
Data sharing standard 1c - Processors

This standard is part of a series of guidance documents to support the various stages of a DARS application.


Standard description

According to Article 4(8) of the General Data Protection Regulation (GDPR), "processor" means:

  • a natural or legal person1, public authority, agency or any other body 
  • which processes personal data on behalf of the controller

The definition of processing under Article 4(2) of GDPR is:

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

A controller determines the purposes and means of processing personal data and a processor is responsible for processing personal data on behalf of a controller.

  1. All organisations that are Processors must be detailed as such in the application for data.
  2. A Processor must meet the definition set out in Article 4(8) of General Data Protection Regulation.
  3. Each Processor is required to have:
    • adequate security assurance (see separate standard on security assurance requirements)
    • paid the relevant data protection fee to the Information Commissioner's Office (ICO) - see ICO data protection fee guidance
  4. Whilst a Controller may process data themselves, each and every separate legal entity who processes data on behalf of a Controller must only act on the documented instructions of the controller. NHS Digital require confirmation within the application that such documented instructions will be in place prior to processing by a Processor (and remain in place during that processing). 

Processors are subject to a number of additional obligations under Data Protection legislation and parties are advised to consider these duties and responsibilities. For further guidance please see the ICO GDPR guide.

1 For example, a person or legal entity


Video

Transcript of the processors guidance video

Slide 1

Hello my name is Catherine Day and I am a Senior Case Officer within the Data Access Request Service.  

Slide 2

This video is one of a series of presentations designed to help you use our Data Access Request Service as effectively as possible.

You can view the other videos in this series on our YouTube channel using the following address – www.youtube.com/user/HSCIC1

NHS Digital has published a number of standards in relation to how we assess applications for data from NHS Digital. These are designed to be transparent and to help you in completing the relevant section of your online application for data.

This presentation will provide detail on the agreed standard for completing the following section of the application: Processors.

Slide 3

Article 4, Section 8 of the General Data Protection Regulation, or GDPR, defines a processor as a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Within your application we look for you to list any organisation that will be processing data that is not anonymous including data containing identifiers, pseudonymised data and aggregated data where small numbers are not suppressed in line with guidance.

Slide 4

The definition of processing under Article 4, Section 2 of GDPR is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Slide 5

A controller determines both the purposes and the means of processing personal data and the processor is responsible for processing personal data on behalf of a controller.

All organisations who are processors of NHS Digital record level data must be detailed as such in the application for data.

A processor of NHS Digital record level data must meet the definition set out in article 4, section 8 of GDPR.

Slide 6

Each processor of NHS Digital record level data is required to have the following in place: adequate security assurance (there is a separate standard on security assurance requirements) and also to have paid the relevant data protection fee to the ICO. Please see the ICO website for further information or the separate standard on DPA Registration.

Slide 7

Whilst the controller for NHS Digital record level data may process data themselves, each and every separate legal entity who processes NHS Digital record level data on behalf of a Controller must only act on the documented instructions of the controller.

NHS Digital require confirmation within the application that such documented instructions will be in place prior to processing NHS Digital record level data by a processor (and remain in place during that processing). This is one of the criteria that is reviewed during an audit.

If a Controller is processing any NHS Digital record level data then they should also be listed as a Processor.

Slide 8

Processors of NHS Digital record level data are subject to a number of additional obligations under the Data Protection legislation and parties are advised to consider those duties and responsibilities.

For further guidance please refer to the ICO website.

Slide 9

On DARS online we will require the following information for each data processor: the data processor's location. The region for data processing considers only the record level data and outputs and any data not suppressed in line with guidance. For example, using record-level data derived from the data provided by NHS Digital in Ireland would mean that the EEA should be selected.

The use of anonymous data (for example in a research journal) does not need to be stated as a territory of use.

If data is intended to be processed or stored outside the EEA, please contact NHS Digital at an early stage.

Slide 10

The organisation name and address of where the processing will take place, along with the name and an email address of the lead contact for the application will also be required, along with the security assurance and DPA registration (again there are separate standards available which cover these requirements). This information should be entered on the following page in DARS online.

Slide 11

Thank you for listening. We would welcome your feedback on this presentation. If you would like to provide feedback then please email us at [email protected].

Last edited: 28 July 2021 5:04 pm