The National Health Service does not operate a data localisation policy. In January 2018 the Department, NHS England, NHS Digital and NHS Improvement published guidance for the NHS on offshoring patient data. A copy of NHS and social care data: off-shoring and the use of public cloud services is attached.
NHS and social care organisations are permitted to host patient identifiable data in countries that provide an adequate level of protection; within the United Kingdom, the European Economic Area, countries deemed by the European Commission to have adequate protections for the rights of data subjects, or in the United States where covered by Privacy Shield. There are no restrictions on where in the UK data may reside. For example, data from the NHS in England data may be hosted in Scotland, and vice versa.
The guidance makes clear that while there are no additional risks attached to hosting data offshore, local data controllers should adopt a risk based approach to decision making about offshoring data. This provides data controllers with the option of keeping data onshore when they feel it necessary to do so.