Storing information using a data cloud

Storing patient information in a cloud can be useful – but it's worth making sure you've considered data security and confidentiality issues.

What is a data cloud?

Cloud computing services allow data to be stored on a virtual, off-site server run by a third party. The benefits are that you and any of your staff (with a legitimate reason to do so) can access the data from any computer with an internet connection.

Of course, with increased convenience come significant security and confidentiality considerations for data controllers.

ICO guidance

The ICO's guidance on cloud computing advises that anyone planning to use cloud computing to store patient data should consider whether the 'processing of certain types of personal data could have a greater impact on individuals' privacy'.

Data controllers should review the personal data they process and decide whether there is any data that shouldn't be put in the cloud - for example, because specific assurances were given when the data was collected.

The ICO also recommends considering the following questions before opting for a data cloud as a storage method:

  • will data be encrypted when in transit?
  • what are the deletion and retention timescales and will the data be deleted securely if you withdraw from the cloud?
  • what audit trails are in place so you can monitor who is accessing the data?
  • in which countries does the provider process data? The UK General Data Protection Regulation (UK GDPR) restricts the transfer of personal data outside the UK or to international organisations
  • will there be a digital contract in place that includes confidentiality clauses?

For data controllers working within the NHS in England, NHS Digital's good practice guide to cloud security suggests a four-step process to using cloud services:

  • understand the data you're dealing with
  • assess the associated risks with the data
  • implement appropriate controls
  • monitor the implementation and ongoing risks.

The Scottish government has produced public sector cloud computing guidance here - which contains advice on security considerations and suggested risk assessment considerations and questions.

The NHS Wales Shared Services Partnership has also published guidance on cloud-based platforms including specialist advice on cyber security.

There is currently no guidance on using cloud-based platforms in Northern Ireland, but the ICO retains oversight.

Do I need patient consent?

The ICO guidance states that organisations using cloud computing should take appropriate steps to tell their customers about processing arrangements, and be as open as possible.

Data protection law requires that personal data should only be handled in ways people would reasonably expect. It's unlikely patients would expect their sensitive medical information to be held in an off-site storage facility not under the direct control of their doctor. As such, it would be advisable to seek patient consent if you or your organisation is storing patients' personal data in this way, making them aware of any risks involved and, as far as possible, in which countries the data will be stored.

Private patients

If you provide private treatment, we recommend you adhere to the same levels of security as those implemented by the NHS.

This page was correct at publication on 01/11/2022. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.