NHS favors cloud storage and DPOs are expected to secure it


The NHS (National Health Service, the healthcare system for England) has issued guidance affirming that “NHS and social care organisations can safely locate health and care data, including confidential patient information, in the public cloud including solutions that make use of data off-shoring”. (Quotes from “NHS and social care data: off-shoring and the use of public cloud services”.)

According to them, cloud services are to be favored because they are better at:

  • “updating, maintaining, patching and securing their infrastructure”, and have
  • “lower IT costs and the ability to develop, test and deploy services quickly without large capital expense”

“You may need to recruit the right capability to deliver and manage cloud services if your organisation has no prior experience of running this type of service.”

Many Qualys customers that I’ve spoken to report that auditing Cloud infrastructure requires specialized skills. Finding people with these skills is hard, they observe. Hiring and keeping such rare staff is even harder.

“As an organisation, you retain Data Controller responsibility.”

NHS Digital may be giving the NHS and social care organisations the green light for storing sensitive data in the cloud, but they didn’t write a blank check. They also remind the organizations that they remain accountable – GDPR still applies!

Only 4 in 10 businesses (38%) in the United Kingdom have even heard of GDPR. Of those that were aware of the regulation, just over a quarter of businesses (27%) have made any changes to how they operate, directly as a response to the forthcoming changes to the data protection regulation. (“Cyber Security Breaches Survey 2018: Preparations for the new Data Protection Act”)

Solving the problem of securely storing confidential patient information is left as an exercise for the DPO, in the event that there should even be one.