The UK's NHS will trust data to foreign powers



Data center providers will have welcomed the recent announcement that the NHS has approved the storage of patient data outside the UK. This could remove a barrier to the development of international colocation and cloud services for health and research data, and free organisations from the requirement to store patient data in their own country.

But it may not be that simple. The decision is based on an EU-US agreement called the Privacy Shield, which is designed to protect personal data stored in foreign countries. A stamp of approval on the Privacy Shield from the NHS is important: the NHS is the largest employer in the UK, and the fifth largest in the world, and must have one of the largest stores of personal data about UK citizens.

But the Shield is still relatively new and untried, and the body charged with its oversight in the US appears to be dormant. The whole framework is still open to challenge. And it would not do to be complacent about it: that would be one of the top lessons to learn from the history of the Shield.

Since 1980, European countries have stipulated that their citizens’ personal data cannot be stored abroad without assurances that those people’s privacy will be protected. As international cloud services developed, US-based firms wanted to store and process data from their European customers, and to enable this, the Safe Harbour principles were developed between 1998 and 2000.

US companies could sign up to the Safe Harbor principles - essentially promising to protect privacy - and would then be allowed to store EU citizens’ data in the US.

Companies relied on the Safe Harbour principles for more than a decade, even though the US Patriot Act, passed in 2001, gave US government agencies far-reaching powers to access private data. The risks were occasionally flagged up, but in 2013 Edward Snowden leaked documents which showed the powers were being used (or misused) extensively. Whatever Safe Harbour said, EU citizens’ data was not safe in the US.

In October 2015, the Safe Harbor principles were struck down by the European Court of Justice, following a complaint by Austrian citizen Maximilian Schrems over Facebook’s data handling. A replacement agreement was quickly put together, and signed into law in July 2016.

Endorsement by the NHS is significant. NHS Digital (previously known as the Health and Social Care Information Centre) is the UK’s provider of clinical data for doctors and policy makers. It has been scrupulous about guarding privacy: in August 2016, after the publication of the Privacy Shield, it ordered an insurance and data management group, Health IQ, to remove UK citizens’ health data from non-UK services.

A guidance document from NHS Digital praises the benefits of the cloud, advises health service bodies to be aware of risks, and says “NHS and social care data can be safely hosted with certain organisations in the US,” provided they comply with the Privacy Shield.

That’s a vote of confidence. But it comes from a body in the UK, where privacy attitudes are closer to those of the US. Consultant Matt Allison is widely quoted saying "the EU's citizen-driven, regulated model will swiftly come into conflict with the market forces of the US and the UK."

There are still potential challenges to the Privacy Shield, which may be deemed admissible. And there are signs that, as with the Safe Harbour principles, the US may not be holding up its side of the bargain. The US government set up the Privacy and Civil Liberties Oversight Board to ensure that surveillance to prevent terrorism is “balanced” by the need to protect privacy and civil liberties, but the Board has been criticised for inactivity, and is vulnerable to political appointments.

While cloud providers and data center operators are right to welcome the NHS Digital decision, it’s not the end of the story...


Written by Peter Judge (Guest)


Peter Judge is the Global Editor at Datacenter Dynamics. His main interests are networking, security, mobility and cloud. You can follow Peter at: @judgecorp
