Guidance

Approval standards and guidelines: data security

Updated 15 September 2023

Approval standard: data security

When must this standard be met

This standard must be met for all applications to access UKHSA data classified as ‘Protected’.

Standard

1. All applications must demonstrate that each applicant and engaged data processor has in place appropriate technical and organisational measures to protect the confidentiality, integrity and availability of the data requested. UKHSA recognises 2 types of assurance, at least one of which must be demonstrated for each applicant and data processor:

  • Data Security and Protection Toolkit (DSPT) to ‘Standards Met’ or ‘Standards Exceeded’
  • current ISO 27001:2013 certification issued by a UKAS accredited certification body

2. When demonstrating an organisation has in place DSPT, the application must:

  • include a valid organisation code (referred to as an ‘ODS code’) for the organisation the DSP toolkit is for
  • demonstrate that the latest available version of the DSPT assessment has been completed, or that the previous version has been completed and the assessment has not expired
  • show that the DSPT assessment result was ‘Standards Met’ or ‘Standards Exceeded’

3. When demonstrating an organisation has in place ISO 27001:2013 certification, the application must:

  • include the certificate number, registration date, and expiration date
  • show the name and address of the certified organisation on the certificate, as well as the scope and the Statement of Applicability (SOA)
  • show that the certificate is valid for the processing locations specified in the application
  • demonstrate that the certificate is current. UKHSA will not accept expired certificates, and if the expiration date passes during the review, you will be required to provide updated documentation
  • include a copy of the certificate with the application

Guidelines

The ‘security principle’ is a key principle of the UK General Data Protection Regulation (UK GDPR) that requires you to process personal data securely using appropriate technical and organisational measures in accordance with Article 5(1)(f) and Article 32 of the UK GDPR. This requires the consideration of factors such as risk analysis, organisational policies, and physical and technical safeguards.

In your application you must demonstrate that your organisation has the appropriate organisational, physical and technical measures to ensure the confidentiality, integrity and availability of the data throughout its processing, including storage at rest. Article 32 of the UK GDPR provides specifics on the security of your proposed processing.

Should you need to engage a data processor to deliver your project, you must also provide sufficient guarantees that they will implement appropriate technical and organisational measures, and that you will continue to ensure their compliance on an ongoing basis. For more information about the requirements for engaging a data processor in your application, please see Approval standards and guidelines: engaging a data processor.

UKHSA recognises 2 types of assurance, at least one of which must be demonstrated for each applicant and/or data processor:

  • Data Security and Protection Toolkit (DSPT) to ‘Standards Met’ or ‘Standards Exceeded’
  • current ISO 27001:2013 certification issued by a UKAS accredited certification body

Data Security and Protection Toolkit

The DSPT is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

ISO 27001:2013 certification

ISO 27001:2013 (also known as ISO 27001) is an information security management standard jointly published by the International Organization for Standardization and the International Electrotechnical Commission. ISO 27001 structures how organisations should manage risk associated with information security threats, including policies, procedures and staff training.

Certification to the ISO 27001 standard is recognised worldwide to indicate that your systems align with information security best practices.

When you achieve ISO 27001:2013 certification you are demonstrating that:

  • your information security management system meets the standards of the ISO model of implementation, maintenance and continual improvement
  • you are managing information security in accordance with ISO 27001’s requirements, regardless of the size or type of your organisation

Data processors

Where processing is to be carried out on behalf of a controller, Article 28 of the UK GDPR places a number of responsibilities on the controller, including that it must only use processors providing sufficient guarantees to implement appropriate technical and organisational measures.

Detailed guidance has been made available by the Information Commissioner’s Office (ICO) on these responsibilities (see ICO Guide to the UK GDPR: Contracts and liabilities between controllers and processors).

When engaging a data processor, you must also meet the requirements set out in Approval standards and guidelines: engaging a data processor and the Approval standards and guidelines: processing location.