NOTE: SOME OF THE ADVICE PUBLISHED IN THIS ARTICLE IS SUPERSEDED BY NHS DIGITAL POLICY CHANGES: NHS and social care data: off-shoring and the use of public cloud services

If you've ever wondered what the official line is - from the UK's NHS (National Health Service) – on whether the NHS and its business partners can back up patient identifiable data with third party cloud computing providers over the Internet - then this Save9 article might be of use to you.

One of Save9's major customers is an NHS Business Partner and we were recently tasked by their Information Governance team to find out if cloud backups of PID (Patient Identifiable Data) are permitted by the NHS from a technical, information security and information governance compliance perspective.

In summary, it is permissible to back up PID in the cloud, but there are some stringent technical, information security management and information governance requirements that must be adhered to, most of which are briefly outlined below.

Department of Health - view on using Cloud services

The statement below was made by a representative of the Department of Health in reply to a similar query that Save9 made to the NHS - relating to the use of cloud computing:

“At this point there is no DH prohibition on local Trusts processing their data via Cloud services or offshore. However, there is an expectation that information assets are understood, comprehensive/rigorous risk assessment and management is documented and undertaken by the local organisation, that NHS IG policies and standards are applied, that legal obligations are satisfied, and that the data involved does not originate from DHID /CFH /HSCIC provisioned services - as would contravene our CFH policy. It is the responsibility of the local SIRO to accept any risks in consultation with their Board, Caldicott Guardian, assigned information asset owners and supporting IG teams.”

Note: NHS Connecting for Health ceased to exist at the end of March 2013 and HSCIC was renamed NHS Digital in July 2016.

Note: A 'Caldicott Guardian' (named after Dame Fiona Caldicott - the UK's National Data Guardian) is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. Each NHS organisation is required to have a Caldicott Guardian; this is mandated for the NHS.

Department of Health - Information Security and Risk Policy – view on Cloud Computing

Here is a copy of a response received from the Infrastructure Security Team and the Department of Health - Information Security and Risk Policy Lead:

“Locally, Senior Information Risk Owners and Information Asset Owners are responsible for ensuring security assessment, approvals including risk acceptance, and that there is an expectation generally for compliance with NHS IG policies and good practice. This essentially means perform a local risk assessment, stay within the law and the IG Assurance Framework, don't commit to anything that is not fully understood, and/or that you do not have appropriate confidence in.”

A recent response from the Infrastructure Security Team made reference to the Department of Health - Information Security and Risk Policy Lead commenting on the offshoring of data:

“…a specific area to be mindful of in relation to 'cloud computing' is the potential for 'offshoring' of sensitive data to occur. This could happen, for example, if utilising a 'public cloud' provider which has data centre facilities all over the world. There is the possibility that sensitive information could end up outside of England due to the way that some public providers manage data 'in the cloud'.”

Storing PID (Patient Identifiable Data) outside of England is not permitted

Patient Identifiable Data should not be recorded outside of the England boundary in any format for any reason without the prior explicit written permission of the NHS. For further information on 'offshoring', the Operational Security Team (OST) of NHS Digital helped Save9 clarify the current NHS data storage and transmission restrictions in place - by signposting us to a specific NHS Offshore Support Requirement document.

The N3 is the NHS private WAN (Wide Area Network) used by NHS hospitals, organisations and their partners, with connections strictly limited to authorised endpoints.

If this article is not detailed enough for a specific project you have in mind, or you would like some assistance in specifying and deploying a cloud backup solution that meets (or exceeds) your data security and information governance compliance needs, then please contact Steve Bromham at Save9 via our contact form or phone number below.