Skip to main content
Creating a new NHS England: NHS England and NHS Digital merged on 1 February 2023. More about the merger.


Find out about the services we provide to commissioners and best practice for data controllers.

Best practice for data controllers

Suggested questions for data processor meetings

We've compiled a selection of suggested questions for data processor meetings. Open the drop-down option below to see them.

View our suggested questions

Have there been any changes to our data offering? Since the last meet or agreement.

Is our data being used elsewhere? (For example, to populate baseline or outlier reports). If so, where is that captured? When was it communicated to us as the Data Controller?

Is the storage location the same?

Processing changes – including cloud processing and extra DQ.

Are we prepared for a data breach?

Have we conducted a Privacy Impact Assessment (PIA)? These assessments reduce your risk of mishandling personal data.

Are we able to measure and demonstrate compliance with global data privacy regulations?

Have you identified and inventoried our data assets and processes used to process and store personal data?

Have you classified our data according to risk (high, medium, low)?

Who has access to our various data assets?

Have we calculated the financial impact of high-risk data if leaked?

Do we have the processes and resources in place to support data access requests from individuals?

Are all privacy notices and privacy policies kept up-to-date? 

Do we have up to date records of all data processing activities?

How long do we keep data? Do we have a data retention schedule in place that in line with legal and regulatory compliance?

Do we have mechanisms in place to destroy or delete data if requested to do so?

Do we have a regular or ongoing data audit process set up for the future?

Do we regularly review and monitor applicable security controls for securing data?

Do we have a way to monitor and detect security incidents continuously?

Have we set up appropriate incident management procedures to handle a security incident?

Do we know who and how to notify an impactful security breach?

Who is our Data Protection Officer contact? 

Last edited: 10 August 2022 11:18 am