There have been a few raised eyebrows at the news that Microsoft is trialling an underwater data centre off the coast of Orkney as part of an effort to explore new, environmentally sustainable ways of storing data.
The impetus behind the project is the exponential growth in the amount of electronic information generated by individuals and organisations, which easily exceeds the storage capacity of ordinary computer hard drives and servers. As a result, most of us now entrust our data to third-party providers who have access to data centres around the world.
But for practices and hospitals, sensitive patient data cannot be uploaded to a cloud in the same routine way one might with a song or picture. The new data protection rules (the GDPR) say that whenever a data controller uses a processor it needs to have a written contract in place and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. The Information Commissioner’s Office has further guidance on its website.
Unsurprisingly, the ICO does not address the question of underwater data processing, but Microsoft plans to test its seabed data centre over the next five years, so it will be some time before we know whether the future of data storage lies beneath the waves. In the meantime, Healthcode customers can be reassured that our data processing operations take place on dry land and are fully compliant with the GDPR.
Here are some of the measures we have in place to protect your data and that of your patients:
- Private dedicated infrastructure – we use a secure data centre which is physically located in the UK, together with a separate secure disaster recovery facility.
- Daily data back-up.
- Encryption – electronic bills and clinical records submitted through our online system are securely encrypted in accordance with internet banking conventions using 256-bit certificates.
- Information security management – our internal policies, procedures and controls comply with ISO/IEC 27001:2013, the international standard.
- Resilience testing – we regularly review our security, including penetration tests to identify potential weaknesses and ensure systems remain fit for purpose as technology advances.
- Independent audit – clients can review our information security arrangements.
- Data protection by design – security is a primary consideration when developing services such as our secure encrypted messaging service.