Guidance

Approval standards and guidelines: processing location

Updated 15 September 2023

Approval standard: processing locations

When must this standard be met

This standard must be met for all applications to access UK Health Security Agency (UKHSA) data classified as ‘Protected’.

Standard

1. The application must describe all processing locations to be used by the applicant or their engaged data processor. It must include:

  • the postal address of each processing location, taking account of whether the data will be shared or isolated to specific users, whether it will be processed in several locations simultaneously, the system architecture, and the difference between legal address and processing locations
  • a description of each processing location in the data flow diagram

2. The application must explain why each processing location is required for the project’s success in the scientific protocol.

3. The application must specify whether users of the data will be permitted remote access, as well as the locations from which remote access is intended to take place. Where remote access will be granted to a user at their home address, the application does not need to include the home addresses of individuals, only the mode and country of access.

4. Should the application include engaging one or more data processors, the application must:

5. Should the application include the use of a public or private cloud processing, the application must:

Guidelines

The definition of ‘processing’ appears at Article 4(2) of UK GDPR:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means […]

This definition is intentionally broad, and it is followed by a non-exhaustive list of examples:

collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

In making a data application, this standard requires you to provide each location where protected data will be processed and assure UKHSA that these locations are within the boundaries of the EEA.

Where data processing will be distributed across multiple locations or users in different organisations, each processing location must be documented and justified. It is expected that if remote data access is to be granted, the locations of the end users of the data are known. This does not need to include the home addresses of individuals, only the mode and country of access.

In addition to specifying the location, each processing location must have appropriate technical and organisational measures in place to protect the confidentiality, integrity, and availability of the data, as required by the Approval standards and guidelines: data security.

Countries in the EEA

All data must be restricted to being processed within the EEA. At the time of publication, the EEA countries consist of the European Union (EU) member states and the European Free Trade Association (EFTA) states:

  • the EU member states are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, the EU Institutions, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden
  • the EFTA member states are the United Kingdom, Iceland, Liechtenstein, Norway and Switzerland

Processing location changes

Please keep in mind that any proposed changes to the organisations and/or locations that will be used for processing must be approved in advance by UKHSA.

Informing UKHSA after the change has been made, or failing to inform UKHSA at all, may be considered a breach of the data sharing contract and may necessitate the suspension of access to the data (if granted) or resubmission of your application (if under review).