Swimming in Data

Last Updated: Monday, 17 May 2021 17:44

Last year Microsoft completed a 2-year trial of an underwater data centre off the coast of Orkney as part of an effort to explore new, environmentally sustainable ways of storing data. They concluded that underwater data centers are reliable, practical and use energy sustainably.

The impetus behind the project was the exponential growth in the amount of electronic information generated by individuals and organisations which easily exceeds the storage capacity of ordinary computer hard drives and servers. As a result, most of us now entrust our data to third party providers who have access to data centres around the world.

But for practices and hospitals, sensitive patient data cannot be uploaded to a cloud in the same routine way one might with a song or picture. Data protection rules (the UK GDPR) say that whenever a data controller uses a processor it needs to have a written contract in place and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the UK GDPR will be met and the rights of data subjects protected. The Information Commissioner’s Office (ICO) has further guidance on its website.

Unsurprisingly, the ICO does not address the question of underwater data processing, but as Microsoft is continuing its research, it will be some time before we know whether the future of data storage lies beneath the waves. In the meantime, Healthcode customers will be reassured that our data processing operations take place on dry land and are fully compliant with the UK GDPR.

Here are some of the measures we have in place to protect your data and that of your patients: 

  • Private dedicated infrastructure - we use a secure data centre which is physically located in the UK and a separate secure disaster recovery facility.
  • Daily data back-up.
  • Encryption - electronic bills and clinical records submitted through our online system are securely encrypted in accordance with internet banking conventions using 2048-bit certificates.
  • Information security management – our internal policies, procedures and controls comply with both ISO/IEC 27001:2013, the international standard, and the Government-backed Cyber Essentials Certification.
  • Resilience testing – we regularly review our security, including penetration tests to identify potential weaknesses and ensure systems remain fit for purpose as technology advances.
  • Independent audit – clients can review our information security arrangements.
  • Data protection by design – security is a primary consideration when developing services such as our secure encrypted messaging service.

 

Find out more about the Microsoft project.