
Security assurance guidance

This guidance provides information to support you during the DARS security assurance stage.

Security assurance

Applicants must demonstrate compliance with NHS England’s minimum security standards.

The Data sharing standard 2a Security assurance provides further information on

For applicants who want to use cloud storage, additional scrutiny and assessment apply. This guidance provides further information on how to apply the standard to DARS applications, the specific DARS requirements, and the supporting evidence required.


Cloud hosting

NHS England has published guidance that enables health and social care organisations to use cloud services and/or store patient data offshore.

Organisations that include the use of cloud services and/or store patient data offshore in their DARS applications will need to provide evidence that they have undertaken the steps described in the guidance for their application to progress.

NHS and social care data: off-shoring and the use of public cloud services provides an overview of the requirements. The Health and social care cloud security good practice guide provides greater detail and a 4-step method for understanding the risk of the data that needs to be stored and processed, and the safeguards that must be put in place to do so securely.

Step 1 – Understand the data you are dealing with
Step 2 – Assess the risks associated with the data
Step 3 – Implement appropriate controls
Step 4 – Monitor the implementation and ongoing risks

The Health and social care cloud security one page overview is, as its name suggests, a single-page version of the 4 steps above, intended to support data controllers.

The Health and social care cloud risk framework should be used to assess and manage the risks associated with the use of public cloud services.

The Health and social care data risk model should be used to assess and record the details of any proposed use of cloud services, by producing a risk class indication that is then used to define the required controls.


Specific DARS requirements

The controls below should be identified in your risk assessment to meet your contractual obligations and UK data protection legislation, and are listed here as requirements:

Data destruction – an NHS England-approved method to prevent the recovery of any data that is no longer required, applied at the end of the DARS Agreement, at the end of the retention period, or on the issue of a Data Destruction Notice (DDN).

Encryption at rest – encryption of data in cloud storage.

Encryption in transit – encryption of data in transit between the cloud provider and the end user.

Geography or jurisdiction – a risk assessment that supports the chosen storage location or locations.


Evidence to support a DARS application

For applications that include the use of cloud services, the following documentation should be provided to support the application:

  1. The type of cloud service(s) that you are using, to confirm that you have considered the risks associated with each service. Examples of cloud services include cloud storage, Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
  2. A completed Health and social care data risk model, to confirm that the data class has been assessed.
  3. A cloud risk assessment, to confirm that an appropriate risk assessment has been undertaken and that the applicant has considered all risks associated with the use of cloud services.

Last edited: 13 May 2026 12:49 pm