In 2017 the EMT mandated the repatriation of all cloud services and data back to UK regions. If hosting outside of the UK is required, approval from the SIRO and EMT is required.
The following principles apply to all services for which NHS England is considering the use of a Cloud Platform or co-location services, in relation to data security, where the data class has been identified using the Cloud Risk Assessment.
Where class 1 or class 2 data is identified, or where services hold no sensitive data, IAOs may use cloud computing services, IaaS or PaaS, for NHS data with the following caveats and principles:
- Data must only be hosted within the UK. Hosting in the European Economic Area (EEA), in a country deemed adequate by the European Commission, or in the US where an International Data Transfer Agreement (IDTA) is in place, can only be relied upon if the risks of the transfer are sufficiently low and the transfer has SIRO and EMT approval. It is necessary to conduct a UK GDPR Article 46 Risk Assessment to assess such risk.
- Development, test and User Acceptance Testing environments may use cloud services in the UK, the EEA, a country deemed adequate by the European Commission, or the US where an International Data Transfer Agreement (IDTA) is in place, as long as synthetic or test data is utilised. Hosting outside the UK can only be relied upon if the risks of the transfer are sufficiently low and the transfer has SIRO and EMT approval. It is necessary to conduct a UK GDPR Article 46 Risk Assessment to assess such risk.
As part of this governance, and reflecting NHS England's risk appetite for data classified above "Class 2", the following principles apply and can only be overruled by exception by the SIRO and the Executive Management Team.
Where class 3, 4 or 5 data is identified, IAOs may use cloud computing services, IaaS or PaaS services, for NHS data with the following caveats and principles:
- Provided that the utmost care is taken when collecting, transferring, storing and processing patient data, NHS and social care organisations are permitted to host data within the UK, the EEA (countries deemed by the European Commission to have adequate protections for the rights of data subjects), or the US where an International Data Transfer Agreement (IDTA) is in place. Hosting outside the UK can only be relied upon if the risks of the transfer are sufficiently low and the transfer has SIRO and EMT approval. It is necessary to conduct a UK GDPR Article 46 Risk Assessment to assess such risk.