PRIVACY ADVOCATES have been quick to slam NHS Digital’s decision to approve the off-shoring of patient data.
NHS Digital this week published guidance for health and care organisations that want to use the public cloud to store patient data.
As well as the ability to work more flexibly, NHS Digital says that the cloud will lower costs by avoiding hardware and software purchases and maintenance.
The guidance sets out legalities and best practices for data storage and usage in the cloud, and is aimed at ensuring that NHS organisations understand how to use the cloud safely; a topic becoming even more important with the impending GDPR legislation.
The GDPR requires European citizens’ data to be stored within Europe, or a country that is compliant with the European Commission’s data protection regulations. The NHS’s guidance echoes that, with data able to be stored in the UK; European Economic Area; and ‘countries deemed adequate by the European Commission’, including Canada, Andorra and Uruguay.
Unsurprisingly, the move has already been met with opposition. Jim Killock, executive director of the Open Rights Group, said that the off-shoring of sensitive patient data is a “dangerous move” and could have serious ramifications.
Killock told the BBC: “This is a dangerous move that could open up patient data for surveillance purposes, and that could have ramifications for patient health.
“People might avoid getting care, which would obviously be very bad. Patient confidentiality has to come first.”
Killock is especially critical of the UK-USA Privacy Shield arrangement (the USA is one of the countries deemed ‘adequate’ by the European Commission, where covered by Privacy Shield), which he called “highly open to legal challenge.”
Carl Leonard, the principal security analyst at Forcepoint, is also sounding the alarm bells, and said in a statement sent to INQ that “although the cloud certainly offers benefits in the area of security, they should not be viewed as bullet-proof custodians of customer data – providers need to put controls in place to ensure they’re able to drive those benefits.
“With GDPR enforceable in May, individual care providers will have to ensure that the processing and storing of patients’ personal data meets the requirements set out in the regulation. The magnifying glass will be pointed at all organisations who control and process data – no matter where they store it. It is vital to ensure you manage that risk.” µ
Source: Inquirer