Hello my name is Catherine Day and I am a Senior Case Officer within the Data Access Request Service.
This video is one of a series of presentations designed to help you use our Data Access Request Service as effectively as possible.
You can view the other videos in this series on our YouTube channel using the following address – www.youtube.com/user/HSCIC1
NHS Digital has published a number of standards in relation to how we assess applications for data from NHS Digital. These are designed to be transparent and to help you in completing the relevant section of your online application for data.
This presentation will provide detail on the agreed standard for completing the following section of the application: Processors.
Article 4, Section 8 of the General Data Protection Regulation, or GDPR, defines a processor as a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Within your application we look for you to list any organisation that will be processing data that is not anonymous including data containing identifiers, pseudonymised data and aggregated data where small numbers are not suppressed in line with guidance.
The definition of processing under Article 4, Section 2 of GDPR is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
A controller determines both the purposes and the means of processing personal data and the processor is responsible for processing personal data on behalf of a controller.
All organisations who are processes of NHS digital record level data must be detailed as such in the application for data.
A processor of NHS Digital record level data must meet the definition set out in article 4, section 8 of GDPR.
Each processor of NHS Digital record level data is required to have the following in place - adequate security assurance and there is a separate standard on security assurance requirement and also to have paid the relevant data protection fee to the ICO. Please see the ICO website for further information or the separate standard on DPA Registration.
Whilst the controller for NHS Digital record level data may process data themselves, each and every separate legal entity who processes NHS Digital record level data on behalf of a Controller must only act on the documented instructions of the controller.
NHS Digital require confirmation within the application that such documented instructions will be in place prior to processing NHS Digital record level data by a processor (and remain in place during that processing) this is one of the criteria that is reviewed during an audit.
If a Controller is processing any NHS Digital record level data then they should also be listed as a Processor.
Processors of NHS Digital record level data are subject to a number of additional obligations on the Data Protection legislation and parties are advised to consider those duties and responsibilities.
For further guidance please refer to the ICO website.
On DARS online we will require the following information for each data processor - the data processors location so the region for data processing considers only the record level data and outputs and any data not suppressed in line with guidance. For example, using record-level data derived from the data provided by NHS Digital in Ireland would mean that the EEA should be selected.
The use of anonymous data (for example in a research journal) does not need to be stated as a territory of use.
If data is intended to be processed or stored outside the EEA, a please contact NHS Digital at an early stage.
The organisation name and address of where the processing will take place, along with the name and an email address of the lead contact for the application will also be required, along with the security assurance and DPA registration (again there are separate standards available which cover these requirements). This information should be entered on the following page in DARS online.
Thank you for listening. We would welcome your feedback on this presentation. If you would like to provide feedback then please email us at [email protected].