Does the legal basis, as set out in the application, allow the applicant/data controller to onwardly share the data (for example - consider the specific permissions in any consent materials)?
The applicant must demonstrate why the sub-licence is for data that could not be supplied by NHS Digital directly - for example, combined with data NHS Digital does not hold. Accordingly, the application must detail how value is added to the data by the applicant prior to sub-licencing.
Any request for sub-licencing must be clear in the application and an indication given as to the anticipated volume/number of sub-licences as well as the potential length of the sub-licences.
The applicant must provide a briefing note which explains how NHS Digital’s Controller requirements are flowed down on to the sub-licences.
The applicant must provide:
- a copy of the template sub-licence agreement
- detail of how sub-licences and the terms of the sub licence are approved - for example, what due diligence is undertaken, when/how should data be shared, must data be record level or aggregated ?
- terms of reference and composition of membership of any sub-licence approval group
- information governance criteria applied by the sub-licence approval group to applications for data
- detail of the legal basis for sharing of the data
- how the duty of confidentiality is addressed (where appropriate)
The applicant must set out in, the purpose section, the assessment criteria that it will use in determining who to grant sub-licences to and on what conditions. For example, the nature and type of sub-licence should be identified in the application (such as research by UK universities only), with an explanation of:
- what sharing is meant to achieve
- what information to be shared
- who needs access
In general, applicants will need to show that sub-licencing will be in the public interest and that the data will be used either (i) for the provision of health care or adult social care; or (ii) for the promotion of health. Applicants will also need to explain how they will ensure that sub-licences respect and promote the privacy of recipients of health services and of adult social care associated with the data that they receive.
Territory of use in the sub-licence must be the same or narrower than the territory of use permitted by the Data Sharing Framework Contract between NHS Digital and the applicant.
Applicants must have a release register detailing any sub-licences and onward sharing. Release registers must be updated within one month of the date of the sub-licence. The applicant must provide sufficient detail to NHS Digital to enable the NHS Digital release register to be updated.
The applicant should take responsibility for the actions and omissions of all sub-licences. Breach of a sub-licence should automatically be regarded as breach of the Data Sharing Framework Contract.
In the event of termination or expiry of the Data Sharing Framework Contract between NHSD and the applicant, all sub-licences shall automatically terminate.
A presumption against sub-licencing applies where the applicant intends to allow use of data for purposes such as marketing, sales or insurance or where there may be international transfers of data (potentially including the EEA since 31 January 2020). This presumption can be rebutted but a strong case to show the public interest will be required in order for this to occur.
NHS Digital will require the ability to audit the sub-licence.