified a number of important unresolved issues such as the lack of guidance and clear information on, for example, the principles of the Privacy Shield, on onward transfers and on the rights and available recourse and remedies for data subjects.
In addition, the WP29 calls for an increased oversight and supervision of compliance with the Principles of the Privacy Shield through namely, ex-officio investigations and continuous monitoring of certified companies. The US authorities are also requested to clearly distinguish the status of data processors from that of data controllers both at the time of their self-certification and at the time of further checks.
Moreover, further improvements should be made with regards to the interpretation and handling of HR data and the rules governing automated-decision making/profiling. Finally, the self-certification process for companies should be enhanced to ensure uninterrupted protection for data subjects and rapid compliance with the Privacy Shield principles. Additionally, the cooperation between U.S. authorities within the Privacy Shield mechanism should be adjusted.
In addition, regarding mass surveillance of data in the US, it goes on to add:
Despite these developments, some of the main points of concern for the WP29 in this area, have yet to be fully resolved.
More specifically, the collection and access of personal data for national security purposes under both section 702 of FISA and Executive Order 12333 still remains an important issue for the WP29. Indeed, the WP29 calls for further evidence or legally binding commitments to substantiate the assertions by the U.S. authorities that the collection of data under section 702 is not indiscriminate and access is not conducted on a generalized basis under the UPSTREAM program.
Overall, a good step for the NHS in terms of driving the adoption of modern digital technologies across the organisation. No longer can an NHS Trust say: “We aren’t allowed to put health data in the cloud”. It’s in black and white, the guidance is there. That being said, I am somewhat surprised the guidance so clearly endorses US companies, given the sensitivity of healthcare data and the concerns that remain around Privacy Shield.