Sovereignty: A strategic imperative the NHS cannot ignore

Digital sovereignty – control over data, technology, and operations – receives only a fraction of the attention given to AI. That needs to change, agreed digital leaders at a recent Digital Health roundtable, supported by Rackspace Technology

The NHS’s increasing reliance on AI to deliver connected, data-driven care has inevitably focused attention on systems’ security and resilience, with recent outages and cyber attacks exposing alarming fragility.

An additional, emerging concern, however, is the dependence on US-based technology in a time of rising geopolitical instability and the certainty of UK control.

It is against this background that digital sovereignty – control over data, technology, and operations – is now being discussed in NHS organisations.

But according to the participants at the roundtable discussion, held at the Digital Health Rewired conference in Birmingham on 24 March, and supported by Rackspace Technology, sovereignty is still poorly understood and receiving far less attention than its importance warrants.

The roundtable panel brought together NHS chief information officers (CIOs), chief digital information officers, trust non-executive directors and senior executives from Rackspace Technology, which provides Sovereign Healthcare Cloud, a UK digitally sovereign cloud solution built to meet UK security and compliance needs of the NHS.

Sovereignty should be a strategic priority, not a technical issue. As one digital leader said: “This has to be part of the DNA of an organisation. It should be on the board agenda for all trusts – but I don’t think it is.”

One contributor with a governance background questioned whether some organisations even fully understand where their data is hosted and who has access to it.

Roundtable chair Lee Rickles, CIO at Humber Teaching NHS Foundation Trust, stressed that failing to get to grips with sovereignty could have much more severe consequences for a provider organisation than the types of failure associated with AI systems.

Yet it is AI that dominates local discussion and national policy. He pointed out that sovereignty does not even feature in the 10 year health plan.

Need for national policy

A strong theme of the discussion was concern that the UK is lagging behind other countries in terms of the priority given to digital sovereignty.

“France has taken leadership – they’ve invested heavily and decided this matters,” said one contributor.

History suggests, the panel agreed, that the UK government is far more likely to be reactive – to “wait for failure” before moving on sovereignty.

“We need a national policy,” said one contributor

Without a clear national policy position, progress would depend too much on individual leaders and local risk appetite, leading to inconsistency across the system.

A national framework might be a way to mandate minimum sovereignty standards, it was suggested.

At the same time, some roundtable participants acknowledged the need for a pragmatic, risk-based approach, investing in sovereign critical systems where the need is greatest rather than attempting to “boil the ocean” and do everything at once.

Treating all data as equally sensitive would make sovereignty unmanageable. Instead, workloads should be prioritised by sensitivity and risk.

“Anywhere there is aggregation of data – hundreds of thousands of patient records – that’s probably where I’d start,” said one contributor.

Electronic patient records and, “ironically”, shared data environments, which are designed to safeguard sensitive data, create a concentration of risk requiring the strongest sovereignty controls.

Another contributor said: “I would start by moving everything out of hyperscale American providers.”

Beyond data location

At the same time, participants noted that sovereignty goes beyond data location. It includes, for example, infrastructure resilience and recoverability, with loss of access sometimes more damaging than data breaches.

Access management and control over authentication systems should be among the “non-negotiable” components of sovereignty, said one contributor.

Several speakers expressed concern that current procurement and contracting processes do not support sovereignty or hold suppliers to account.

Interoperability is an issue, with some suppliers resisting data portability, which locks organisations into their platforms and undermines sovereignty in practice.

But the fault is not all on the supplier side. “We are really poor customers,” said one CIO.

“We need to make sure that delivery against contract happens, but we get what we ask for – probably nothing.”

Local digital leaders also have an important role to play in explaining the significance of sovereignty to their boards.

One non-executive director warned that boards often underestimate sovereignty risks unless those risks are framed in terms of compliance, operational impact and patient or customer trust; if it becomes a “technical” discussion you have “lost” the board.

In reality, NHS organisations are “custodians of patient data” and need to accept the responsibilities that come with that role.

As the roundtable drew to a close, the chair emphasised that sovereignty should be viewed positively, as an enabler of innovation rather than a barrier.

For healthcare organisations, the rewards of taking pragmatic steps to address sovereignty are considerable: improved trust, resilience and long-term innovation.

“Sovereignty is another tool,” said Rickles. “It’s an opportunity.”

You find out more about Rackspace Technology’s sovereign Healthcare Cloud solution here.

Read more about NHS cyber resilience and recovery in our latest Insights Report.