NHS Digital Guidance on Data Offshoring and Cloud Computing

UKCloud Health welcomes the published guidance from NHS Digital, NHS England and the Department for Health and Social Care as it encourages health and care organisations to harness the potential of cloud, whilst also highlighting the key challenges of adopting the global public cloud platforms that our government-grade multi-cloud platform is specifically designed to address.

It provides reinforcement of the business and technical benefits of cloud services to the health and care community.

It also provides a timely reminder to health and care organisations that it is their responsibility to consider the technical, privacy, commercial and legal implications and to ensure that appropriate safeguards are implemented.

This is especially relevant in light of the tighter restrictions on the processing and transfer of personal data that apply once the EU General Data Protection Regulation (GDPR) takes effect in May 2018.

UKCloud Health urges all health and care organisations to use this guidance to accelerate their review of how cloud services can help them to control IT costs whilst also providing a safe platform for innovation.

As a specialist provider for health and care organisations UKCloud Health has developed a government-grade cloud platform which specifically mitigates the risks associated with generic public clouds as outlined in the published guidance:

  • Our multi-cloud platform brings together the most popular cloud technologies enabling our customers to harness the cloud even for applications that were not originally designed to run in the cloud
  • As well as open-source cloud native platforms that appeal to the new breed of DevOps and WebOps teams, we also provide enterprise cloud platforms built on familiar technologies from Microsoft, Oracle and VMware. This enables health and care organisations to use their existing skills and capabilities whilst modernising and embracing cloud native solutions at their own pace
  • Our platforms are exclusively hosted across two government-grade sites within the UK, using the same datacentres as Crown Hosting. We provide native connectivity to N3/HSCN as an alternative to our scalable and DDoS-resilient Internet connections. This removes the risk of data being accidentally replicated to non-EEA regions and reduces its exposure to unauthorised users such as cyber activists
  • As a Crown Commercial Services approved supplier, our terms and conditions are aligned to government standard terms and conditions and our cloud services are therefore compliant and provide legal certainty from the outset. We provide you with the flexibility of genuine pay-as-you-go pricing (with no hidden costs such as data egress) as well as options that provide you with predictability of budgeting and spend.

Further, cloud is more than just hosting. The trend is towards outcome-based services such as software-as-a-service, and UKCloud Health is at the centre of a community of more than 250 partners focused on developing specific applications for the health and care community.

How UKCloud Health supports every step of the published guidance

At UKCloud Health we’re ready to help health and care organisations understand how to implement the necessary safeguards to ensure the safe and appropriate use of our cloud platform, and to realise the exciting potential this technology can deliver. We offer expert advice for each of the four steps outlined in the published guidance:

  1. We will use our experience of supporting hundreds of public sector cloud programmes to help you understand the different types of data and information that you store and process.
  2. We help you understand how to appropriately risk-assess your requirements in line with the NCSC Cloud Security Principles and the forthcoming GDPR. We’ll help you determine which controls you should expect from the cloud provider and which controls you should plan to implement within the application.
  3. We provide detailed and comprehensive evidence of how we have implemented the controls associated with the Cloud Security Principles, as well as evidence of how we are ‘demonstrably compliant’ in our role as a GDPR data processor.
  4. We commit to regularly update our evidence packs related to the independent verifications and testing that we commission on our cloud service. This enables you to regularly review our continued compliance with your risk management requirements.

Potential cloud solutions for health and care organisations

Examples of how health and care organisations can use services from UKCloud Health:

  • Use cloud as a backup in case your primary systems are hit by an IT outage such as a ransomware attack
  • Consider replacing your computer room or data centre with cloud hosting and avoid large capital expenditure and complex upgrades
  • Develop new systems and applications using cloud and avoid delays and upfront costs associated with traditional infrastructure
  • Move existing IT systems into the cloud so that you can avoid the costs of upgrades and expansion
  • Embrace software-as-a-service (SaaS) using UKCloud Health’s vibrant community of specialist software developers, so that you can focus on patient outcomes not IT systems

Causes for health and care organisations to be concerned

When considering cloud services, health and care customers should weigh the following:

  • Privacy Shield is recommended as the principal mechanism to allow UK health data to be hosted in the US (section 2 and page 7 of the published guidance)
    • The ICO and Europe’s data protection regulators (currently known as the Article 29 Working Party) have documented “prioritised concerns” about Privacy Shield and may initiate legal action against Privacy Shield if these concerns have not been addressed by the time GDPR takes effect.
    • The guidance makes it clear that responsibility rests with you to understand and mitigate the costs and legal complexity of subjecting UK health data to multiple non-EU jurisdictions
    • Why not use UK sovereign cloud services and avoid these potential costs and risks?
  • Given the heightened cybersecurity landscape, including activity such as WannaCry, should you rely solely on the Internet to connect to cloud services (section 12a), or should you also use cloud services that are natively connected to N3/HSCN?
  • Do you have the skills and capabilities to make a wholesale shift to the DevOps-centric global cloud platforms (section 12c)? Or would you prefer to leverage your existing skills and tools built around familiar technologies such as Oracle and VMware?
  • Global cloud providers may give themselves rights to export your customer (personal) data anywhere in the world, without notice, irrespective of your choice of processing region (for example: Amazon Web Services, G-Cloud 9 Terms & Conditions, Section 3.3). This conflicts with Article 28(3)(a) of the GDPR, which requires a processor to act only on the controller’s documented instructions, including with regard to transfers to a third country.

Further questions or want to find out how the guidance could impact your organisation? Contact us today.