The UK's NHS will trust data to foreign powers

Data center providers will have welcomed the recent announcement that the NHS has approved the storage of patient data outside the UK. This could remove a barrier to the development of international colocation and cloud services for health and research data, and free organisations from the requirement to store patient data in their own country.

But it may not be that simple. The decision is based on an EU-US agreement called the Privacy Shield, which is designed to protect personal data stored in foreign countries. A stamp of approval on the Privacy Shield from the NHS is important: the NHS is the largest employer in the UK, and the fifth largest in the world, and must have one of the largest stores of personal data about UK citizens.

But the Shield is still relatively new and untried, and the body charged with its oversight in the US appears to be dormant. The whole framework is still open to challenge. And it would not do to be complacent about it: that would be one of the top lessons to learn from the history of the Shield.

Since 1980, European countries have stipulated that their citizens’ personal data cannot be stored abroad without assurances that those people’s privacy will be protected. As international cloud services developed, US-based firms wanted to store and process data from their European customers, and to enable this, the Safe Harbour principles were developed between 1998 and 2000.

US companies could sign up to the Safe Harbor principles - essentially promising to protect privacy - and would then be allowed to store EU citizens’ data in the US.

Companies relied on the Safe Harbour principles for more than a decade, even though the US Patriot Act, passed in 2001, gave US government agencies far-reaching powers to access private data. The risks were occasionally flagged up, but in 2013 Edward Snowden leaked documents which showed the powers were being used (or misused) extensively. Whatever Safe Harbour said, EU citizens’ data was not safe in the US.

In October 2015, the Safe Harbor principles were struck down by the European Court of Justice, following a complaint by Austrian citizen Maximilian Schrems over Facebook’s data handling. A replacement agreement was quickly put together, and signed into law in July 2016.

Endorsement by the NHS is significant. NHS Digital (previously known as the Health and Social Care Information Centre) is the UK’s provider of clinical data for doctors and policy makers. It has been scrupulous about guarding privacy: in August 2016, after the publication of the Privacy Shield, it ordered an insurance and data management group, Health IQ, to remove UK citizens’ health data from non-UK services.

A guidance document from NHS Digital praises the benefits of the cloud, advises health service bodies to be aware of risks, and says “NHS and social care data can be safely hosted with certain organisations in the US,” provided they comply with the Privacy Shield.

That’s a vote of confidence. But it comes from a body in the UK, where privacy attitudes are closer to those of the US. Consultant Matt Allison is widely quoted saying "the EU's citizen-driven, regulated model will swiftly come into conflict with the market forces of the US and the UK."

There are still potential challenges to the Privacy Shield, which may be deemed admissible. And there are signs that, as with the Safe Harbour principles, the US may not be holding up its side of the bargain. The US government set up the Privacy and Civil Liberties Oversight Board to ensure that surveillance to prevent terrorism is “balanced” by the need to protect privacy and civil liberties, but the Board has been criticised for inactivity, and is vulnerable to political appointments.

While cloud providers and data center operators are right to welcome the NHS Digital decision, it’s not the end of the story...

Written by Peter Judge (Guest)

Peter Judge is the Global Editor at Datacenter Dynamics. His main interests are networking, security, mobility and cloud. You can follow Peter at: @judgecorp
