- The guidance is timely given the coming into force of the GDPR in May, which will impose tighter restrictions on processing and transfers of personal data, including use of cloud computing.
- The guidance is designed to assist NHS and social care organisations to comply with GDPR whilst benefitting from the flexibility and cost savings associated with the adoption of cloud solutions.
- Cloud providers selling to these organisations will also need to ensure that their solutions comply with applicable parts of the guidance.
The UK government has had a “cloud first” policy for public sector IT since 2013. However, concerns about the risk involved in moving to cloud services, particularly when sensitive personal data is involved, as well as the new personal data protection regime being brought in under the EU General Data Protection Regulation 2016/679 (GDPR), may have meant that adoption by health and care organisations has been slower than hoped for. Accordingly, NHS Digital recently published new national guidance (guidance) setting clear expectations for organisations that want to use cloud services or data offshoring in order to store patient information.
The Benefits of Cloud Computing
The guidance suggests that it is public cloud services (i.e., cloud infrastructure provisioned for open use by the general public), compared with other types of cloud service such as community, hybrid or private cloud, which offer the largest potential benefits for the public sector. Those benefits include:
- the cost savings associated with not having to operate the infrastructure, including buying, maintaining, updating and securing the associated networks, hardware and software;
- the ability to quickly develop, test and deploy new services whilst avoiding a large capital expense; and
- access to comprehensive back-up and fast recovery of systems coupled with a reduced risk that health information is unavailable due to local hardware failure.
It is for individual organisations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively. [This] guidance … will give greater clarity about how these technologies can be used and how data, including confidential patient information, can be securely managed.
—Rob Shaw, Deputy Chief Executive at NHS Digital
NHS Organisations’ Senior Information Risk Owners (SIROs) will need to satisfy themselves that appropriate security arrangements are in place, using National cybersecurity essentials as a guide. This should be done in conjunction with Data Protection Officers (who will need to undertake data protection impact assessments in line with the GDPR) and Caldicott Guardians (the senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing in each NHS organisation).
Migrating to the Cloud
The guidance reaffirms that decisions relating to data security are the responsibility of the local data controller within each organisation. Organisations should also have a SIRO responsible for data and cybersecurity. The SIRO should be included in making a risk-based decision regarding the use of cloud services. The decision-making process must include a review of the organisation’s data security requirements, defined by reference to the availability, integrity and confidentiality of the specific data or systems. Risks to be considered when adopting cloud services include:
- the increase in the importance of internet access across the organisation;
- a change to the way that the organisation budgets for technology (i.e., moving from a capital to a revenue model);
- the need for appropriate skilled resource internally in order to manage the cloud services;
- legacy systems which may not have been designed to run in, or be compatible with, the cloud; and
- the increased portability of data, since the cloud enables data to be accessed across multiple devices, both inside and outside an organisation’s boundaries.
Other relevant factors to be considered include cost, security, resilience, capability and funding. Specialist advice should be taken where appropriate.
The Four Steps
When selecting and implementing cloud services, which must be appropriate for the risk level of the specific data set or system, organisations should take the following four steps:
Step 1: Understand the data.
Data managed by organisations is treated as OFFICIAL in line with the Government Security Classification Policy; however, not all information is the same, and security measures should be risk-appropriate and proportionate based on the system’s service level, the type and quantity of data, and the period for which the data is to be retained.
Step 2: Assess the risks.
An appropriate risk model should be adopted such as the guidance published by the National Cyber Security Centre or the NHS’s Digital Health and Social Care data risk framework. Organisations will be data controllers under the GDPR (as well as current EU privacy laws) and accordingly need to consider things such as privacy by design (Article 25, GDPR) as well as data protection impact assessments (Article 35, GDPR) in the context of cloud services. There may be some situations where cloud services are deemed inappropriate for specific systems or data.
Step 3: Implement controls (data protection and location).
Data needs to be assessed on a case-by-case basis, rather than a one-size-fits-all approach. As data controller, the organisation is responsible for ensuring that proportionate controls are in place to mitigate all risks, as informed by relevant legislation (such as the GDPR, as well as—until replaced by the new Data Protection Bill currently making its way through parliament—the UK’s Data Protection Act) and government policy such as the Government Security Classification Policy and, from April, the Data Security and Protection Toolkit.
Step 4: Monitor the implementation.
Although cloud providers will have data protection responsibilities under the GDPR as data processors, organisations will retain data controller responsibilities and, as a consequence, must be assured at all times that the selected cloud implementation is fit for purpose. The SIRO should have access to the evidence provided by the cloud provider that it is compliant with the recognised standards (e.g., third-party verification) and with any additional security controls required by the organisation. Regular reviews should be undertaken so that necessary changes to cloud solutions can be made in a timely fashion.
Location of Data
The guidance makes it clear that data must only be hosted within the UK, the European Economic Area, countries deemed adequate by the EU, or the U.S. if the cloud provider is covered by the Privacy Shield. Reliance on the Privacy Shield, as well as on the EU’s model contract clauses, for data export needs to be kept under review, however, given ongoing legal challenges in the European courts.
Legal Advice Needed
For organisations, there are complex legal issues to consider. They must ensure that their cloud computing contracts take applicable legal and policy requirements into account, with specific clauses relating to topics such as data availability, resilience and recovery, as well as location, audit rights and access. For example, Article 28(3) of the GDPR sets out language that must appear in such contracts.
NHS organisations which may have shied away from adopting cloud solutions, when faced with myriad legal and other challenges, are advised to consider the guidelines carefully and take a fresh look at the market for cloud services. Cloud providers will no doubt see new opportunities to market their solutions to these organisations and as such will also need to be cognisant of the guidelines.