Storing information using a data cloud

What is a data cloud?

Cloud computing services allow your data to be stored on a virtual, off-site server run by a third party. The benefit is that you can access the data from any computer with an internet connection. Of course, with increased convenience come significant security and confidentiality considerations.

ICO guidance

The ICO's guidance on cloud computing advises that anyone planning to use cloud computing to store patient data considers whether the 'processing of certain types of personal data could have a greater impact on individuals' privacy'.

Data controllers should review the personal data they process and decide whether there is any data that shouldn't be put in the cloud – for example, because specific assurances were given when the data was collected.

The ICO also recommends considering the following questions before opting for a data cloud as a storage method:

  • Will data be encrypted when in transit?
  • What are the deletion and retention timescales, and will the data be deleted securely if you withdraw from the cloud?
  • What audit trails are in place so you can monitor who is accessing the data?
  • In which countries does the provider process data? The General Data Protection Regulation (GDPR) restricts transfer of personal data outside the EU.
  • Will there be a digital contract in place which includes confidentiality clauses?

NHS Digital's guide to data handling and good practice states that 'data transfers should always be carried out over existing, protected and trusted NHS networks, however there may be occasions where data will need to be transferred over other networks. On these occasions the data files must be protected by encryption'.

Do I need patient consent?

ICO guidance states that organisations using cloud computing should take appropriate steps to tell their customers about processing arrangements, and be as open as possible.

Data protection law requires that personal data should only be handled in ways people would reasonably expect. It's unlikely patients would expect their sensitive medical information to be held in an off-site storage facility not under the direct control of their doctor; as such, it would be advisable to seek patient consent if storing their data in such a way, making them aware of any risks involved and, as far as possible, in which countries the data will be stored.

Private patients

If you provide private treatment, we recommend you adhere to the same levels of security as those implemented by the NHS.

This page was correct at publication on 10/08/2018. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.