The U.K.'s National Health Service (NHS) has published guidance for health and social care organizations that plan to use public cloud services or data offshoring to cache patient data.
The guidance explains the overall benefits and risks of employing public cloud services as well as the legalities and best practices for storing and using personal data. It also emphasizes the need for tighter restrictions on securing confidential patient information.
In summary, the guidance highlights several key points:
- NHS and social care providers can only use cloud-computing services hosted within the European Economic Area (EEA), a country approved by the European Commission, or in the U.S. if covered by the Privacy Shield program.
- NHS organizations should have a senior information risk owner, data protection officers, and/or Caldicott guardians in charge of data and cyber security. Best practice security arrangements are available in the National Cyber Security Essentials.
- Strict restrictions apply to the transfer of personal information, including those imposed by data protection legislation such as the General Data Protection Regulation (GDPR), which takes effect on 25 May 2018.
Furthermore, regularly updated advice from the Information Commissioner's Office is available.