Posted Friday June 7, 2019
In the week Donald Trump arrived in the UK saying that any trade deals between us and America after Brexit must have the NHS on the table, I also learned that 40 million patient records are to be transferred to 'the cloud'.
I found out early last week that as of June 10 2019, EMIS will be transferring 40 million patient records to Amazon Web Services (AWS), a third-party cloud-based service owned by Amazon.
What is the Government saying?
With all this going on, Health Secretary Matt Hancock has stated that the NHS is not being privatised, and should not form part of any post-Brexit deal with America. In fact, he also says that if he becomes Prime Minister he will roll back some of the current privatisation.
This is the first I have heard about the move to cloud-based storage, and apart from a couple of brief announcements in December 2018 there has been little or no reporting of it online.
EMIS will have had to get permission from NHS England and the Health Secretary to make this move and, in my mind at least, this contradicts the Health Secretary’s comments. Neither our LMC nor our CCG knew about the change and I am sure many others have no idea this is happening.
Mixed messages about the switch
I only got to find out about this move when EMIS advised my practice that we ‘may want to tell our patients’ of the changes to their patient records. An email we received from the GPC made it clear that there is no ‘may’ about it - under GDPR and the DPA 2018 it is mandatory to tell patients about this change.
As the records are supposedly being transferred over a period of time, providing such details presents a series of problems.
The biggest question to me is: why does the biggest provider of healthcare clinical systems have to transfer our data to a third party? I do not understand why permission was granted. I may not be very technical but the thought that patient records are being stored ‘in the cloud’ worries me.
My concerns over data safety
No matter how safe these systems may be, where there is a will, there is always a way to launch cyber-attacks and for data to find its way into the wrong hands. Whilst we are assured that AWS is a UK-based company, the holding of sensitive data by another company does not seem right.
We are seeking advice from our Data Controller but this whole episode leaves me further concerned as to where the NHS is heading. So who should we believe? To be quite honest I’m not really sure - and I feel the NHS is being used as a political pawn by any number of people.