Data sharing standard 5b - Processing activities

This section of the application shall provide detail on: 

1. Any flow of data into NHS Digital additionally identifying special categories of personal data such as health data.
2. Any flow of data out of NHS Digital additionally identifying special categories of personal data such as health data.
3. Any subsequent flows of data
4. Data flows should include detail of the level of data flowing at each stage
5. Which organisation(s) is/are processing which data at each stage (or providing a data flow diagram)
6. How the data is being processed at each stage/what is being done with the data to achieve the stated purpose
7. Details of any data linkages, or confirmation that data is not linked
8. Where linkage is permitted, an explanation of what steps are taken to mitigate any risk of reidentification outside of what is permitted by the DSA. Where multiple linkages are permitted the steps taken to mitigate the risk of reidentification should be set out for each stage/linkage.
9. Where data is being matched to publicly available data, an explanation of what steps are taken to mitigate any risk of reidentification outside of what is permitted by the DSA. This does not extend to data made public by the data subject for example via social media.
10. Where applicable, confirmation that there will be no requirement/attempt to re-identify individuals
11. Confirmation that data processing is only carried out by substantive employees of the data processor(s) and or data controller(s) who have been appropriately trained in data protection and confidentiality.
12. Where data processing is not carried out by substantive employees of the data processor(s) / data controller(s) detail of what contractual arrangements are in place to protect the data which include training in data protection and confidentiality.
13. Detail of how the data is being accessed by anyone accessing the data (secure environment/system access/remote access etc)
14. Where data is stored at premises which are owned by an organisation who is not named in the agreement, the storage arrangements must be explained e.g. the data is stored at X premises. All data stored at organisation X’s premises is held on servers owned/managed by organisation Y (who must be named in the agreement). Organisation X are not able to access the data or servers holding the data.
15. Any special conditions which should be made transparent to the public, should appear in this section (until such time as Special Conditions is published in the data release register). N.B. This does not include inaccessible/detailed conditions, such as small number suppression rules, which should be recorded in the Special Conditions section only.