Data center providers will have welcomed the recent announcement that the NHS has approved the storage of patient data outside the UK. This could remove a barrier to the development of international colocation and cloud services for health and research data, and free organisations from the requirement to store patient data in their own country.
But it may not be that simple. The decision rests on an EU-US framework called the Privacy Shield, which is designed to protect EU citizens' personal data when it is transferred to and stored in the US. A stamp of approval on the Privacy Shield from the NHS is important: the NHS is the largest employer in the UK, and the fifth largest in the world, and must hold one of the largest stores of personal data about UK citizens.
But the Shield is still relatively new and untried, and the body charged with its oversight in the US appears to be dormant. The whole framework remains open to legal challenge. And it would not do to be complacent about it: that is the main lesson of the history that led to the Shield.
Since 1980, European countries have stipulated that their citizens’ personal data cannot be stored abroad without assurances that those people’s privacy will be protected. As international cloud services developed, US-based firms wanted to store and process data from their European customers, and to enable this, the Safe Harbour principles were developed between 1998 and 2000.
US companies could sign up to the Safe Harbour principles, essentially promising to protect privacy, and would then be allowed to store EU citizens' data in the US.
Companies relied on the Safe Harbour principles for more than a decade, even though the US Patriot Act, passed in 2001, gave US government agencies far-reaching powers to access private data. The risks were occasionally flagged up, but in 2013 Edward Snowden leaked documents which showed the powers were being used (or misused) extensively. Whatever Safe Harbour said, EU citizens’ data was not safe in the US.
In October 2015, the Safe Harbour principles were struck down by the European Court of Justice, following a complaint by Austrian citizen Maximilian Schrems over Facebook's handling of his data. A replacement agreement was quickly put together, and the European Commission formally adopted the Privacy Shield in July 2016.
Endorsement by the NHS is significant. NHS Digital is the UK’s provider of clinical data for doctors and policy makers (previously known as the Health and Social Care Information Centre). It has been scrupulous about guarding privacy: in August 2016, after the publication of the Privacy Shield, it ordered an insurance and data management group, Health IQ, to remove UK citizens’ health data from non-UK services.
A guidance document from NHS Digital praises the benefits of the cloud, advises health service bodies to be aware of risks, and says “NHS and social care data can be safely hosted with certain organisations in the US,” provided they comply with the Privacy Shield.
That’s a vote of confidence. But it comes from a body in the UK, where privacy attitudes are closer to those of the US. Consultant Matt Allison is widely quoted saying "the EU's citizen-driven, regulated model will swiftly come into conflict with the market forces of the US and the UK."
There are still potential legal challenges to the Privacy Shield, which the courts may yet deem admissible. And there are signs that, as with the Safe Harbour principles, the US may not be holding up its side of the bargain. The US government set up the Privacy and Civil Liberties Oversight Board to ensure that surveillance to prevent terrorism is "balanced" by the need to protect privacy and civil liberties, but the Board has been criticised for inactivity, and is vulnerable to political appointments.
While cloud providers and data center operators are right to welcome the NHS Digital decision, it’s not the end of the story...