Offshoring Data of NHS (National Health Service) England

[kreid]

Hello,

I have heard that the offshore storage of sensitive data from NHS England is prohibited.

Does anyone have any specific references for this?

Thanks

 

[pkost]

I'd take a look here:
14.1-209

It doesn't appear to be specifically prohibited, but it must comply with the Data protection act (soon to be replaced by the General data protection regulation)

 

[Ian_Morris]

I would ask where the instruction that data must not be off-shored has come from, it may be a mis-interpretation of the requirement or someone who is mitigating the potential risk for a data breach by not allowing off-shoring the data.

Looking at the site mentioned by pkost, the NHS site references the Data Protection Act and the DPA principle 8 states

"Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

There are circumstances where data can be off-shored, i.e. the EU-US bi-lateral agreement known as the privacy shield, but generally you have to be careful to ensure that no data goes outside of these parameters.

The key thing would be to check data storage and transfer to make sure that it is bound contractually to being compliant with EU Directives and DPA and there is no clauses about the supplier moving the data.

Just one final thought, as with anything like this, I would recommend obtaining legal advice and use specialist contractors for data storage or processing.

Hope this helps.

Ian