This guidance sets out expectations for health and care organisations who want to use cloud services or data off-shoring to store patient information | NHS Digital
These documents from NHS Digital aim to ensure that organisations know how to use cloud services safely and securely, particularly in relation to the introduction of the General Data Protection Regulation (GDPR). The standards will enable NHS organisations to benefit from the flexibility and cost savings associated with the use of cloud facilities.
- NHS and social care providers may use cloud computing services for NHS data. Data must only be hosted within the UK, the European Economic Area (EEA), a country deemed adequate by the European Commission, or the US where covered by Privacy Shield.
- Senior Information Risk Owners (SIROs) locally should be satisfied about appropriate security arrangements (using National cyber security essentials as a guide) in conjunction with Data Protection Officers and Caldicott Guardians.
- Help and advice from the Information Commissioner’s Office is available and regularly updated.
- Changes to data protection legislation, including the General Data Protection Regulation (GDPR) from 25 May 2018, put strict restrictions on the transfer of personal data, particularly when this transfer is outside the European Union. The ICO also regularly updates its GDPR guidance.
- NHS Digital has provided some detailed guidance documents to support health and social care organisations.
The following documents provide more detailed guidance:
- Health and social care cloud security good practice guide
- Health and social care cloud risk framework
- Health and social care data risk model
- Health and social care cloud security: one page overview