...
The NHS Digital Health and Social Care data risk framework (cloud_risk_framework_document_final.pdf) and associated risk tool (health_and_social_care_data_risk_model.xlsx) are both used to establish the risk level of the data. Typically Personally Identifiable Data (PID) would be Level 5.
...
- The supplier will provide a completed table from the "cloud_security_good_practice_guide_final1", with a statement (or linked evidence) against each guidance line item that applies to the data classification level identified at step 2.
- Prior to implementation - where there are many data controllers using a solution (such as a GP system), NHS Digital would request evidence of the communications strategy used to inform all data controllers and to seek any dissent based on the identified risk.
- Prior to implementation - consideration around GDPR: the supplier should state that they have completed a Data Protection Impact Assessment (DPIA), provide it to the Catalogue Authority if requested, and confirm adherence to the relevant data protection legislation.
...
NHS Digital Associated Cloud Guidance Links:
- NHS and social care data: off-shoring and the use of public cloud services
- NHS and social care data: off-shoring and the use of public cloud services guidance
- Health and social care cloud risk framework
- Health and social care data risk model
- Health and social care cloud security one page overview