Re: "This helps to ensure that ... data is kept safe and secure"
"So what they're saying is: if it's stored in a cloud hosting provider in the UK, it's safe; if it's stored in a cloud hosting provider outside the UK, it isn't.
Except there is this thing called "The Internet" which connects all the clouds together."
Having briefly scanned the audit report, I don't think that's quite what the auditors are saying. I can't see any reference to data being stored in a non-UK datacentre, but I do see a reference to aggregated data in the London data centre being available 'online' i.e. presumably internet facing, and so available to users in other countries (that's probably why the London data centre is no longer used.)
This is most likely what the main point of the story is - servers storing NHS data should never be accessible via the internet, only via internal LAN / WAN (with WAN connections encrypted over point-to-point VPN.)
The only other failings I can see in the report are the usual suspects - logins shared between 2 admins, unlocked unattended laptops, poor audit trail for information governance training etc. etc.