GDS and NHS Digital asked to review policies after collapse of Privacy Shield agreement and ongoing lack of data adequacy status with EU
The Government Digital Service is reviewing Whitehall’s strategies for the use of cloud services and for the transfer of data across borders.
These examinations come in light of the European Court of Justice verdict in the so-called ‘Schrems II’ case, in which the court invalidated the Privacy Shield agreement that had, since 2016, ensured the lawfulness of transfers of personal data between the EU and the US.
Under Privacy Shield, US data processors – including the major social networks and public-cloud providers – could self-certify their compliance with the relevant European data-protection laws. The agreement also committed tech firms to certain obligations, including increased oversight and remedial measures.
On top of the removal of the protections of Privacy Shield, the UK has also yet to be granted so-called data-adequacy status by the EU. This is needed to ensure that, after Brexit, data can continue to be lawfully transferred between the UK and the remaining 27 member states.
In light of this uncertain future, GDS is reviewing government strategy on the use of overseas-based cloud hosting firms, and on the transfer of data across borders.
Lord Agnew, the minister responsible for overseeing the work of the digital agency, said: “GDS is currently reviewing cross-government cloud policy and guidance, including the Cloud First policy. This includes reviewing the cloud hosting market and associated regulatory environment.”
He added: “GDS is currently undertaking a risk assessment of all of its services and products – including GOV.UK – in relation to cross-border data flows. The new ECJ judgment [on Privacy Shield] will be considered as part of this assessment.
“The assessment will identify relevant data flows and make sure appropriate mitigation is implemented if necessary, following updates and guidance from the Information Commissioner’s Office and the European Data Protection Board. GDS has engaged with other government departments via data advisory groups and data protection networks to ensure consistent mitigation.
“Ultimately, however, it is a decision for individual government organisations where and how to store their data, provided it is done in a secure way and offers good value for money.”
The government has previously indicated that, following the invalidation of Privacy Shield, it is working with the ICO to provide updated guidance for businesses and public sector bodies as soon as possible.
In 2018, the DHSC and all national NHS bodies jointly announced that, following the implementation of Privacy Shield, public sector bodies should feel free to host health and social care data in the US.
Lord Bethell, minister for innovation in the Department of Health and Social Care, said that NHS Digital is now also reviewing its guidance for the use of cloud services by health-service organisations.
“The cloud security suite of documents is currently being reviewed as part of NHS Digital’s regular management cycle and is due for re-issue before the end of the year,” Bethell said. “NHS Digital is currently awaiting updated guidance following the judgement by the European Court of Justice from the Information Commissioner’s Office. Once received it will be incorporated into its guidance for the health and social care sector.”
Both Agnew and Bethell were answering written parliamentary questions from Liberal Democrat peer Lord Clement-Jones.
The ‘Schrems II’ case, as it is commonly referred to, is named after Austrian privacy activist Max Schrems, whose earlier legal challenge led the ECJ to invalidate Privacy Shield’s predecessor, the Safe Harbor arrangement.