Guidance

Approval standards and guidelines: engaging a data processor

Updated 15 September 2023

Approval standard: engaging a data processor

When must this standard be met

This standard must be met for applications where any processing is or will be outsourced to one or more data processors.

Standard

1. All individuals or organisations who will be engaged as a data processor must be detailed as such in the application.

2. The application must demonstrate the data processor is governed by a UK General Data Protection Regulation (UK GDPR)-compliant agreement or other legal act. This agreement must be fully executed on submission of the application and contain provisions that:

  • state that the processor must only act on the controller’s documented instructions
  • impose confidentiality obligations on all personnel who process the relevant data
  • require the processor to ensure the security of the personal data it processes
  • require the processor to abide by the rules regarding the appointment of sub-processors
  • implement measures to assist the controller in complying with the rights of data subjects as outlined in Article 15 to Article 22 of the UK GDPR
  • state that the data processor must either return to the controller, or destroy, the data:
    • on termination of the processing agreement; or
    • when processing by the data processor is no longer necessary for the purpose (except as required by statutory requirements)
  • assist the data controller with all information necessary to demonstrate compliance with UK GDPR in relation to:
    • the security of processing
    • the notification of personal data breaches
    • data protection impact assessments
    • prior consultation with the Information Commissioner’s Office (ICO) where applicable
  • allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

3. The application must demonstrate that the documented instructions of the controller are consistent with all other information submitted to the UK Health Security Agency (UKHSA) and other approval bodies.

4. The application must demonstrate that all processing carried out by the data processor will be within the UK and/or EEA (see Approval standards and guidelines: processing location). For the avoidance of doubt, this territorial scope includes cloud-based services, where any data centre used in processing the data must be restricted to approved territories only.

5. Where the primary applicant agrees to the appointment of sub-processors by a data processor, the application must demonstrate that the sub-processors:

  • are governed by the same data protection obligations as set out in the data processing agreement between the primary applicant and data processor, and in any case in accordance with Article 28 of UK GDPR
  • do not process the data except on instructions from the controller

6. The application must demonstrate sufficient guarantees that the data processor will implement appropriate physical, technical and organisational security measures to meet the requirements of Article 32 of UK GDPR and ensure the protection of the rights of the data subject. The application must demonstrate that:

  • the data processor has adequate security assurances. UKHSA accepts 2 types of assurance as evidence:
    • a valid Data Security and Protection Toolkit to ‘Standard Met’ or ‘Standard Exceeded’
    • a current ISO 27001:2013 certificate issued by a UKAS-accredited certification body
  • the data processor must have paid the relevant data protection fee to the ICO (see Approval standard and guidelines: data protection registration)

7. The application must include a project-specific data flow diagram to visualise the proposed data system and demonstrate the proposed design for secure data processing. For further details, see the Approval standards and guidelines: data flow diagram.

8. Where the data processor will be appointed and instructed to process personally identifiable data:

  • the application must demonstrate that the data processor can lawfully process the data
  • the documented instruction to the data processor must be explicitly described in the project’s privacy notice (for further details see the Approval standards and guidelines: privacy notice)

Guidelines

Article 4 of UK GDPR defines a ‘data processor’ as a person, authority, or body that processes data for a data controller. The Data Protection Act (DPA) 2018 definition of processor that applies to general processing covered under Part 2 of the DPA 2018 mirrors the UK GDPR definition (section 5, DPA 2018).

Processing refers to a wide range of operations and uses of personal data. These can be either manual or automated.

The definition of processing under Article 4(2) of UK GDPR is: 

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Examples of processing include:

  • collection
  • recording
  • storage
  • alteration
  • adaptation
  • retrieval
  • use
  • linkage
  • disclosure by transmission
  • dissemination
  • erasure
  • destruction

Data processors can include routine business functions or ad hoc commissioned services, such as:

  • cloud hosting arrangements to securely store the data
  • a specialist organisation instructed to support the distribution of surveys or invitation letters to participate in a study
  • third-party analysis, consultation or interpretation of data

The general obligations of data processors are explained in Article 28 of UK GDPR.

Application requirements

If a third party (a person, public authority, agency or other body) will be appointed to act on the documented instructions of the primary applicant to process the data, and the data cannot be anonymised to the ISB1523: Anonymisation Standard for Publishing Health and Social Care Data, in the application you must:

  • complete Section H: Data processor(s) acting under instruction of the UKHSA data application form
  • include a fully executed data processing agreement
  • demonstrate that as the data controller, you can assure UKHSA that any processing conducted by the data processor will be lawful, ethical and secure
  • where more than one data processor (or their respective sub-processor) is to be instructed to process the data (entirely or in part), complete a data processor form using Appendix 2 of the UKHSA data application form

For each processor (or their respective sub-processors), a fully executed data processing agreement must accompany your application. The data processing agreement must comply with the obligations prescribed in Article 28 of UK GDPR.

You must ensure that the data flow diagram details any processing operations between the controller and the processor acting under instruction. For further guidance, refer to Approval standards and guidelines: data flow diagram.

Should your application be positively assessed, each agreed data processor will be named within the data sharing contract. This contract will prohibit any other processors from processing UKHSA data without prior written authorisation of UKHSA.

Data processing agreement

Article 28 of UK GDPR provides that whenever a data controller instructs a data processor to process data on its behalf, the processing must be governed by a contract (also referred to as a data processing agreement) or other legal act.

The data processing agreement must, at a minimum, contain the following details – the:

  • subject matter of processing
  • duration of the processing
  • nature and purpose of the processing
  • type of personal data involved
  • categories of data subject
  • controller’s obligations and rights

A data processing agreement must also contain the following mandatory provisions – that:

  • the processor will only process personal data received from the controller upon documented instruction from the controller (unless required by law to process personal data without such instructions) including in respect of international data transfers
  • the processor ensures that any person processing personal data is subject to a duty of confidentiality; for further information regarding the requirements to be met when confidential patient information is being processed, see Approval standards and guidelines: confidential patient information and Approval standards and guidelines: lawful basis (UK GDPR)
  • the processor takes all measures required pursuant to Article 32 of UK GDPR (Security of Processing) including but not limited to implementing appropriate technical and organisational measures to protect personal data received from the controller
  • the processor obtains either a prior specific authorisation or general written authorisation for any sub-processors the processor may engage to process the personal data received from the controller – the processor must further ensure that where a general written authorisation to the processor engaging sub-processors is obtained, the controller has the opportunity to object in advance of each individual sub-processor being appointed by the processor
  • any sub-processors engaged by the processor are subject to the same data protection obligations as the processor and that the processor remains directly liable to the controller for the performance of a sub-processor’s data protection obligations
  • the processor assists the controller, by appropriate technical and organisational measures, in responding to requests from data subjects exercising the rights laid down in Chapter 3 of UK GDPR
  • the processor assists the controller to ensure compliance with obligations under UK GDPR in relation to security of data processing (UK GDPR Article 32), notification of data breaches (UK GDPR Article 33 and Article 34) and data protection impact assessments (UK GDPR Article 35 and Article 36)
  • at the end of the data processing by the processor and on the controller’s instruction, the processor deletes or returns the personal data received from the controller
  • the processor makes available to the controller all information necessary to demonstrate compliance with Article 28 of UK GDPR and that the processor allows for and contributes to audits conducted by the controller or a third party on the controller’s behalf

Other provisions which may be included in data processing agreements

There are a number of other provisions which you may wish to include in data processing agreements which are recommended by the ICO. Such provisions may include but are not limited to:

  • liability provisions (including indemnities)
  • detailed (technical) security provisions
  • additional cooperation provisions between the controller and processor

As a matter of good practice, the ICO further recommends that data processing agreements state that nothing relieves the processor of its direct responsibilities and liabilities under UK GDPR.

When establishing data processing arrangements, it is recommended that you review the guidance available on the ICO website (see ICO Guide to the UK GDPR: Accountability and governance: Contracts).

Security obligations

Article 32(1) of UK GDPR requires processors to implement appropriate technical and organisational measures to ensure a level of security for personal data appropriate to the risk. This may include the following types of measures when appropriate:

  • pseudonymisation and encryption of personal data
  • ensuring the confidentiality, integrity, availability, and resilience of processing activities
  • the ability to restore personal data in a timely manner in the event of a physical or technical incident
  • regular security testing, assessing, and evaluating the effectiveness of technical and organisational measures to ensure the security of processing

UKHSA accepts 2 types of organisational and technical assurance as evidence, a:

  • valid Data Security and Protection Toolkit to ‘Standard Met’ or ‘Standard Exceeded’
  • current ISO 27001:2013 certificate issued by a UKAS-accredited certification body

For more guidance on UKHSA’s expectations of appropriate organisational and technical assurances, refer to Approval standard and guidelines: data security.

Guidance from the ICO

The ICO has published guidance and a checklist to assist organisations in drafting compliant data processing agreements (see ICO Guide to the UK GDPR: Contracts and liabilities between controllers and processors: What needs to be included in the contract?).