The UK's NHS will trust data to foreign powers


Data center providers will have welcomed the recent announcement that the NHS has approved the storage of patient data outside the UK. This could remove a barrier to the development of international colocation and cloud services for health and research data, and free organisations from the requirement to store patient data in their own country.

But it may not be that simple. The decision is based on an EU-US agreement called the Privacy Shield, which is designed to protect personal data stored in foreign countries. A stamp of approval on the Privacy Shield from the NHS is important - the NHS is the largest employer in the UK, and the fifth largest in the world, and must have one of the largest stores of personal data about UK citizens.

But the Shield is still relatively new and untried, and the body charged with its oversight in the US appears to be dormant. The whole framework is still open to challenge. And it would not do to be complacent about it: that would be one of the top lessons to learn from the history of the Shield.

Since 1980, European countries have stipulated that their citizens’ personal data cannot be stored abroad without assurances that those people’s privacy will be protected. As international cloud services developed, US-based firms wanted to store and process data from their European customers, and to enable this, the Safe Harbour principles were developed between 1998 and 2000.

US companies could sign up to the Safe Harbour principles - essentially promising to protect privacy - and would then be allowed to store EU citizens’ data in the US.

Companies relied on the Safe Harbour principles for more than a decade, even though the US Patriot Act, passed in 2001, gave US government agencies far-reaching powers to access private data. The risks were occasionally flagged up, but in 2013 Edward Snowden leaked documents which showed the powers were being used (or misused) extensively. Whatever Safe Harbour said, EU citizens’ data was not safe in the US.

In October 2015, the Safe Harbour principles were struck down by the European Court of Justice, following a complaint by Austrian citizen Maximilian Schrems over Facebook’s data handling. A replacement agreement was quickly put together, and signed into law in July 2016.

Endorsement by the NHS is significant. NHS Digital (previously known as the Health and Social Care Information Centre) is the UK’s provider of clinical data for doctors and policy makers. It has been scrupulous about guarding privacy: in August 2016, after the publication of the Privacy Shield, it ordered an insurance and data management group, Health IQ, to remove UK citizens’ health data from non-UK services.

A guidance document from NHS Digital praises the benefits of the cloud, advises health service bodies to be aware of risks, and says “NHS and social care data can be safely hosted with certain organisations in the US,” provided they comply with the Privacy Shield.

That’s a vote of confidence. But it comes from a body in the UK, where privacy attitudes are closer to those of the US. Consultant Matt Allison is widely quoted saying "the EU's citizen-driven, regulated model will swiftly come into conflict with the market forces of the US and the UK."

There are still potential challenges to the Privacy Shield, which may be deemed admissible. And there are signs that, as with the Safe Harbour principles, the US may not be holding up its side of the bargain. The US government set up the Privacy and Civil Liberties Oversight Board to ensure that surveillance to prevent terrorism is “balanced” by the need to protect privacy and civil liberties, but the Board has been criticised for inactivity, and is vulnerable to political appointments.

While cloud providers and data center operators are right to welcome the NHS Digital decision, it’s not the end of the story...

Written by Peter Judge (Guest)


Peter Judge is the Global Editor at Datacenter Dynamics. His main interests are networking, security, mobility and cloud. You can follow Peter at: @judgecorp
